Run Certificate Discovery via individual URL scans

Visibility to TLS certificates Visibility to TLS certificates

The Certificate Inventory and Management application allows Discovery to automatically scan for certificates on specific ports through your existing CI-based Discovery schedules. In addition, you can create Discovery schedules to scan for specific URLs.

The ServiceNow Store regularly releases new applications and updates to applications that are created by ServiceNow . If you already have the application, you can download the latest version to enhance your existing experience with our products. Since different features are available or enhanced each time an application is released in the Store, the content and features available in a particular release are indicated by version number in this document.

In Version 1.1.7 Certificate Inventory and Management , you can add a list of imported certificates and scan for certificates from your Certificate Authority (CA) such as GoDaddy and DigiCert. In Version 1.2.0, you can also scan Sectigo and Entrust CAs.

In Version 1.3.8 Certificate Inventory and Management , the application enhanced existing certificate authority patterns for DigiCert to collect the following fields as part of the CA Trust Certificate discovery. All of these fields are stored in the Certificate Extensions [sn_disco_certmgmt_certificate_extension] table. Certificate Id Order id Thumbprint Serial Number Certificate Status

To Import Certificates or Discovery CA Trust with more than 1500 certificates, create the discovery schedule with more than one serverless patterns configured. Each pattern execution supports a maximum of 1500 certificates discovery.

To discover all the certificates, the limit (defaults to 1500) and start_offset (defaults to 0), must be configured accordingly. For example to fetch up to 6 K certificates, add four serverless patterns with start_offset 0, 1500, 3000, and 4500. Start_offset and limit parameters are configured as shown.

Run Certificate Discovery via port scans

When the TLS port probe [tls_ssl_certs] is enabled, Discovery automatically scans 14 preauthorized ports through your existing CI Discovery schedules.

Role required: admin or discovery_admin.

Activate the TLS port probe [tls_ssl_certs]. Navigate to Discovery Definition > Port Probes . Open tls_ssl_certs . Click the Active checkbox to enable the probe and then save your changes. This box will be unchecked by default for any new installation.

Add IP service to help configure the TLS port probe. Navigate to Discovery Definition > IP services . Create a new IP service with a port.

Configure the TLS port probe. You can add additional ports, up to a total of 138, or remove any existing ports by editing the Port Probe definition. Navigate to Discovery Definition > Port Probes . Open tls_ssl_certs . Click the lock icon next to Triggered by services to unlock this field. Delete any ports on the list or add more from the search area and then save your changes.

Your existing Discovery schedules should then automatically scan for any certificates on the specified ports. You can monitor the results on the Certificate Management Dashboard .

Run Certificate Discovery via individual URL scans

To discover certificates from URL scans, you need to manually add individual URLs and then set up a new certificate Discovery schedule.

Role required: admin or discovery_admin Note: Only the certificates that are available on the server during URL scans can be discovered. To verify what certificates are available, use the openssl s_client -showcerts -connect : command.

Navigate to All > Certificate Management > Certificate Discovery Source URLS . Click New to add individual URLs to the table. Make sure to enter URLs in this format to ensure accurate results. The port is by choice and defaults are used if the port is not provided: scheme://host:port For example: https://www.servicenow.com or https://servicenow.com:443, ldaps://myldap.com or ldaps://myldap.com:636.

Create a Discovery schedule with the following fields. See Schedule a horizontal discovery for more information on setting up your Discovery schedules. Select Discovery : Certificates Select Certificate Discovery Type : URL Certificate Discovery . Leave the batch size as it is, unless recommended to change.

From the Certificate URLs tab, click Edit to add or delete other URLs and then click Submit . Click the checkbox to include URLs from HTTP(s) Endpoint [cmdb_ci_endpoint_http] table in the discovery.

When your Discovery schedule runs, it automatically scans for any certificates on the specified URLs and fetches all URLs from the cmdb_ci_endpoint_http table. It then creates a mapping between the URL and the schedule in the sn_disco_certmgmt_cert_url_sched_m2m .

With Service Mapping enabled, by default, it creates a relationship between the HTTP endpoint and application when it creates an entry in cmdb_ci_endpoint_http. For example, the Amazon application is automatically connected to amazon.com.

The relationship is: cmdb_ci_endpoint_http[parent] --> [Implement End Point To::Implement End Point From] --> cmdb_ci_appl[child].

If the above relationship exists, the URL certificate discovery creates an additional relationship between the certificate and application. This relationship is: cmdb_ci_appl[parent] --> [Uses::Used by] --> cmdb_ci_certificate[child].

Note: URL discovery schedules do not create server CIs.

Use bulk certificate upload

Starting in version 1.2.0 of Certificate Inventory and Management , you can bulk import SSL certificates to save time and resources. You can upload a maximum of 5000 certificates in one .xlsx file.

Role required: Default admin is both pki_user and pki_admin. The users with following roles will be able to access bulk certificate upload: sn_disco_certmgmt.pki_user sn_disco_certmgmt.pki_admin

Navigate to All > Certificate Management > Bulk Upload Certificates . From the Bulk Upload page, Click Download Template File (.xlsx) link to download the sample_cmdb_ci_certificate.xlsx file. Open the downloaded sample_cmdb_ci_certificate.xlsx. Use the values in the columns as samples and add the SSL certificate’s property to the appropriate columns. Each row in the Excel sheet is a CI certificate. The following required columns must be entered: root_issuer issuer subject_common_name issuer_common_name fingerprint issuer_distinguished_name subject_distinguished_name fingerprint_algorithm valid_to: Cannot be less than valid_fom. By milliseconds. For example, 1586789478000 represents 13 April 2020 14:51:18 valid_from: By milliseconds. For example, 1586789478000 represents 13 April 2020 14:51:18 signature_algorithm key_size state: issued, installed, revoked, retired, or other Note: For maintaining the certificate’s chain relationship, every certificate should have the fingerprint of its root certificate in root_issuer column, and fingerprint of its issuer in the issuer column. For self-signed certificates, the root_issuer and issuer and should have the value of the certificates fingerprint. Save your .xlsx file. Navigate to Certificate Management > Bulk Upload Certificates . Click Browse File and select the completed .xlsx file. Click Upload .

Note: If any errors occur while uploading, a warning message and link to the error logs appears. Only users with the admin role can view these logs. Errors can occur when a mandatory field is left empty or a valid_from epoch value is greater than that of valid_to.

After the file is successfully uploaded, you can see a success message displayed with a View All redirect link. You can view a list of the certificates that were added to the Unique Certificate [cmdb_ci_certificate] table.

Run Certificate Discovery via certificate file import

In Version 1.1.7 Certificate Inventory and Management , you can discover certificates from certificate files by importing the files into the system using pattern-based Discovery. Make sure TLS_keepOriginalCertificate is set to False.

Role required: admin or discovery_admin Note: The certificate must be in one of the following formats: .cert .pem .txt .der

The Import certificates are discovered using the pattern Import SSL Certificate, which uses the following: Server: Host name or IP address on which the certificates are hosted. If certificates are being imported from the MID Server , you can specify localhost as the server input parameter and can leave “temp_certificate_folder” empty. server_certificate_folder: Folder path on the server in which certificates are present. TLS_keepOriginalCertificate parameter: If the TLS_keepOriginalCertificate parameter is set to true, it increases the payload size which can cause out-of-memory issues. This should be set to false. temp_certificate_folder: The folder on the MID Server where the files will be copied temporarily.

Create a Discovery schedule with the following fields. See Schedule a horizontal discovery for more information on setting up your Discovery schedules. Select Discovery : Import Certificates Select Certificate Discovery Type : Import Certificates . Select MID Server selection method : Specific MID Server . Select MID Server : Choose the desired MID Server. Add the Credentials for the Windows or Linux host machine where certificates are present. Fill out the necessary fields and then Save .

From the Serverless Execution pattern tab, click New to add the Import SSL Certificate pattern and then click Submit .

When your Discovery schedule runs, it then automatically scans your files. You can monitor the results on the Certificate Management Dashboard .

Maintain certificate chain relationships via certificate import

To maintain the certificate chain relationships, the industry standard .txt extension is used. Certificate chain relationships are not maintained with any other file extensions. The expected order of certificates in a .txt certificate chain file is: Server certificate, Intermediate certificate, and Root certificate.

Use cases: If two or more certificates are found in formats like .cert or .pem, only the first certificate is considered. The other certificates are not processed and no certificate chain relationships are maintained. If there is a .txt extension containing only one certificate, it is considered as a server certificate and no certificate relationship are maintained. If there is a .txt extension, containing two certificates, the first certificate is considered as server certificate and the second certificate is considered as root certificate, with no intermediate certificates.

Note: The certificate chain relationship is updated based on the last URL/IP Discovery run. For example, any File import without certificate chain relations will break any existing chain relationships for the same certificate(fingerprint).

Configure Credential Identifier for Certificate Management credential type

There is external storage credential support for discovery of TLS certificates from CA types including GoDaddy, DigiCert, and Sectigo. To use this, you need to configure the credential identifier in the instance for the particular Certificate Management credential type.

Role required: admin

Navigate to All > Discovery > Credentials . Click New . Select a credential type as Certificate Management Credential . In the Credential form, select External Credential Store check box. Fill in the Credential Alias and Credential ID fields. Credential ID and Arg_ID from Credential Resolver file should be same. Click Submit .

Run Certificate Discovery via Certificate Authority query

Certificate Inventory and Management can discover provisioned TLS certificates from Certificate Authorities (CA). Patterns are available for various certificate authority vendors.

Role required: pki_admin or discovery_admin During Discovery, the CA pattern uses the following API elements. The user that was added to the credentials in the instance must have permissions to send these queries.

CA API element GoDaddy * /v1/certificates * /v1/certificates/{certificate_id}/download

DigiCert * /services/v2/order/certificate * /services/v2/certificate/{certificate_id}/chain

Entrust * / v2/certificates * / v2/certificates/{certificate_id}

Sectigo * /cert-manager/api/ssl/v1 * /cert-manager/api/ssl/v1/collect/{certificate_id}/pem

The patterns available with Certificate Inventory and Management Version 1.1.7 are: GoDaddy DigitCert

The patterns available with Certificate Inventory and Management Version 1.2.0 are: Entrust Sectigo

Create a credential alias if desired. See Credential aliases for Discovery . Create a new credential alias for new credentials. If multiple credentials have the same credential alias, during Discovery it first takes the Credential then starts Discovery . Create a new credential type for the CA. Navigate to Discovery > Credentials then click New . Select Certificate Management Credentials . Click the lock icon to unlock the Credential alias list . The alias is then mapped to the credential. Select Specify Type : Credential . Select CA Type . The available types are: GoDaddy, Digicert, Entrust, or Sectigo. Fill in the fields that are specific to the CA type you selected. Each CA has different form fields. See the: API Key credentials for more information. See the below examples of each CA form.

Figure 1. GoDaddy form

Figure 2. DigiCert form

Figure 3. Entrust form

Figure 4. Sectigo form

Create a Discovery schedule with the following fields. See Schedule a horizontal discovery for more information on setting up your Discovery schedules. Select Discovery : Certificates Select Certificate Discovery Type : CA Trust Discovery . Select MID Server selection method : Auto Select or Specific MID Server . Fill out any other necessary fields and then Save .

From the Serverless Execution pattern tab, click New to add CA pattern you need for example, Entrust pattern and then click Submit . If you check the Include cert status , you can add multiple certificate status by separating them with commas.

When your Discovery schedule runs, it automatically scans your files. You can monitor the results on the Certificate Management Dashboard .

Customize Certificate Inventory and Management

Discovery properties allow you to customize some of the aspects of Certificate Inventory and Management .

Role required: admin or discovery_admin.

Navigate to All > Discovery Definition > Properties to edit these Discovery properties : glide.discovery.certs.cert_admin_user_id glide.discovery.certs.days_before_expiration_to_create_renewal_task glide.discovery.certs.enable_incident_creation_for_expired_certificates glide.discovery.certs.enable_renewal_task_creation_for_discovered_certificates glide.discovery.certs.slack_channel_id