Replacing Entrust Certificate Authority (CA)

Summary

Google has announced Entrust certificates will no longer be trusted by Chrome browsers.

What

Google's announcement has prompted ServiceNow's strategy to transition from Entrust to DigiCert for issuance of external-facing TLS certificates.

Why

On June 27, 2024, the Chrome Security Team announced that starting from November 12, 2024, TLS server authentication certificates validating to certain Entrust roots will no longer be trusted by default in Chrome 127+ if they are issued after November 2024.

https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html

Required action

- Remove hard dependency on Entrust certificates.
- If you have hard-coded Entrust root & intermediate certificates in your systems, make sure those systems also trust DigiCert (KB0563633).
- If you have MID servers with limited Internet connectivity, make sure they are able to contact DigiCert certificate verification servers (KB1709661).
- Consult your IT or Security team to understand the impact on your systems.

How

The ServiceNow Security Organization is running a project to prepare for and deliver the replacement of Entrust with DigiCert.

- ServiceNow proactively renewed Entrust certificates before October 31st, 2024.
- Internal service owners and developers have been engaged to address Entrust dependencies.
- ServiceNow will issue external-facing TLS certificates from DigiCert starting November 1st, 2024.
- The current certificate for *.service-now.com was issued by Entrust before November 2024, so it will remain valid until May 2025. See KB0563633 for certificate details.
- The certificate for *.service-now.com which supports TLS 1.2 connections will be updated in April, between the 14th & 18th. You will receive a communication from ServiceNow with the exact change window depending on where your instances are located.

Here's what you can expect

- A hard dependency on the Entrust public CA will impact your instance and/or integrations unless you make sure the same integrations also trust DigiCert.
- All modern browsers trust DigiCert root certificates by default, so there should be no issues for your users.

ServiceNow will use the below Root and Issuing Certificate Authority (CA) to issue the certificates from DigiCert starting November 1st, 2024. KB0563633 is kept up to date with active certificates and certificates that are waiting to be deployed.

Q&A

Can the transition be rescheduled?
No. The certificate changes are being applied at an infrastructure level, so exceptions at the customer account level or instance level are not possible.

Can I exclude my instance from this transition?
No. ServiceNow customers cannot exclude themselves from the change.

What if I have a hardcoded dependency?
Start investigating all dependencies before the wildcard certificates are switched to DigiCert and have them removed if possible. If this is not possible, make sure the same systems also trust DigiCert certificates.

How can I initiate support?
We are here to help. If you need further assistance and this article does not resolve your issue, please create a Case in Now Support using the following Subject: “Entrust Replacement”.

Where can I get more detailed information?
Refer to the full announcement from the Chrome Security Team and the Entrust TLS Certificate Information Center.

We appreciate your attention to this important matter and are here to assist with any questions or concerns.

Related Links

[1] https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
[2] https://www.entrust.com/tls-certificate-information-center
KB0563633 - SSL/TLS encryption on instances
KB1709661 - MID server requirements to verify Digicert certificates
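
One way to screen a pinned CA bundle for the hard-coded dependency described under "Required action" and in the Q&A. This is an added example, not ServiceNow code: the function names, verdict strings and sample entries are constructed here, and matching on the subject organization name is an assumed coarse screen, so confirm the exact roots and intermediates against KB0563633.

```python
import ssl
import sys
import time

OLD_CA, NEW_CA = "entrust", "digicert"  # assumption: coarse match on subject O=

def org_names(cert):
    """Lowercased organizationName values from one get_ca_certs() entry."""
    return [value.lower()
            for rdn in cert.get("subject", ())
            for key, value in rdn
            if key == "organizationName"]

def classify_trust_store(ca_certs, now=None):
    """Classify a CA list shaped like ssl.SSLContext.get_ca_certs() output."""
    now = time.time() if now is None else now
    old = new_valid = new_expired = 0
    for cert in ca_certs:
        orgs = org_names(cert)
        if any(OLD_CA in o for o in orgs):
            old += 1
        if any(NEW_CA in o for o in orgs):
            # An expired DigiCert entry does not help after the switch.
            if ssl.cert_time_to_seconds(cert["notAfter"]) > now:
                new_valid += 1
            else:
                new_expired += 1
    if new_valid:
        verdict = "ok"                # store can validate DigiCert-issued chains
    elif old:
        verdict = "action-required"   # Entrust pinned, no usable DigiCert CA
    else:
        verdict = "no-match"          # neither CA present; inspect manually
    return {"verdict": verdict, "entrust": old,
            "digicert_valid": new_valid, "digicert_expired": new_expired}

def load_bundle(path):
    """Load a PEM bundle (for example a pinned CA file) and list its CAs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def _ca(org, not_after):  # constructed sample entry, not a real certificate
    return {"subject": ((("organizationName", org),),), "notAfter": not_after}

SAMPLE_PINNED = [_ca("Entrust, Inc.", "Dec 07 17:55:54 2030 GMT")]
SAMPLE_STALE = SAMPLE_PINNED + [_ca("DigiCert Inc", "Jan 01 00:00:00 2020 GMT")]
SAMPLE_READY = SAMPLE_PINNED + [_ca("DigiCert Inc", "Nov 10 00:00:00 2031 GMT")]

if __name__ == "__main__":
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PINNED
    print(classify_trust_store(certs))
```

Run it with the path to a PEM bundle as the only argument; without an argument it classifies the constructed Entrust-only sample.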