[Microsoft CA] Configure automated certificate management for TLS certificates

Overview

This article guides you through configuring routing policies and the required credentials for Microsoft CA automated certificate management in the Certificate Inventory and Management store app.

Before you begin

- You should have the Certificate Inventory Management plugin activated.
- You should have the Windows MID Server set up correctly.
- Role required: pki_admin or admin.

Note: To use the Microsoft Certificate Authority automated flow, you must install the ServiceNow IntegrationHub Action Step - PowerShell plugin and must have an IntegrationHub subscription. See Integration Hub usage and subscription for more information.

Step 1: Create Credentials

This credential is used to authenticate with the Certificate Authority (CA).

A. Navigate to Credentials
1. Go to Connection & Credentials > Credentials.
2. Click New.
3. Choose the appropriate type: Windows Credentials.

B. Fill in Credential Details
Username & Password: Login credentials for the MS CA server or the intermediate server (if using an intermediate server). This user should have PowerShell access and Microsoft Certification Authority console access to manage certificates. The intermediate server can be any Windows server that is in the same domain as the Microsoft CA server and has the certutil and certreq commands available in PowerShell. When an intermediate server is used, the MID Server executes a PowerShell script on the intermediate server using Invoke-Command, which in turn uses Remote Procedure Call (RPC) to run the certutil and certreq commands on the CA server.
Name: Provide an appropriate name for your credential.

Step 2: Create Routing Policy

This routing policy is used to route certificate requests to the right CA account.

A. Navigate to Certificate Routing Policy
1. Go to Certificate Management > Certificate Automate Flows > Certificate Routing Policies.
2. Click New.

B. Fill in the routing policy details
Certificate Authority: Choose 'Microsoft CA' as the Certificate Authority.
Name: Provide a name for your routing policy.
CA Host IP: Enter the IP of the CA server, or the IP of the intermediate server if you are using one.
CA Template Name: Provide the name of the MS CA template to be used for generating certificates. To get it from the MS CA server:
1. Log in to your CA server.
2. Open the Microsoft Certification Authority console.
3. Navigate to your CA > Certificate Templates. This opens a list of certificate templates with their descriptions.
4. Copy the name of the template you intend to use.
CA Name: Provide the CA name in the format <Host Name>.<Domain Name>\<CA Name>. To find the CA name:
1. Log in to your CA server.
2. Open the Microsoft Certification Authority console.
3. Navigate to your CA and copy the CA name.
Assignment Group: Choose the group to which any manual task related to certificates requested through this routing policy (renewal tasks, for example) should be assigned.
Maximum validity period: The maximum allowed validity for certificates, in days. Use this field to restrict the maximum allowed validity period.
Organization ID: Required only for organization-validated certificate requests.
Credential Alias: This should be the same alias under which you added the credentials in Step 1.
Allow Duplicate Request: If enabled, duplicate requests with the same CSR are allowed.
Approval Required & Task Approval Group: When requesting new certificates or renewing certificates, many PKI teams prefer human validation before fulfillment. If so, select the Approval required check box and select the group to which the task should be assigned for approval.
Mid Server: You can select a specific MID Server to which all requests matching this routing policy should go.

The following fields are used to match the routing policy.
Subject common name and Subject alternative name are supported with RegEx. The RegEx format has the following restrictions:
- It must not contain commas.
- It must not start and end with a forward slash (/).
- * matches any.
Organization, Organizational Unit, Locality, State, Country, and Email are CSR attributes and accept comma-separated values. * is treated as any.
Environment: Metadata that can be used to route certificate requests to different CAs or CA accounts.
Certificate Purpose (internal/external): Similar to Environment, can be used to route certificate requests.

Troubleshooting Guide

Check that the MID Server is able to reach the CA server or intermediate server.

The following situations may occur while requesting a certificate.

Option: A single routing policy matches
Description: Verify the following conditions:
1. Validate the subject common name using the RegEx pattern provided in the Routing Policy table, the domain name, or *.
2. Check that the certificate request validity period is not greater than the maximum validity period in the Routing Policy table.
3. Check the duplicate certificate request allowed flag in the Routing Policy table.

Option: Multiple routing policies are eligible
Description: The task is assigned to the default approver group.

Option: No routing policy is found
Description: The task is assigned to the default approver group.

Option: A single policy matches and the approval needed flag is true
Description: The task is assigned to the task approval group defined in the routing policy.

Note: The default approval group can be set using the system property 'sn_disco_certmgmt.cert_task_default_approval_group'. The approval group name is the default group used if the certificate request is moved into manual mode, for instance when there is no matching policy or more than two matching policies. You can add more than one approval group, separated by commas. The first group on the list that belongs to the task domain is used for approval. If no domain-specific group is found, the first name in the global domain list is used as the default.
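The following Python is an added illustration of the routing decision in the troubleshooting table and of the approval-group note above; it is example code written for this article, not part of the Certificate Inventory and Management app. The policy field names, the default group value, the domain map and the rule that a single-match request failing its validity or duplicate checks goes to manual mode are assumptions.

```python
import re
from dataclasses import dataclass

# Stand-in for the sn_disco_certmgmt.cert_task_default_approval_group property (constructed value).
DEFAULT_APPROVAL_GROUP = "pki-default-approvers"


@dataclass
class RoutingPolicy:
    name: str
    subject_cn_pattern: str          # RegEx per the page's rules; "*" means any
    max_validity_days: int
    allow_duplicate_request: bool = False
    approval_required: bool = False
    task_approval_group: str = ""

    def __post_init__(self):
        # The page's RegEx restrictions: no commas, not wrapped in forward slashes.
        p = self.subject_cn_pattern
        if "," in p or (p.startswith("/") and p.endswith("/")):
            raise ValueError(f"invalid subject CN pattern: {p!r}")

    def cn_matches(self, cn: str) -> bool:
        if self.subject_cn_pattern == "*":
            return True
        return re.fullmatch(self.subject_cn_pattern, cn) is not None


def route(policies, cn, validity_days, duplicate_csr=False):
    """Return (mode, target) for a request, following the troubleshooting table."""
    eligible = [p for p in policies if p.cn_matches(cn)]
    if len(eligible) != 1:
        # No policy, or more than one: manual mode with the default approver group.
        return ("manual", DEFAULT_APPROVAL_GROUP)
    policy = eligible[0]
    # Single match: validate; assumption (not on the page): failures also go manual.
    too_long = validity_days > policy.max_validity_days
    dup_blocked = duplicate_csr and not policy.allow_duplicate_request
    if too_long or dup_blocked:
        return ("manual", DEFAULT_APPROVAL_GROUP)
    if policy.approval_required:
        return ("approval", policy.task_approval_group)
    return ("auto", policy.name)


def pick_default_group(property_value, task_domain, group_domain):
    """Resolve the default approver group from the comma-separated property value.
    group_domain maps each group name to its domain ("global" for the global domain)."""
    groups = [g.strip() for g in property_value.split(",") if g.strip()]
    in_task_domain = [g for g in groups if group_domain.get(g) == task_domain]
    in_global = [g for g in groups if group_domain.get(g) == "global"]
    return (in_task_domain or in_global or [None])[0]
```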