TLS Certificate Rotation Policy Update – FAQs & Best Practices

Note: The information below is intended for readers in the internal support team and external customers.

Table of Contents

Q1. Why can't we continue with the current bi-annual rotation process?
Q2. Why is hard-coding certificates discouraged?
Q3. Can you guarantee certificates won't change suddenly?
Q4. When does this change take effect?
Q5. What is ServiceNow's compliance timeline?
Q6. What support is available to help us transition?
Q7. What happens if we don't change?
Q8. Are other customers also impacted?
Additional resources

FAQs

Q1. Why can't we continue with the current bi-annual rotation process?

The maximum certificate validity is being reduced industry-wide, from 398 days to just 47 days by 2029. This means rotations will happen every 1–2 months, making the current manual/notification-based approach unsustainable.

Q2. Why is hard-coding certificates discouraged?

Hard-coded leaf certificates break integrations whenever certificates are renewed or replaced. In case of emergency revocation (e.g., a compromised certificate), services may fail immediately. Best practice is to trust all public CAs. If customers cannot do that (due to technical or policy restrictions), then at minimum they should trust the specific DigiCert CAs used by ServiceNow.
For your convenience, here are links to the DigiCert Trusted Root Authority Certificates.

| | G2 Issuing CA certificate - new | G2 Root certificate - new |
|---|---|---|
| TLS v1.2 | DigiCert Global G2 TLS RSA SHA256 2020 CA1 (Download PEM, Download DER/CRT) | DigiCert Global Root G2 (RSA) (Download PEM, Download DER/CRT) |
| TLS v1.3 | DigiCert Global G3 TLS ECC SHA384 2020 CA1 (Download PEM, Download DER/CRT) | DigiCert Global Root G3 (ECC) (Download PEM, Download DER/CRT) |

Q3. Can you guarantee certificates won't change suddenly?

No. Certificates may need to be replaced unexpectedly due to compromise, compliance, or CA policy changes. Customers must configure flexible trust to avoid service disruptions.

Q4. When does this change take effect?

Starting March 15, 2026, with progressive reductions until March 2029. After 2029, certificates will only last 47 days.

| Certificate issued on or after | Certificate issued before | Maximum Validity Period |
|---|---|---|
| | March 15, 2026 | 398 days |
| March 15, 2026 | March 15, 2027 | 200 days |
| March 15, 2027 | March 15, 2029 | 100 days |
| March 15, 2029 | | 47 days |

Q5. What is ServiceNow's compliance timeline?

ServiceNow plans to stop sending leaf-certificate notifications by February 2026. Customer migration is targeted for completion by 30 September 2026, ensuring all accounts are transitioned before the 100-day industry change in March 2027. This timeline reduces risk and avoids disruption.

Q6. What support is available to help us transition?

Guidance documents and best practices will be shared. For urgent queries, please refer to Customer Support - Contact Us - Support and Troubleshooting.

Q7. What happens if we don't change?

Your services may face recurring outages when certificates are rotated. Operational teams will not be able to guarantee availability for customers who continue to hard-code certificates.

Q8. Are other customers also impacted?

Yes, ~130 customers have been identified with potential hard-coding practices. The change is universal, industry-mandated, and not limited to your organization.
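The difference between the hard-coded leaf check discouraged in Q2 and CA-based trust, shown across a certificate renewal, as an added Go example that is not ServiceNow or DigiCert code. The root CA, hostname and both 47-day leaf certificates are constructed in memory, and the helper names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a cert for cn with parent; a nil parent yields a self-signed, constructed root CA.
func issue(cn string, serial int64, days int, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// matchesPin is the hard-coded approach: compare the leaf's SHA-256 fingerprint to a stored value.
func matchesPin(leaf *x509.Certificate, pin [32]byte) bool { return sha256.Sum256(leaf.Raw) == pin }
// trustedByCA is the flexible approach: validate chain, validity and hostname against trusted roots.
func trustedByCA(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}
// rotationDemo runs both checks against the original leaf and its renewed replacement.
func rotationDemo() (pinOld, pinNew, caOld, caNew bool) {
	const host = "instance.example.test" // constructed hostname
	root, rootKey := issue("Constructed Root CA", 1, 3650, nil, nil)
	oldLeaf, _ := issue(host, 2, 47, root, rootKey)
	newLeaf, _ := issue(host, 3, 47, root, rootKey) // renewal: new key, new serial, same CA
	pin, roots := sha256.Sum256(oldLeaf.Raw), x509.NewCertPool()
	roots.AddCert(root)
	return matchesPin(oldLeaf, pin), matchesPin(newLeaf, pin), trustedByCA(oldLeaf, roots, host), trustedByCA(newLeaf, roots, host)
}
func main() { fmt.Println(rotationDemo()) } // true false true true
```

The stored fingerprint stops matching as soon as the leaf is renewed, while validation against the issuing root keeps succeeding without any client change.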
Additional resources

Certificate Authority/Browser Forum SC-081 - Ballot SC081v3: Schedule of Reducing Validity and Data Reuse Periods
GitHub CA/B Forum - 6.3.2 Certificate operational periods and key pair usage periods
KB1702083 – DigiCert Root & Issuing Certificates

Revision Log (Last updated: 12-Sep-2025)

| Version | Published | Summary of Changes |
|---|---|---|
| 1.0 | 18-SEP-2025 | Initial version |
| 2.0 | 23-SEP-2025 | Updated the KB to remove any duplicates |