Microsoft CA Certificate Discovery – Few or No Certificates Discovered<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; } :root { --infinite-blue: #032D42; --wasabi-green: #63DF4E; --bright-blue: #52B8FF; --bright-indigo: #7661FF; --bright-purple: #BF71F2; --header-bg: var(--infinite-blue); --accent: var(--wasabi-green); --accent-light: #e8fce4; --border: #d0dbe0; --text-primary: #0d1f2b; --text-secondary: #3d5a6a; --bg-page: #f2f5f7; --bg-card: #ffffff; --warn-bg: #fff4e0; --warn-border: #e6a817; --note-bg: #e6f4ff; --note-border: var(--bright-blue); --tag-bg: #e8fce4; --tag-color: #032D42; --radius: 6px; } body { font-family: 'Lato', sans-serif; font-size: 15px; line-height: 1.7; color: var(--text-primary); background: var(--bg-page); padding: 40px 20px 80px; } .kb-wrapper { max-width: 860px; margin: 0 auto; } /* ── Plain title ── */ .kb-title { font-size: 18px; font-weight: 900; color: var(--infinite-blue); margin-bottom: 20px; } /* ── Body ── */ .kb-body { background: var(--bg-card); border: 1px solid var(--border); border-radius: var(--radius); padding: 36px 36px 40px; } .section { margin-bottom: 34px; } .section:last-child { margin-bottom: 0; } h2.section-title { font-size: 16px; font-weight: 900; color: var(--infinite-blue); margin-bottom: 14px; padding-bottom: 8px; border-bottom: 2px solid var(--accent-light); } p { margin-bottom: 12px; color: var(--text-primary); } p:last-child { margin-bottom: 0; } ul, ol { padding-left: 22px; margin-bottom: 12px; } li { margin-bottom: 6px; } li:last-child { margin-bottom: 0; } /* ── Inline code ── */ code { font-family: 'Courier New', Courier, monospace; font-size: 13px; background: #e6f0f5; color: #032D42; padding: 1px 6px; border-radius: 3px; border: 1px solid #b8cfd8; } /* ── Code block ── */ pre { font-family: 'Courier New', Courier, monospace; font-size: 13px; background: #032D42; color: #63DF4E; padding: 14px 18px; border-radius: var(--radius); margin: 12px 0; overflow-x: auto; line-height: 1.8; } /* ── Callouts ── */ .callout { border-left: 4px solid var(--note-border); background: var(--note-bg); border-radius: 0 var(--radius) var(--radius) 0; padding: 13px 16px; margin: 16px 0; font-size: 14px; } .callout.warn { border-left-color: var(--warn-border); background: var(--warn-bg); } .callout strong { display: block; margin-bottom: 4px; font-weight: 700; } /* ── Example table ── */ .example-table { width: 100%; border-collapse: collapse; margin: 16px 0; font-size: 14px; } .example-table thead tr { background: var(--infinite-blue); color: #fff; } .example-table thead th { padding: 10px 14px; text-align: left; font-weight: 700; letter-spacing: .02em; } .example-table tbody tr:nth-child(even) { background: var(--accent-light); } .example-table tbody td { padding: 10px 14px; border-bottom: 1px solid var(--border); vertical-align: top; } /* ── Steps ── */ .steps-list { list-style: none; padding-left: 0; counter-reset: steps; } .steps-list li { counter-increment: steps; display: flex; gap: 14px; align-items: flex-start; margin-bottom: 14px; } .steps-list li::before { content: counter(steps); flex-shrink: 0; width: 26px; height: 26px; background: var(--infinite-blue); color: var(--wasabi-green); border-radius: 50%; font-size: 12px; font-weight: 900; display: flex; align-items: center; justify-content: center; margin-top: 2px; } /* ── Related chips ── */ .related-list { list-style: none; padding-left: 0; display: flex; flex-direction: column; gap: 8px; } .related-list li { background: var(--tag-bg); color: var(--tag-color); border: 1px solid #a8dfa0; border-radius: var(--radius); padding: 8px 14px; font-size: 13.5px; font-weight: 700; margin-bottom: 0; } .related-list li span { font-weight: 400; color: var(--text-secondary); margin-left: 6px; } .related-list li a { color: #032D42; text-decoration: none; font-weight: 400; word-break: break-all; } .related-list li a:hover { text-decoration: underline; color: #0057a8; } /* ── Footer ── */ .kb-footer { margin-top: 20px; font-size: 12px; color: #6a8a9a; text-align: center; line-height: 1.6; } hr.section-divider { border: none; border-top: 1px solid var(--border); margin: 30px 0; } *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; } :root { --infinite-blue: #032D42; --wasabi-green: #63DF4E; --bright-blue: #52B8FF; --bright-indigo: #7661FF; --bright-purple: #BF71F2; --header-bg: var(--infinite-blue); --accent: var(--wasabi-green); --accent-light: #e8fce4; --border: #d0dbe0; --text-primary: #0d1f2b; --text-secondary: #3d5a6a; --bg-page: #f2f5f7; --bg-card: #ffffff; --warn-bg: #fff4e0; --warn-border: #e6a817; --note-bg: #e6f4ff; --note-border: var(--bright-blue); --tag-bg: #e8fce4; --tag-color: #032D42; --radius: 6px; } body { font-family: 'Lato', sans-serif; font-size: 15px; line-height: 1.7; color: var(--text-primary); background: var(--bg-page); padding: 40px 20px 80px; } .kb-wrapper { max-width: 860px; margin: 0 auto; } /* ── Plain title ── */ .kb-title { font-size: 18px; font-weight: 900; color: var(--infinite-blue); margin-bottom: 20px; } /* ── Body ── */ .kb-body { background: var(--bg-card); border: 1px solid var(--border); border-radius: var(--radius); padding: 36px 36px 40px; } .section { margin-bottom: 34px; } .section:last-child { margin-bottom: 0; } h2.section-title { font-size: 16px; font-weight: 900; color: var(--infinite-blue); margin-bottom: 14px; padding-bottom: 8px; border-bottom: 2px solid var(--accent-light); } p { margin-bottom: 12px; color: var(--text-primary); } p:last-child { margin-bottom: 0; } ul, ol { padding-left: 22px; margin-bottom: 12px; } li { margin-bottom: 6px; } li:last-child { margin-bottom: 0; } /* ── Inline code ── */ code { font-family: 'Courier New', Courier, monospace; font-size: 13px; background: #e6f0f5; color: #032D42; padding: 1px 6px; border-radius: 3px; border: 1px solid #b8cfd8; } /* ── Code block ── */ pre { font-family: 'Courier New', Courier, monospace; font-size: 13px; background: #032D42; color: #63DF4E; padding: 14px 18px; border-radius: var(--radius); margin: 12px 0; overflow-x: auto; line-height: 1.8; } /* ── Callouts ── */ .callout { border-left: 4px solid var(--note-border); background: var(--note-bg); border-radius: 0 var(--radius) var(--radius) 0; padding: 13px 16px; margin: 16px 0; font-size: 14px; } .callout.warn { border-left-color: var(--warn-border); background: var(--warn-bg); } .callout strong { display: block; margin-bottom: 4px; font-weight: 700; } /* ── Example table ── */ .example-table { width: 100%; border-collapse: collapse; margin: 16px 0; font-size: 14px; } .example-table thead tr { background: var(--infinite-blue); color: #fff; } .example-table thead th { padding: 10px 14px; text-align: left; font-weight: 700; letter-spacing: .02em; } .example-table tbody tr:nth-child(even) { background: var(--accent-light); } .example-table tbody td { padding: 10px 14px; border-bottom: 1px solid var(--border); vertical-align: top; } /* ── Steps ── */ .steps-list { list-style: none; padding-left: 0; counter-reset: steps; } .steps-list li { counter-increment: steps; display: flex; gap: 14px; align-items: flex-start; margin-bottom: 14px; } .steps-list li::before { content: counter(steps); flex-shrink: 0; width: 26px; height: 26px; background: var(--infinite-blue); color: var(--wasabi-green); border-radius: 50%; font-size: 12px; font-weight: 900; display: flex; align-items: center; justify-content: center; margin-top: 2px; } /* ── Related chips ── */ .related-list { list-style: none; padding-left: 0; display: flex; flex-direction: column; gap: 8px; } .related-list li { background: var(--tag-bg); color: var(--tag-color); border: 1px solid #a8dfa0; border-radius: var(--radius); padding: 8px 14px; font-size: 13.5px; font-weight: 700; margin-bottom: 0; } .related-list li span { font-weight: 400; color: var(--text-secondary); margin-left: 6px; } .related-list li a { color: #032D42; text-decoration: none; font-weight: 400; word-break: break-all; } .related-list li a:hover { text-decoration: underline; color: #0057a8; } /* ── Footer ── */ .kb-footer { margin-top: 20px; font-size: 12px; color: #6a8a9a; text-align: center; line-height: 1.6; } hr.section-divider { border: none; border-top: 1px solid var(--border); margin: 30px 0; } Issue Microsoft Certificate Authority (CA) certificate Discovery is not discovering certificates on CA servers where issued certificates have been confirmed. The Discovery pattern completes without errors but returns few or no Certificate CIs. Symptoms template_list is set to all in the Discovery Pattern Launcher Parameters.start_offset is set to 1.limit is set to 20000.The Discovery pattern completes without errors.Few or no Certificate CIs are created despite more issued certificates being confirmed on the CA server. Facts The Microsoft Certificate Authority (CA) Certificates pattern is a Serverless Execution Pattern.When template_list is set to all, the pattern uses the certutil command to retrieve issued certificates from the CA using a RequestID range query.start_offset specifies the RequestID number of the certificate from which to start.limit specifies how many certificates to discover. Its value is used to calculate the upper bound of the requestID < part of the certutil query. How the certutil Query Range Is Constructed The pattern builds the certutil restrict query as follows: -restrict requestID > [start_offset], requestID < [start_offset + limit] Examples start_offsetlimitcertutil Query Generated120000-restrict requestID > 1, requestID < 200002000120000-restrict requestID > 20001, requestID < 40000130000-restrict requestID > 1, requestID < 30000 Cause The issued certificates on the CA server have RequestIDs in ranges above 20,000. The configured parameters (start_offset = 1, limit = 20000) produce a certutil query that only covers RequestIDs 1 through 20,000. Because this range does not overlap with where the active certificate records reside, the query returns no results. Important The Discovery pattern does not automatically detect the RequestID range of issued certificates. If start_offset and limit are not configured to cover the range where active certificates exist, the pattern will complete successfully but return no CIs. Solution For CA deployments with more than 20,000 issued certificates, create multiple Serverless Execution Pattern instances — one per RequestID range — so that all active certificates are covered across the full span of RequestIDs. Recommended Configuration for Large CA Deployments Pattern Instancestart_offsetlimitCovers RequestIDsInstance 11200001 – 20,000Instance 2200012000020,001 – 40,000Instance 3400012000040,001 – 60,000Instance 4600012000060,001 – 80,000 Tip Extend the pattern instances as needed to cover the full RequestID range of your CA. Add additional instances in increments of 20,000 (or your configured limit value) until the highest known RequestID is included in a range. Steps to Resolve Identify the RequestID range of issued certificates. On the CA server, run certutil -view or use the Certification Authority MMC snap-in to determine the lowest and highest RequestIDs of the issued certificates. Calculate the number of pattern instances required. Divide the highest RequestID by your limit value (e.g., 20,000) and round up to determine how many instances are needed to cover the full range. Create a Serverless Execution Pattern instance for each range. Duplicate the existing Microsoft Certificate Authority (CA) Certificates pattern and set start_offset incrementally for each instance: 1, 20001, 40001, 60001, and so on. Verify template_list is set to all on each pattern instance to ensure all certificate templates are included in the query. Run Discovery and validate results. Execute each pattern instance and confirm that Certificate CIs are created for the expected RequestID ranges. Review Discovery logs to verify no errors are present. Related Links https://www.servicenow.com/docs/r/it-operations-management/discovery-and-service-mapping-patterns/microsoft-ca-discovery.htmlhttps://www.servicenow.com/docs/r/it-operations-management/discovery-and-service-mapping-patterns/create-serverless-schedule-ms-ca.html KB Article: Microsoft CA Certificate Discovery – Certificates Not Discovered | Discovery / Certificate Management | All ServiceNow Versions