Infrastructure Enhancement: TLS 1.3 and ECDSA Certificate Support - Support and Troubleshooting

Infrastructure Enhancement: TLS 1.3 and ECDSA Certificate Support .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Upcoming Infrastructure Enhancement: TLS 1.3 and ECDSA Certificate Support At a Glance

What:

ServiceNow is adding TLS 1.3 and ECDSA certificate support to all customer-facing endpoints.

When:

June/July 2026

Impact:

No customer action is required in the vast majority of cases. TLS 1.2 and RSA certificates will continue to be fully supported.

Who is affected:

Customers using integrations or clients that do not support TLS 1.3 or ECDSA should verify compatibility. See FAQ below.

What Is Changing ServiceNow will begin offering TLS 1.3 connections and serving ECDSA (Elliptic Curve Digital Signature Algorithm) certificates alongside the existing TLS 1.2 and RSA certificate infrastructure on customer-facing endpoints. This is an additive change; existing protocol versions and certificate types will remain available and fully functional.

Clients that support TLS 1.3 will automatically negotiate the newer protocol during the TLS handshake. Clients that only support TLS 1.2 will continue to connect exactly as they do today with no degradation in service. Similarly, clients capable of validating ECDSA certificates will receive an ECDSA certificate, while those that require RSA will continue to receive an RSA certificate.

Why We Are Making This Change These enhancements are part of ServiceNow’s ongoing commitment to providing industry-leading security and performance for our customers. TLS 1.3 and ECDSA certificates each offer meaningful improvements over their predecessors.

TLS 1.3 Overview TLS 1.3 is the latest version of the Transport Layer Security protocol, finalized by the IETF in RFC 8446 (August 2018). Compared to TLS 1.2, it offers several key improvements:

Stronger security defaults. TLS 1.3 removes support for older, weaker cryptographic algorithms (such as RC4, 3DES, and static RSA key exchange) that were still permitted in TLS 1.2. All cipher suites in TLS 1.3 provide forward secrecy by default, meaning that even if a server’s private key is compromised in the future, previously captured traffic cannot be decrypted.

Faster handshake. TLS 1.3 reduces the handshake from two round trips to one, which lowers connection latency. Returning clients can use a zero-round-trip (0-RTT) resumption mode for even faster reconnections.

Simplified protocol design. TLS 1.3 significantly reduces the number of configurable options and cipher suite combinations, making it harder to misconfigure and easier to audit. The handshake itself encrypts more of the negotiation, reducing the amount of metadata visible to network observers.

ECDSA Certificate Overview ECDSA (Elliptic Curve Digital Signature Algorithm) certificates use elliptic curve cryptography rather than the traditional RSA algorithm for digital signatures. They offer several advantages over RSA certificates:

Equivalent security with smaller keys. A 256-bit ECDSA key provides comparable cryptographic strength to a 3072-bit RSA key. Smaller keys translate to smaller certificates, faster signature generation and verification, and reduced computational overhead on both the server and the client.

Improved TLS performance. Because ECDSA signatures and public keys are significantly smaller than their RSA equivalents, the TLS handshake transmits less data. This results in lower latency during connection establishment, particularly on high-volume or resource-constrained environments.

Industry alignment. ECDSA is broadly adopted across major cloud providers, browsers, and industry frameworks. Supporting ECDSA certificates ensures ServiceNow remains aligned with current best practices and compliance standards.

Frequently Asked Questions Do I need to take any action?

For the vast majority of customers, no action is required. Modern browsers, operating systems, and HTTP client libraries already support both TLS 1.3 and ECDSA certificates. Your existing integrations and user access will continue to work without modification.

Will TLS 1.2 stop working?

No. ServiceNow will continue to support TLS 1.2 on all customer-facing endpoints. This change adds TLS 1.3 as an additional option; it does not remove or disable TLS 1.2 support.

Will RSA certificates stop working?

No. ServiceNow will continue to serve RSA certificates for clients that do not support ECDSA. The server will select the appropriate certificate type based on what the connecting client advertises during the TLS handshake.

How does the server decide whether to use TLS 1.3 or TLS 1.2?

During the TLS handshake, the client and server negotiate the highest protocol version they both support. If the client supports TLS 1.3, it will be used. If the client only supports TLS 1.2 (or earlier negotiated versions), TLS 1.2 will be used. This negotiation is automatic and requires no configuration on the client side.

How does the server decide whether to use an ECDSA or RSA certificate?

The server examines the client’s supported signature algorithms and cipher suites during the TLS handshake. If the client supports ECDSA, the server will prefer the ECDSA certificate. If the client does not indicate ECDSA support, the server will present an RSA certificate. This selection is transparent to the end user.

What if I have a custom integration or API client that may not support TLS 1.3 or ECDSA?

If your integration uses a modern TLS library (such as OpenSSL 1.1.1 or later, Java 11 or later, or .NET Framework 4.7 or later), it already supports both TLS 1.3 and ECDSA. If you are running an older client or a custom TLS configuration that restricts protocol versions or signature algorithms, you should verify that TLS 1.2 and RSA remain enabled in your configuration. Since ServiceNow will continue to support both, no changes are needed unless your client explicitly blocks the handshake fallback.

Could this change cause any certificate validation errors?

If your client or integration pins specific certificates or enforces an allowlist of certificate authorities, you should verify that your trust store includes the certificate authorities used by ServiceNow for ECDSA certificates. Customers using standard public trust stores (for example, the default trust stores shipped with major operating systems and browsers) will not experience any issues.

Will this change affect the MID Server?

MID Servers running on a supported Java version (Java 11 or later) already support TLS 1.3 and ECDSA. If your MID Servers are on a current supported version, no action is needed. If you are running MID Servers on an older or unsupported Java runtime, we recommend upgrading to a supported version as part of your regular maintenance cycle.

When will this change take effect?

The target rollout date has not yet been finalized. ServiceNow will provide advance notice through this Knowledge Base article and standard customer communication channels before the change is enabled. This article will be updated with specific dates as they become available.

I previously requested a custom TLS configuration that includes TLS 1.3. How does this change affect me?

Some customers have already worked with ServiceNow to enable TLS 1.3 through a custom TLS configuration on their instance. With this platform-wide rollout, TLS 1.3 will become available by default on all customer-facing endpoints. If you already have a custom configuration in place, your instance will continue to function as expected. After the rollout is complete, TLS 1.3 support will no longer require a custom configuration request, as it will be part of the standard platform offering. No action is required on your part.

Who should I contact if I have questions or concerns?

If you have questions about this change or need assistance verifying your integration compatibility, please contact ServiceNow Support through the Now Support portal (https://support.servicenow.com) or reach out to your designated Technical Account Manager.

Additional Resources IETF RFC 8446 — The Transport Layer Security (TLS) Protocol Version 1.3: https://datatracker.ietf.org/doc/html/rfc8446

NIST SP 800-52 Rev. 2 — Guidelines for TLS Implementations: https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final

ServiceNow Platform Security Documentation: https://docs.servicenow.com