SSL Certificate Information

From ServiceNow Wiki


1 Overview

Protecting the security and privacy of our customers is among our top priorities, so ServiceNow utilizes SSL/TLS to encrypt communications for all customer instances. In order to continue to provide best-in-class protection, we are upgrading our SSL/TLS encryption.

We are making this change because SSL certificates signed with the SHA-1 algorithm have been known for some time to contain security weaknesses that could lead to the unintentional disclosure of sensitive information if compromised. An industry-wide effort (led by Google, Microsoft, and others) is forcing the timeframe for sunsetting this older technology.

In addition to the technical change, ServiceNow will be leveraging this opportunity to increase the frequency at which we rotate SSL certificates. A shorter lifespan for SSL certificates reduces our exposure window and also gives us greater flexibility to deal with unforeseen security issues. Because so many recent headlines have featured exposures in the SSL protocol and the surrounding technologies (Heartbleed, POODLE, root CA compromises, unauthorized disclosures), ServiceNow views this as a necessary step in order to stay ahead of current and future threats.

2 Changes to SSL Certificates

The following changes will occur when we upgrade our SSL/TLS encryption:

  • The SSL certificate used by ServiceNow, https://*.service-now.com, will be upgraded to a “SHA-2” certificate beginning in October 2015. This change will be phased in across datacenters. As a lead up to this change, ServiceNow previously provided an interim SHA-1 SSL certificate that expires in December 2015. The interim certificate gave customers additional time to plan for the transition.
  • ServiceNow will increase the cadence at which our SSL certificate is rotated (currently 2 years), and will no longer notify customers for routine changes. This is an industry best practice, enables ServiceNow to provide improved security for our customers, and allows us to react more quickly to the changing threat landscape. A routine change includes, but is not limited to, any change not materially affecting the technical nature or performance of the certificate. Examples are:
    • replacing the certificate with a new expiration date
    • revoking outdated certificates
    • adding a feature such as an additional server name or supported ciphersuite
    (Note that events which may trigger a notification include, but are not limited to, a change in Root CA providers or disabling a feature or supported algorithm.)
  • ServiceNow will no longer provide advance copies of our SSL certificate to customers. Customers should trust the Root Certificate provided by our certificate vendor, Entrust.

A small number of users may be affected by the change to a new certificate and rotation process. ServiceNow is making every effort to identify and work with customers who have been affected by this type of change in the past. We will continue to provide information and tools to assist with this transition.

2.1 Determining If Your Instance is Affected by This Change

All customers utilizing the ServiceNow web application will use the new SSL certificate, but for the most part, this will be a transparent change.

The only customers likely to require manual intervention are those who have integrations, caching, or proxy servers that use a hard-coded ServiceNow SSL certificate.

  • Some inbound integrations (services connecting to your ServiceNow instance) may have the current SSL certificate hard-coded. You can view integrations that may be affected on the List of Available Integrations. Contact the service owner of any integration that connects to your ServiceNow instance to verify that it will properly handle the SSL certificate change.
  • If you access your ServiceNow instance using a URL similar to https://<instance>.service-now.com/, you are likely not affected. If you access your ServiceNow instance by a different URL, you most likely access the instance through a proxy. Please contact your IT department or network administrator to verify that the proxy can handle the SSL certificate change properly.

Normal web browsers like Internet Explorer, Firefox, Chrome, or Safari are not affected.

2.2 Preparing for SSL Certificate Upgrade

  • Use updated web browsers and maintain software patch levels.
  • Read the information provided by ServiceNow and communicate this change to any members of your organization who could be affected.
  • Use the SSL Certificate Testing procedures provided by ServiceNow. For an in-depth test plan, please see SSL Certificate Testing.
  • Use the SHA-2 SSL certificate anchored to the G2 Root of Entrust, our third-party Certificate Authority. SSL certificate information and all parts of the SSL certificate chain (such as metadata names and spelling, subject alternative names, wildcards, and root CA providers and types) can change. ServiceNow recommends not hard-coding the ServiceNow certificate. Hard-coded certificates will likely cause interrupted access during a certificate change.
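
One way to find the hard-coded certificates that sections 2.1 and 2.2 warn about is to scan integration or proxy configuration text for embedded PEM certificates and read each one's signature algorithm. This is an added example, not ServiceNow code; the function names, the three-entry OID table and the sample configuration are assumptions made for illustration, and the sample "certificates" are constructed DER stand-ins rather than real ones.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# DER-encoded signature algorithm OIDs (hex) mapped to their usual names.
SIG_OIDS = {"2a864886f70d010105": "sha1WithRSAEncryption",
            "2a864886f70d01010b": "sha256WithRSAEncryption",
            "2a8648ce3d040302": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_algorithm(der):  # names the outer signatureAlgorithm of a certificate
    tag, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    alg_tag, alg, _ = read_tlv(cert, pos)  # signatureAlgorithm ::= SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)     # algorithm OBJECT IDENTIFIER
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate structure")
    return SIG_OIDS.get(oid.hex(), "unknown OID " + oid.hex())

def audit_pinned_certs(text):
    """List (position, algorithm, is_sha1) for every PEM certificate in text."""
    findings = []
    for i, m in enumerate(PEM_RE.finditer(text), 1):
        try:
            alg = signature_algorithm(base64.b64decode("".join(m.group(1).split())))
        except (ValueError, IndexError):
            alg = "unparseable"
        findings.append((i, alg, alg.startswith("sha1")))
    return findings

def _tlv(tag, value):  # DER builder for the constructed samples (lengths < 256)
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def _sample_pem(oid_hex):  # constructed stand-in, not a real certificate
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    der = _tlv(0x30, _tlv(0x30, b"\x00" * 200) + alg + _tlv(0x03, b"\x00" * 17))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed integration config with two hard-coded certificates.
SAMPLE_CONFIG = ("endpoint = https://<instance>.service-now.com/\nold_pin =\n"
                 + _sample_pem("2a864886f70d010105") + "new_pin =\n" + _sample_pem("2a864886f70d01010b"))
```

Every finding is a hard-coded copy that stops matching when the certificate is rotated; entries with `is_sha1` set are additionally signed with the algorithm being retired.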

2.3 Receiving Notifications About Changes to the Root CA

ServiceNow uses Entrust as our 3rd party Certificate Authority (CA). The *.service-now.com SHA-2 SSL certificate is anchored to the Entrust G2 Root that expires December 7, 2030. Entrust has indicated that there are no planned changes to the root hierarchy and if one does occur, ample notice will be provided before any changes are made that could impact the validity of the Root CA.

2.4 Obtaining Help for SSL Certificate Changes

If you believe there is a problem with the SSL certificate change, please contact ServiceNow Customer Support.

3 SSL Certificates

If you have determined that your instance is impacted by the SSL certificate change, use this certificate information to resolve any issues.

3.1 Root CA Certificate post October 2015

Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2

Note that the *.service-now.com SSL certificate and associated Entrust chain certificates are subject to change and not provided here. If you need more information, please contact ServiceNow Technical Support.

3.2 Certificate Archive

The rest of these certificates are for historical purposes only.
