SSO ISSUE

JackieZhang
Kilo Sage

We have encountered several issues during the SSO implementation. The client uses a self-developed IdP. First, we are unsure whether the SAML Request uses the GET or POST method. Second, when using the POST method, an error is reported stating that the method is incorrect. When using the GET method, the IdP side requires a certificate; how do we generate ServiceNow's X.509 certificate?


Thanks for the follow-up @JackieZhang. Let's troubleshoot this precisely. If ServiceNow is still rejecting the private key with a "not PEM" error, even after using the openssl pkcs8 conversion, here are the most likely causes and how to fix them:

1. Check the Output Format

Ensure the converted file (saml_pkcs8.key) starts and ends with exactly:

-----BEGIN PRIVATE KEY-----
(base64 content)
-----END PRIVATE KEY-----

If it says -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----, it's not the correct format.

2. Use This Exact OpenSSL Command

openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.key -out saml_pkcs8.key -nocrypt

Important:

  • -nocrypt ensures the key is not encrypted — ServiceNow does not support encrypted private keys.
  • -topk8 converts from PKCS#1 to PKCS#8.

3. Verify the File Encoding

Sometimes the file gets saved with incorrect encoding (e.g., UTF-16 or with BOM). Make sure:

  • The file is saved as UTF-8 without BOM.
  • No extra spaces, tabs, or line breaks are added before or after the key.

Use a plain text editor like Notepad++ or VS Code and check the encoding.

4. Validate the Key Format

You can run this to check the key:

openssl pkey -in saml_pkcs8.key -noout -text

If it throws an error, the key is malformed.

5. Paste Carefully into ServiceNow

When pasting into Multi-Provider SSO → Certificates → Private Key:

  • Paste only the key content.
  • Do not include any extra characters or metadata.
  • Make sure the field is set to type Private Key, not Certificate.

If this is helpful, please hit the thumbs-up button and please mark the answer as correct based on the impact!!

Kind Regards,

Shaik Mohammed Mustaq

And I found there is no difference before I used the command openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.key -out saml_pkcs8.key -nocrypt and after.

If there’s no difference between the original saml.key and the converted saml_pkcs8.key, then your original key is probably already in PKCS#8 format, meaning the conversion command doesn’t change anything.

But here's the catch: even if the format is correct, ServiceNow might still reject it due to encoding, header mismatch, or invisible characters.

Check the header and footer: open both files in a plain text editor and confirm

-----BEGIN PRIVATE KEY-----
(base64 content)
-----END PRIVATE KEY-----

  • -----BEGIN RSA PRIVATE KEY----- → PKCS#1 format
  • -----BEGIN ENCRYPTED PRIVATE KEY----- → Encrypted, not accepted
  • -----BEGIN EC PRIVATE KEY----- → Elliptic Curve, not supported by all IdPs

If your original key already says BEGIN PRIVATE KEY, it's PKCS#8 — but still check the encoding.

Run this to confirm it's a valid PKCS#8 key:

openssl pkey -in saml.key -noout -text

If it works without error, the key is valid. If it fails, the key is malformed or not PKCS#8.
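As an added illustration of the checks in the two replies above (BOM or UTF-16 encoding, header and footer label, stray whitespace, base64 and DER sanity) and of what openssl pkcs8 -topk8 -nocrypt actually does to an RSA key, the script below reproduces them in pure Python so it runs without an openssl binary. It is not code from the thread, from ServiceNow or from OpenSSL; the function names are my own, and the sample key it builds is a constructed placeholder DER structure, not a usable RSA key. For a real file, openssl pkey -in file -noout -text stays the authoritative parser; note that pkey accepts both PKCS#1 and PKCS#8 input, so the header label, not the parse, is what tells you which one you have.

```python
import base64
import binascii
import re

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with
# NULL parameters; this is the wrapper PKCS#8 puts around a PKCS#1 RSA key.
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# PEM labels that turn up in "not PEM" tickets, mapped to the format they mean.
PEM_LABELS = {
    "PRIVATE KEY": "pkcs8",                      # unencrypted PKCS#8: what the field expects
    "RSA PRIVATE KEY": "pkcs1",                  # traditional format: needs -topk8
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",  # needs re-export with -nocrypt
    "EC PRIVATE KEY": "sec1-ec",
}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def pem_encode(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_der(pem: str) -> bytes:
    """Base64-decode everything between the PEM header and footer lines."""
    lines = pem.replace("\r\n", "\n").strip().split("\n")
    return base64.b64decode("".join(lines[1:-1]))


def diagnose(raw: bytes) -> dict:
    """Report the things a pasted key is usually rejected for, from raw file bytes."""
    f = {"bom": False, "utf16": False, "stray_whitespace": False,
         "format": "not-pem", "der_ok": False}
    if raw.startswith(b"\xef\xbb\xbf"):                # UTF-8 BOM written by some editors
        f["bom"] = True
        raw = raw[3:]
    elif raw.startswith((b"\xff\xfe", b"\xfe\xff")):   # UTF-16 BOM
        f["utf16"] = True
        raw = raw.decode("utf-16").encode("utf-8")
    text = raw.decode("utf-8", errors="replace").replace("\r\n", "\n")
    core = text.strip()
    # openssl writes exactly one trailing newline; anything else around the
    # envelope is the "extra spaces, tabs, or line breaks" the reply warns about.
    f["stray_whitespace"] = text not in (core, core + "\n")
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----\n(.*)\n-----END \1-----", core, re.S)
    if m is None:                                      # no envelope, or header/footer mismatch
        return f
    label, body = m.groups()
    f["format"] = PEM_LABELS.get(label, label.lower())
    if any(line != line.strip() for line in body.split("\n")):
        f["stray_whitespace"] = True
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):               # invisible or non-base64 characters
        return f
    f["der_ok"] = der[:1] == b"\x30"                   # every key type here is a DER SEQUENCE
    return f


def to_pkcs8(pem: str) -> str:
    """Pure-Python equivalent of `openssl pkcs8 -topk8 -nocrypt` for an RSA key."""
    f = diagnose(pem.encode("utf-8"))
    if f["format"] == "pkcs8":
        return pem      # already PKCS#8: the conversion is a no-op, as observed in the thread
    if f["format"] != "pkcs1" or not f["der_ok"]:
        raise ValueError(f"cannot wrap a {f['format']} key as unencrypted PKCS#8")
    # PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING(RSAPrivateKey) }
    info = der_tlv(0x02, b"\x00") + RSA_ALG_ID + der_tlv(0x04, pem_der(pem))
    return pem_encode("PRIVATE KEY", der_tlv(0x30, info))


# Constructed stand-in for a PKCS#1 RSAPrivateKey: version 0 followed by two
# placeholder INTEGERs. It is not a usable key; it only exercises the envelope logic.
FAKE_RSA_DER = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x02, b"\x0b") + der_tlv(0x02, b"\x03"))
SAMPLE_PKCS1_PEM = pem_encode("RSA PRIVATE KEY", FAKE_RSA_DER)

if __name__ == "__main__":
    samples = {
        "clean pkcs1": SAMPLE_PKCS1_PEM.encode("utf-8"),
        "with utf-8 bom": b"\xef\xbb\xbf" + SAMPLE_PKCS1_PEM.encode("utf-8"),
        "leading spaces": b"   " + SAMPLE_PKCS1_PEM.encode("utf-8"),
        "converted pkcs8": to_pkcs8(SAMPLE_PKCS1_PEM).encode("utf-8"),
    }
    for name, blob in samples.items():
        print(f"{name:16s} {diagnose(blob)}")
```

Run it against the bytes of your own saml.key (read with open(path, "rb")) and look at which flag flips: a BOM or UTF-16 flag means the editor, not the key, is the problem; "pkcs1" means the -topk8 step was really needed; "pkcs8-encrypted" means the export must be repeated with -nocrypt.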


-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

The header is correct but ServiceNow did not accept it. Then I found another way: transform it to PKCS#12, and then ServiceNow accepts it. But I don't know if it worked.