Pooja Chugwani
ServiceNow Employee

If certificate discovery for the Sectigo CA is failing, it could be because of one of the following issues.

1. Incorrect Credential – Open the pattern logs from the discovery logs. Check the output of step 5, "Get Certificate List". If it is empty, either the credential alias/credentials are not correct or there is an issue with the API URL. Verify that the credential alias passed to the pattern is associated with the correct credential. To debug further:

  •  Run a simple curl command against the Sectigo API to verify the credentials:

$ curl 'https://cert-manager.com/api/ssl/v1' -i -X GET \
-H 'login: xxxxxxx' \
-H 'Content-Type: application/json' \
-H 'customerUri: xxxxxx' \
-H 'password: xxxxxx'

If the above API call returns HTTP status 200, there is no issue with the credential or the URL.

If it returns HTTP status 401 and {"code":-16,"description":"Unknown user"}, that implies an issue with the credential. Please check your credential.

2. Incorrect API endpoint – We followed this Sectigo documentation for all the API endpoints, but Sectigo advised one of the customers to use the "http://hard.cert-manager.com" API endpoint.

Run a simple curl command against the Sectigo API:
$ curl 'https://hard.cert-manager.com/api/ssl/v1' -i -X GET \
-H 'login: xxxxxxx' \
-H 'Content-Type: application/json' \
-H 'customerUri: xxxxxx' \
-H 'password: xxxxxx'

If it returns HTTP status code 200, then update the API URL in the pattern.

  • Navigate to Discovery Patterns in Instance. Search for "Sectigo - Certificate Management".
  • Open the pattern in the pattern designer.
  • Update the API URL in 2nd step to "https://hard.cert-manager.com/api/ssl/" + $API_version
  • Save the pattern. Publish it.
  • Navigate to Discovery -> MID Server. Select "Pattern Sync to MID".

3. Exclude Revoked Certificates – To fetch each certificate's details, the pattern makes an API call to get the certificate's PEM file. Once the PEM file is received, we extract details such as the fingerprint, subject common name and serial number from it and store each record in the cmdb_ci_certificate table. However, the Sectigo API does not return a PEM file for revoked certificates, so we need to exclude Revoked from the default certificate status list.

  • Navigate to MID Server -> Script Includes.
  • Select SSlCertificateUtil. Update line 327 from

var discoverCertStatus = ['Issued', 'Expired', 'Revoked'];

to this

var discoverCertStatus = ['Issued', 'Expired'];

  • Save it. Run discovery again.

A PRB has been created for fixing this revoked certificate issue. It will be fixed in Certificate Management V4.
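The three checks above, combined into one script. This is an added example, not code from the ServiceNow pattern or from Sectigo: it sends the same headers as the curl command in step 1, classifies the response the way steps 1 and 2 describe, tries the "hard" endpoint from step 2 as a fallback, and drops Revoked from the status list as in step 3. The "v1" API version suffix and the JSON shape of the certificate list (a list of objects with a "status" field) are assumptions.

```python
import json
import urllib.error
import urllib.request

# Endpoints named in steps 1 and 2; the API_version suffix is assumed to be "v1".
SECTIGO_BASE_URLS = [
    "https://cert-manager.com/api/ssl/v1",
    "https://hard.cert-manager.com/api/ssl/v1",
]
# Step 3: the default status list with "Revoked" removed (no PEM is returned for it).
DISCOVER_CERT_STATUS = ["Issued", "Expired"]


def auth_headers(login, password, customer_uri):
    """Same headers as the curl command in step 1."""
    return {"login": login, "password": password,
            "customerUri": customer_uri, "Content-Type": "application/json"}


def diagnose(status, body):
    """Map an HTTP status and response body to the outcomes described in steps 1 and 2."""
    if status == 200:
        return "ok"                      # credential and URL are fine
    if status == 401:
        try:
            err = json.loads(body)
        except ValueError:
            err = {}
        if err.get("code") == -16:       # {"code":-16,"description":"Unknown user"}
            return "bad-credentials"
        return "unauthorized"
    return "endpoint-or-network"         # anything else: suspect the API URL / reachability


def http_get(url, headers):
    """Real transport, returns (status, body_text); kept separate so it can be replaced offline."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def find_working_endpoint(headers, get=http_get, bases=SECTIGO_BASE_URLS):
    """Try the documented endpoint, then the 'hard' one; return (working base or None, diagnosis per base)."""
    results = {}
    for base in bases:
        status, body = get(base, headers)
        results[base] = diagnose(status, body)
        if results[base] == "ok":
            return base, results
    return None, results


def certs_to_fetch(cert_list, statuses=DISCOVER_CERT_STATUS):
    """Keep only the certificates whose PEM the pattern should request (step 3)."""
    return [c for c in cert_list if c.get("status") in statuses]
```

If `find_working_endpoint` returns the hard endpoint, update the API URL in the pattern as described in step 2; if every base reports "bad-credentials", fix the credential alias first.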

Comments
Marcio Olivieri
Tera Expert

Hi there.

I'm trying to discover our Sectigo certificates, and apparently Sectigo require us to provide "customerUri" value. I can't see that option in the Discovery Pattern. Any clues about that?

If we try to follow this guide, that displays "Customer URI" value, then we get stuck (under Sectigo section) to fill the "Authentication Key" and "Password" values. Any clues? Thank you!

Version history
Last update:
03-08-2021 10:10 AM
Updated by: