thiyagu_j
ServiceNow Employee

How to create a schedule for Microsoft CA Certificate Discovery?

Solution:

Step 1: Go to Discovery Schedules and click the New button.

Step 2: Fill in the form fields:

            Name: give the schedule an appropriate name.

            Discover: select Serverless as the discover type.

            MID: select an appropriate MID server for the discovery.

Once these fields are filled in, save the discovery schedule.

Step 3: After saving the schedule, two tabs appear below the form:

           1. Discovery Status

           2. Serverless Execution Pattern

Step 4: Select the Serverless Execution Pattern tab and click the New button.


Step 5: Give the record a name, select the Microsoft CA pattern in the form fields and save the form.


Step 6: After saving, fill in the input parameters for the pattern:

           1. template_list: the certificate template(s) whose certificates should be discovered.

           2. start_offset: the index (request number) at which discovery starts. If left blank, discovery starts at index 1.

           3. ip: the IP address of the CA host where the certificates are deployed.


Note: by default a single pattern discovers at most 20,000 certificates.

Step 7: If more than 20,000 certificates have been issued, add further serverless execution patterns to the schedule you created:

            1. Go to the discovery schedule and select the Serverless Execution Pattern tab.

            2. Repeat steps 4, 5 and 6, setting start_offset to 20001 in step 6.

Keep repeating steps 4, 5 and 6, increasing start_offset by 20,000 each time (40001, 60001, and so on), until all the certificates are covered.

Step 8: After completing all the steps, click the Discover now link on the schedule. Discovery will then bring in all the certificates.


Thanks,

Thiyagu
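Added example (not part of the original post and not ServiceNow's pattern code): a small Python helper that does two things a practitioner wants before wiring up the patterns above. First, plan_offsets() works out the start_offset windows of steps 6 and 7 for a given request ID range and per-pattern limit (20,000 as stated in the post; the smaller limits discussed in the comments are just a different value of the same parameter). Second, parse_certutil_csv() parses the CSV that `certutil -view csv` produces on the CA, derives the fingerprint attribute from the Certificate Hash column and flags rows that cannot be identified because the hash is empty or the request is not in an issued state. The column names, disposition wording and the sample CSV are constructed for this example and are assumptions, not output captured from a real CA.

```python
"""Plan start_offset windows and sanity-check certutil CSV output.

Added example, not code from the original post or from ServiceNow.
Column names and sample data below are assumptions, not real CA output.
"""
import csv
import io

DEFAULT_LIMIT = 20_000  # per-pattern ceiling stated in the post


def plan_offsets(first_request_id, last_request_id, limit=DEFAULT_LIMIT):
    """Return (start_offset, end_offset) windows covering the request ID range.

    Each window corresponds to one serverless execution pattern on the
    schedule; the first element of each tuple is the start_offset to enter.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    if last_request_id < first_request_id:
        raise ValueError("request ID range is empty")
    windows = []
    start = first_request_id
    while start <= last_request_id:
        end = min(start + limit - 1, last_request_id)
        windows.append((start, end))
        start = end + 1
    return windows


def fingerprint_from_hash(cert_hash):
    """Normalise a certutil-style hash ("ab cd ef ...") to contiguous upper-case hex.

    Accepts SHA-1 (40 hex digits) or SHA-256 (64 hex digits); anything else
    (including an empty column) yields None, i.e. no usable fingerprint.
    """
    hexstr = cert_hash.replace(" ", "").strip().upper()
    if len(hexstr) not in (40, 64):
        return None
    if any(c not in "0123456789ABCDEF" for c in hexstr):
        return None
    return hexstr


def parse_certutil_csv(text, templates=None):
    """Parse `certutil -view csv` output (assumed column names).

    Returns (usable, problems): usable rows get a 'fingerprint' key added;
    problems is a list of (request_id, reason) for rows that would fail
    CMDB identification or are not issued certificates. If templates is
    given, rows whose template is not in it are skipped (template_list).
    """
    usable, problems = [], []
    for row in csv.DictReader(io.StringIO(text)):
        rid = row.get("Request ID", "").strip()
        if templates is not None and row.get("Certificate Template", "") not in templates:
            continue
        fp = fingerprint_from_hash(row.get("Certificate Hash", ""))
        if fp is None:
            problems.append((rid, "missing fingerprint"))
            continue
        disposition = row.get("Request Disposition", "").strip()
        if "issued" not in disposition.lower():
            problems.append((rid, f"disposition '{disposition}' is not Issued"))
            continue
        row["fingerprint"] = fp
        usable.append(row)
    return usable, problems


# Constructed sample: one good row, one with an empty hash, one revoked.
SAMPLE_CSV = """\
"Request ID","Certificate Template","Certificate Hash","Request Disposition","Serial Number"
"40010","WebServer","0e 2f 6b 1a 9c 3d 44 55 66 77 88 99 aa bb cc dd ee ff 00 11","Issued","1a0000000f"
"40011","WebServer","","Issued","1a00000010"
"40012","User","5a 5b 5c 5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d","Revoked","1a00000011"
"""


if __name__ == "__main__":
    for start, end in plan_offsets(40010, 62350):
        print(f"pattern with start_offset={start} covers request IDs {start}-{end}")
    usable, problems = parse_certutil_csv(SAMPLE_CSV)
    for row in usable:
        print(row["Request ID"], row["fingerprint"])
    for rid, reason in problems:
        print(f"request {rid} skipped: {reason}")
```

Run it on the CA host (or wherever the MID server's Windows credential lets you run certutil) after saving real `certutil ... -view csv` output to a file; rows reported as "missing fingerprint" are the ones that surface later as "Required attribute fingerprint is missing for CI Type cmdb_ci_certificate", and the window list tells you how many execution patterns the schedule needs.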


Comments
abhishek113
Tera Contributor

Hi Thiyagu,

 

I am getting an error while running Certificate Discovery. Please help here.

Getting the below error while running the discovery schedule "Certificate Discovery":



Identification sections in pattern failed: section: MS CA ID, error: JAVASCRIPT_CODE_FAILURE: Caused by error in Ad hoc script 'EvalClosure-Run certutil command per template/All' at line 13\n\n 10: \t\t\t\t\t\t\t\tif (templateArry.equals('All'))\n

 

 

thiyagu_j
ServiceNow Employee

Can you please give me the screenshot of discovery schedule which you have created?

thiyagu_j
ServiceNow Employee

Can you please share a screenshot of the discovery schedule you created and of the pattern added to the schedule?

abhishek113
Tera Contributor

(screenshots attached)

Andrzej Krawcz1
Kilo Contributor

Hi Abhishek,

Check whether you have the correct credentials for the machine.
You can see that in the pattern logs (screenshot attached).

shivareddy
Tera Contributor

Hi Abhishek

I have followed the same process for discovery of certificates from Microsoft Certificate Authority, but I am facing an error:

Error: Identification Engine: Discovery status is FAILURE, Required attribute fingerprint is missing for CI Type cmdb_ci_certificate

 

Could you please help on this 

shivareddy
Tera Contributor

Hi Andrzej 


I am getting the same error as you shared above in the screenshot, so where (discovery_credentials) and which type of credentials (Windows or any other) do we need to set up for this configuration?

Thanks 
Shiva Reddy

 

thiyagu_j
ServiceNow Employee

Hi Shivareddy,

    This issue occurs when no certificates are discovered during the discovery. If you need help, please create a CASE TASK so that you get assistance.

Thanks,

Thiyagu

BhupeshG
Tera Guru

Hi Thiyagu

 

We are getting an issue: even though I have increased the discovery max log size property to 100000, we still get

Result is larger than 1000 characters and was truncated by the logger

Can you please advise?

BhupeshG
Tera Guru

Can we reduce the pagination, e.g. 0-5000 and then 5000-10000?

 

My CA discovery is less than 20k certs, but the payload returned is 30 MB

 

and ServiceNow threw an exception and was unable to process it.

thiyagu_j
ServiceNow Employee

Yes, we can do it.

BhupeshG
Tera Guru

How? Can you please advise.

What setting do we need to change?

Adam Peterson
Kilo Sage

I am trying to get this set up but am having a difficult time. This tells me to select Serverless in the Discover field, but the Docs tell me to select Certificates. I've tried both but am still coming up with errors. Do you guys put in Credentials anywhere for this integration? Thanks!

BhupeshG
Tera Guru

This is serverless only.

It uses Windows credentials just like any other discovery. Check the discovery log and take action accordingly.

 

 

The SN Nerd
Giga Sage

I had to add the server as a proxy host as per this work instruction

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1096137

This is missing from all the documentation...

jay_rp
Tera Contributor

We have close to 75K certs in the CA. Every time I run the discovery, it pulls 2500 to 2800 unique certs, but not all at once. Is there a specific reason? I am using 6 different patterns with a 20K limit on each, as mentioned above.

thiyagu_j
ServiceNow Employee

This may be due to the root and intermediate certs being the same.

thiyagu_j
ServiceNow Employee

And also check the status of the certificate.

jay_rp
Tera Contributor

Thanks for your assistance @thiyagu_j. I verified our CA server and validated that we have close to 22K certificates in the issued state. The request IDs for the issued certs run from 40010 to 62350. I created two serverless execution patterns, one from 40K to 60K and another from 60001 to 70000, as my request IDs would get discovered within this range. Both patterns have the proxy host defined, with start_offset, template_list and IP address as the parameters.

On execution the two pattern logs are very different. The 60K pattern is at least attempting to scan through the request IDs from 60001 as specified, but the 40K pattern is different altogether. I have attached screenshots of the pattern logs here, and my executions discovered just 2700 certs out of the 20K certs that exist. Any inputs here would be great.

 

60K pattern log: (screenshot attached)

40K pattern log: (screenshot attached)

 

Madhan Nagolu
Tera Contributor

Hi Thiyagu,

 

I did similar to your setup but we are getting "Certificate table is empty , Pattern name: MicroSoft CA - Certificate Management, To Check Pattern Log Press Here "

 

MadhanNagolu_1-1695308690876.png

Error message from Mid server log :

2023-09-20T14:45:25.759-0500 WARN (ExecutorThread:Worker-Standard:HorizontalDiscoveryProbe-6bff49df97953d502146bcbe2153af9a) [RemotePowerShellSession:400] Hostname null does not resolve to original IP
2023-09-20T14:45:25.852-0500 ERROR (Worker-Standard:HorizontalDiscoveryProbe-6bff49df97953d502146bcbe2153af9a) [APowerShellProvider:303] (112)APowerShellProvider - Error during execution of Windows command: executeCommand -Command 'certutil -restrict \"certificatetemplate=1.*.*.***.*.*.*.*\" -gmt -out NotAfter,NotBefore,SerialNumber,PublicKeyAlgorithm,SubjectKeyIdentifier,Organization,OrgUnit,CommonName,State,Locality,EMail,Country,DistinguishedName,certificatetemplate,CertificateHash,disposition,RequestAttributes -seconds -view csv' -TimeoutSec 1200
java.util.concurrent.ExecutionException: com.snc.automation_common.integration.exceptions.AuthenticationFailedException: Target is blacklisted. No valid credential found for type [Windows]

Any help is appreciated.

thiyagu_j
ServiceNow Employee

it seems like configuration is wrong. Can you please check the credentials?

thiyagu_j
ServiceNow Employee

@jay_rp can you please create a TASK so that our team can debug and fix the issue.

Vani14
Tera Contributor

@thiyagu_j  
I have followed the same process for discovery of certificates from Microsoft Certificate Authority, but I am getting the error

Discovery status is FAILURE, Required attribute fingerprint is missing for CI Type cmdb_ci_certificate

could you please help me on this

 

Madhan N
Tera Explorer

@thiyagu_j 

 

I'm able to discover some certs but also receiving below error.

 

Discovery Log


2023-10-17 18:43:18: Task is running on MID server w12345678-support
2023-10-17 18:43:57: setAttribute(cmdb_ci_certificate,[{}])
2023-10-17 16:48:01: The mid log size is reached the max limit of field size - 4096000
Check Processing Success
2023-10-17 16:48:01: Identification Engine: Discovery status is FAILURE, Identification sections in pattern failed: section: MS CA ID, error: MID Server received a large response that exceed the allowed number of rows 2,000,000..


and 

Discovery log is too large and could not be saved. Log length: 21733502, Max length: 4096000.

jay_rp
Tera Contributor

Fixed the above error by limiting the number of certificates through the set limit parameter to 2000. You need to create multiple patterns, each limiting the scope of discovery; the value varies based on your certificate length. Ideally you can start with a lower number and find the appropriate limit for your environment.

Madhan N
Tera Explorer

@jay_rp 

 

Thank you for the response Jay,

 

Reduced each pattern to a 2000 limit and am able to discover most of the certs.
I'm also getting '<error>Unable to process the payload with error message Request body exceeded max allowed content length
Contents of the original payload were moved to D:MIDServeragentworkmonitorsECCSenderoutput_errorecc_queue.087c432047a6f15451a34b09736d1a4b.page_1.xml on the MID server.</error>'

I increased the size of mid.eccq.max_payload_size and that stopped the error 'Payload size of 79672844 bytes exceeded maximum of 20000000 bytes.', but I am still getting the above error.

Sanaya1
Tera Contributor

Hello @thiyagu_j,

I am also facing an issue while discovering the certificates from MS CA. Could you please suggest? (screenshot attached)

 

Adriano4
Tera Contributor

Hello, when I'm trying to discover the certificates I'm not getting results from the WMI commands:

2024-12-23 15:52:57: Executing WMI command on host: <CA-HOST-IP>, command: tasklist /SVC | findstr /I certsrv
2024-12-23 15:53:01: Command result:
2024-12-23 15:53:01: Execution time: 4432 ms

 

Debugging directly from the pattern, I tried simpler WMI commands like tasklist only or ipconfig but there's no result.
When I target another host, in the same network, same domain, same domain credentials, I got success.

Any idea about what can be causing the failure in the CA Host?

Thanks!

Version history
Last update:
‎06-14-2021 11:11 PM