
Swapna Abburi
Mega Sage

In this article, I share my experience configuring the Certificate Inventory Management (CIM) module in ServiceNow, the challenges faced during discovery, and practical approaches that worked. If you’re planning to implement CIM, these insights will help you anticipate potential hurdles and plan effectively.

 

What Is CIM and Why Does It Matter?

CIM, part of the ServiceNow ITOM suite, helps organizations manage the inventory and lifecycle of TLS/SSL certificates. Expired certificates often lead to unexpected outages, and manual tracking is both time-consuming and error-prone. CIM provides:

 

  • Real-time visibility into certificates nearing expiry
  • Automated renewal workflows to prevent downtime
  • Centralized inventory management for TLS/SSL certificates

Key Considerations

To establish a complete CIM process, we need to ingest the existing certificate inventory into ServiceNow with all the required details and relationships.

  1. Certificate Discovery

    • Identify existing certificates, their validity, and hosting locations (servers or network devices).
    • Ensure certificates have valid relationships with Configuration Items (CIs) for ownership and support details.
  2. Impact Analysis

    • Understand which applications depend on each certificate.
    • Maintain service modeling in CMDB for accurate dependency mapping.

 

There are several approaches to discovering certificates:

 

[Figure: comparison of the TLS certificate discovery approaches (SwapnaAbburi_1-1763927481846.png)]

 

We started with the port-scan approach by enabling the TLS/SSL port probe, after which TLS certificates were captured automatically in the next horizontal discovery schedules.

[Figure: enabling the TLS/SSL port probe (SwapnaAbburi_0-1763926635896.png)]

 

Discovered certificates were stored in the Unique Certificate table (cmdb_ci_certificate), with relationships to the hosting CIs maintained in the CMDB. The relationship itself is stored in the cmdb_rel_ci table with the Used by::Uses relationship type.

 

Challenges Faced During Discovery

  1. Incomplete Discovery

    • Some certificates were missing compared to our local inventory.
    • Common errors included:
      • SSLHandshakeException: incompatible TLS protocol version (e.g., TLS10 vs TLS12), i.e. the endpoint and the probe do not share an enabled protocol version
      • IOException: connection forcibly closed by the remote host
      • SSLException: unrecognized SSL message, which typically means the port answered with non-TLS data

    We had to spend time analyzing ECC queue logs to find the root causes.

  2. CI Discovery Issues

    • In some cases, CIs themselves were not discovered, hence no certificates were captured.

So, we were not able to achieve 100% discovery with this approach.
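To make that ECC queue analysis repeatable, here is an added example (my own script, not code from the article or from the CIM product) that buckets probe error messages by root cause and attaches a suggested next action. The records are constructed to mirror the three error classes listed above using the usual Java JSSE wording; the host names, ports and messages are made up, and the next actions are my reading of those errors rather than product guidance.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: host, port and the error text seen in the ECC queue
# output of a TLS/SSL port probe. Wording follows Java JSSE messages, but every
# record here is made up for this example.
SAMPLE_ECC_ERRORS = [
    ("legacy-app01.example.internal", 443,
     "javax.net.ssl.SSLHandshakeException: The server selected protocol version "
     "TLS10 is not accepted by client preferences [TLS12]"),
    ("ldap01.example.internal", 636,
     "java.io.IOException: An existing connection was forcibly closed by the remote host"),
    ("mgmt-sw03.example.internal", 8443,
     "javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?"),
    ("db02.example.internal", 1433,
     "java.net.SocketException: Connection reset"),
    ("api-gw.example.internal", 443,
     "javax.net.ssl.SSLHandshakeException: The server selected protocol version "
     "TLS11 is not accepted by client preferences [TLS12, TLS13]"),
    ("oddbox.example.internal", 9443,
     "java.util.concurrent.TimeoutException: probe timed out"),
]

# Ordered rules: first match wins. Each maps a regex to a root-cause bucket.
RULES = [
    ("protocol_mismatch",
     re.compile(r"selected protocol version (?P<server>TLS\w+) is not accepted by "
                r"client preferences \[(?P<client>[^\]]+)\]")),
    ("connection_reset",
     re.compile(r"forcibly closed|Connection reset", re.IGNORECASE)),
    ("not_tls",
     re.compile(r"Unrecognized SSL message", re.IGNORECASE)),
]

# Suggested handling per bucket: my interpretation of these errors, not product guidance.
NEXT_ACTION = {
    "protocol_mismatch": "Endpoint only offers a TLS version the probe does not enable; "
                         "fix the endpoint's TLS settings or import its certificate manually.",
    "connection_reset": "Endpoint or an intermediate device drops the probe; check "
                        "firewall/IPS rules from the MID Server and re-run discovery.",
    "not_tls": "Port answered with non-TLS data; correct the port list or exclude this target.",
    "unknown": "Inspect the ECC queue payload by hand.",
}


def classify(message):
    """Return (bucket, detail) for one ECC queue error message."""
    for bucket, pattern in RULES:
        match = pattern.search(message)
        if match:
            detail = ""
            if bucket == "protocol_mismatch":
                detail = f"server={match.group('server')} client={match.group('client')}"
            return bucket, detail
    return "unknown", ""


def triage(errors):
    """Group (host, port, message) records by root-cause bucket."""
    grouped = defaultdict(list)
    for host, port, message in errors:
        bucket, detail = classify(message)
        grouped[bucket].append({"host": host, "port": port, "detail": detail})
    return dict(grouped)


def summarize(errors):
    """Count records per bucket; a simple KPI for how many targets still fail."""
    return Counter(classify(message)[0] for _, _, message in errors)


if __name__ == "__main__":
    for bucket, targets in triage(SAMPLE_ECC_ERRORS).items():
        print(f"{bucket} ({len(targets)}): {NEXT_ACTION[bucket]}")
        for target in targets:
            print(f"   {target['host']}:{target['port']} {target['detail']}")
```

Feeding the real ECC queue export through `triage` gives a per-bucket list of targets; the protocol_mismatch and unknown buckets are the usual candidates for the manual-import path described later.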

 

The following alternative methods were tried:

  • URL scan: we added certificate URLs to the cmdb_ci_endpoint_http table, but results were inconsistent with this approach too.
  • Microsoft Certificate Authority integration: this discovered the certificates but did not provide CI relationships.

Final Strategy

We adopted a hybrid approach:

  • Automated Discovery where possible
  • Manual Import for missing certificates
  • Ownership details on each certificate populated from the related CIs or service owners; where no CI relationship exists, ownership is maintained manually.
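As an added example of the hybrid approach (my own code, not from the article or from ServiceNow), the Python below works on exported rows of the tables named above and does two things: it derives certificate ownership from the hosting CI through the Used by::Uses relationship, falling back to a manually maintained owner list, and it reconciles a local inventory (such as a CA export) against what discovery captured so that the manual-import backlog is explicit and any expiring certificate with no CMDB record is called out. All sys_ids, hosts, people and dates are constructed; the relationship direction (certificate as parent, hosting CI as child) is an assumption to verify against your own discovery output.

```python
from datetime import datetime, timedelta

# Constructed sample data shaped like Table API exports of the tables the
# article names. Every sys_id, hostname, person and date here is made up.
DISCOVERED_CERTS = [  # cmdb_ci_certificate
    {"sys_id": "cert01", "name": "www.example.internal",
     "serial_number": "0A:1B:2C", "valid_to": "2025-03-15 00:00:00"},
    {"sys_id": "cert02", "name": "vpn.example.internal",
     "serial_number": "7f:8e:9d", "valid_to": "2025-12-01 00:00:00"},
    {"sys_id": "cert03", "name": "intranet.example.internal",
     "serial_number": "11:22:33", "valid_to": "2025-02-20 00:00:00"},
]
HOSTING_CIS = [  # cmdb_ci_server / network devices, only the fields used here
    {"sys_id": "srv01", "name": "web01", "support_group": "Web Platform", "owned_by": "a.lee"},
    {"sys_id": "srv02", "name": "fw01", "support_group": "Network Ops", "owned_by": "r.patel"},
]
# cmdb_rel_ci rows. Assumed direction: parent = certificate (Used by),
# child = hosting CI (Uses). Verify this against your own discovery output.
RELATIONSHIPS = [
    {"parent": "cert01", "child": "srv01", "type": "Used by::Uses"},
    {"parent": "cert02", "child": "srv02", "type": "Used by::Uses"},
]
# Local inventory (for instance a CA export) to reconcile against discovery.
LOCAL_INVENTORY = [
    {"subject": "www.example.internal", "serial": "0a1b2c", "valid_to": "2025-03-15 00:00:00"},
    {"subject": "vpn.example.internal", "serial": "7F8E9D", "valid_to": "2025-12-01 00:00:00"},
    {"subject": "intranet.example.internal", "serial": "112233", "valid_to": "2025-02-20 00:00:00"},
    {"subject": "legacy-app01.example.internal", "serial": "DEADBEEF", "valid_to": "2025-02-28 00:00:00"},
]
# Ownership kept by hand for certificates that have no CI relationship.
MANUAL_OWNERS = {"cert03": "intranet-team"}
# As-of date for the sample run (constructed).
AS_OF = datetime(2025, 2, 1)


def norm_serial(serial):
    """Serials arrive with or without colons, in mixed case, sometimes with a
    leading zero byte; compare on the bare hex digits."""
    return serial.replace(":", "").upper().lstrip("0") or "0"


def parse_glide_dt(value):
    """Table API date/time fields use 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def hosting_index(rels, cis, rel_type="Used by::Uses"):
    """Map certificate sys_id -> list of hosting CI records."""
    ci_by_id = {ci["sys_id"]: ci for ci in cis}
    index = {}
    for rel in rels:
        if rel["type"] == rel_type and rel["child"] in ci_by_id:
            index.setdefault(rel["parent"], []).append(ci_by_id[rel["child"]])
    return index


def assign_ownership(certs, rels, cis, manual_owners):
    """Owner comes from the hosting CI when a relationship exists, from the
    manual list otherwise; anything left is flagged for follow-up."""
    index = hosting_index(rels, cis)
    result = []
    for cert in certs:
        hosts = index.get(cert["sys_id"], [])
        if hosts:
            entry = {"source": "ci", "owner": hosts[0]["owned_by"],
                     "support_group": hosts[0]["support_group"],
                     "hosted_on": [h["name"] for h in hosts]}
        elif cert["sys_id"] in manual_owners:
            entry = {"source": "manual", "owner": manual_owners[cert["sys_id"]],
                     "support_group": None, "hosted_on": []}
        else:
            entry = {"source": "unassigned", "owner": None,
                     "support_group": None, "hosted_on": []}
        entry["cert"] = cert["name"]
        result.append(entry)
    return result


def reconcile(local, discovered, today, warn_days=30):
    """Local-inventory certificates that discovery never captured are the
    manual-import backlog. Flag those expiring inside the warning window:
    with no CMDB record, no renewal reminder will fire for them."""
    cutoff = today + timedelta(days=warn_days)
    known = {norm_serial(c["serial_number"]) for c in discovered}
    missing = [
        {"subject": item["subject"], "serial": item["serial"],
         "expires_in_window": parse_glide_dt(item["valid_to"]) <= cutoff}
        for item in local if norm_serial(item["serial"]) not in known
    ]
    expiring = sorted(c["name"] for c in discovered
                      if parse_glide_dt(c["valid_to"]) <= cutoff)
    return {"missing_from_cmdb": missing, "expiring_in_cmdb": expiring}


if __name__ == "__main__":
    for row in assign_ownership(DISCOVERED_CERTS, RELATIONSHIPS, HOSTING_CIS, MANUAL_OWNERS):
        print(row)
    print(reconcile(LOCAL_INVENTORY, DISCOVERED_CERTS, AS_OF))
```

Matching on the normalized serial number rather than the subject name is deliberate: renewed certificates keep the subject but change the serial, so a name match would hide a stale record. In a real run the `missing_from_cmdb` list becomes the import set, and the `unassigned` ownership rows are the ones that still need a manual owner.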

 

Conclusion
I hope these insights and challenges help those planning to implement Certificate Inventory Management (CIM) in ServiceNow. Understanding these details upfront will allow you to assess potential roadblocks and design a more effective implementation strategy.

 

Feel free to share your experiences, lessons learned, or success stories with CIM in the comments. I would love to hear how others approached this journey!

Comments
Dennis Trabandt
Tera Explorer

Hi,

Thanks for sharing your article — I’m currently working on the same topic, so this was genuinely interesting to read. I do have two pieces of feedback:

 

1. Visualization of the discovery approaches
The graphic comparing the different discovery methods is difficult to interpret in its current form. The internal ServiceNow discovery process visually dominates roughly two-thirds of the space, which unintentionally shifts the focus away from the actual comparison of the approaches. A more balanced layout, with clearer emphasis on the discovery variants themselves, would make the message clearer and easier to grasp.

 

2. Missing KPIs and measurable outcomes
In the section describing your final approach, I was expecting some concrete metrics. For example:

  • How significant was the overall improvement?
  • How many certificates still fail after the changes?
  • What turned out to be the primary driver of the issues you encountered?

Adding these numbers would provide valuable context for readers who are trying to evaluate or replicate the approach.

 

Cheers,
Dennis

Swapna Abburi
Mega Sage

Hi @Dennis Trabandt 

Thank you for your response. Regarding the several approaches available for TLS certificate discovery, the ServiceNow documentation and Learning university have details about how to configure each method. I will also share a detailed explanation of each method and the differences between them shortly.

 

Secondly, we started with the goal of ensuring that certificates are renewed on time, with automated reminder notifications to owners. Unfortunately, with the challenges I mentioned in my article and the CMDB data dependencies, it was not achievable with 100% automation. So we had to plan an automation + manual approach. We are still in the process of realizing its value.

 
