
Swapna Abburi

In this article, I share my experience configuring the Certificate Inventory Management (CIM) module in ServiceNow, the challenges faced during discovery, and practical approaches that worked. If you’re planning to implement CIM, these insights will help you anticipate potential hurdles and plan effectively.

 

What is CIM and Why It Matters?

CIM, part of the ITOM suite, helps organizations manage the inventory and lifecycle of TLS/SSL certificates. Expired certificates often lead to unexpected outages, and manual tracking is both time-consuming and error-prone. CIM provides:

 

  • Real-time visibility into certificates nearing expiry
  • Automated renewal workflows to prevent downtime
  • Centralized inventory management for TLS/SSL certificates

Key Considerations

To establish a complete CIM process, we need to ingest the existing certificate inventory into ServiceNow with all the required details and relationships.

  1. Certificate Discovery

    • Identify existing certificates, their validity, and hosting locations (servers or network devices).
    • Ensure certificates have valid relationships with Configuration Items (CIs) for ownership and support details.

  2. Impact Analysis

    • Understand which applications depend on each certificate.
    • Maintain service modeling in the CMDB for accurate dependency mapping.

 

There were several approaches to discover certificates.

[Image: overview of the certificate discovery approaches]

We started with the port scan approach by enabling the TLS/SSL port probe, which automatically started capturing TLS certificates in the next horizontal discovery schedules.

[Image: TLS/SSL port probe configuration]

Discovered certificates are stored in the Unique Certificate table (cmdb_ci_certificate), with relationships to the hosting CIs maintained in the CMDB. The relationship records are stored in the cmdb_rel_ci table with the Used by::Uses relationship type.

 

Challenges Faced During Discovery

  1. Incomplete Discovery

    • Some certificates were missing compared to the local inventory.
    • Common errors included:
      • SSLHandshakeException: non-compatible TLS protocol (e.g., TLS 1.0 vs. TLS 1.2)
      • IOException: connection forcibly closed
      • SSLException: unrecognized SSL message

    We had to spend time analyzing ECC queue logs for root causes.

  2. CI Discovery Issues

    • In some cases, CIs themselves were not discovered, hence no certificates were captured.

So, we were not able to achieve 100% discovery with this approach.

 

The following alternate methods were tried:

  • URL scan: added certificate URLs to the cmdb_ci_endpoint_http table, but results were inconsistent with this approach too.
  • Microsoft CA integration: discovered certificates but lacked CI relationships.

Final Strategy

We adopted a hybrid approach:

  • Automated discovery where possible
  • Manual import for missing certificates
  • Ownership details of each certificate updated from its related CIs or service owners; where no CI relationship exists, ownership information is maintained manually.
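The reconciliation behind this hybrid approach can be scripted. The example below is added here and is not ServiceNow's or the author's code: it works over constructed in-memory rows standing in for cmdb_ci_certificate, a CI table and cmdb_rel_ci (in an instance these would come from GlideRecord queries), flags certificates nearing expiry, derives ownership from the support group of the hosting CI reached through a Used by::Uses relationship, marks certificates with no such relationship for manual ownership, and lists certificates present in a local inventory but absent from discovery. It assumes CIM stores the certificate as the parent ("Used by") and the hosting CI as the child ("Uses"); the host, serial and group values are made up.

```javascript
// Added example, not ServiceNow or the author's code. The arrays below are
// constructed stand-ins for cmdb_ci_certificate, a CI table and cmdb_rel_ci.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed certificate rows (not real certificates).
const cmdb_ci_certificate = [
  { sys_id: "cert01", name: "web.example.test", serial_number: "0A:1B", valid_to: "2025-02-10" },
  { sys_id: "cert02", name: "api.example.test", serial_number: "0C2D", valid_to: "2025-06-30" },
  { sys_id: "cert03", name: "vpn.example.test", serial_number: "0e3f", valid_to: "2025-01-25" },
];

// Constructed hosting CIs with their support groups.
const cmdb_ci = [
  { sys_id: "srv01", name: "web01", support_group: "Web Platform" },
  { sys_id: "srv02", name: "api01", support_group: "API Team" },
];

// Assumption: the certificate is the parent ("Used by") and the hosting CI the
// child ("Uses"). Swap parent/child if your instance records it the other way.
const cmdb_rel_ci = [
  { parent: "cert01", child: "srv01", type: "Used by::Uses" },
  { parent: "cert02", child: "srv02", type: "Used by::Uses" },
  { parent: "cert02", child: "srv01", type: "Depends on::Used by" }, // not a hosting relation
];

// Constructed local inventory, e.g. an export from a CA or a spreadsheet.
const localInventory = [
  { serial_number: "0A1B", common_name: "web.example.test" },
  { serial_number: "0C2D", common_name: "api.example.test" },
  { serial_number: "0E3F", common_name: "vpn.example.test" },
  { serial_number: "1111", common_name: "legacy.example.test" },
];

// Serial numbers arrive in many spellings (colons, case); normalise before comparing.
function normalizeSerial(s) {
  return String(s).replace(/[^0-9a-fA-F]/g, "").toUpperCase();
}

// Whole days from `today` to the certificate's valid_to date (both ISO dates, UTC).
function daysUntil(validTo, today) {
  return Math.floor((Date.parse(validTo) - Date.parse(today)) / MS_PER_DAY);
}

// Hosting CIs of one certificate, following only Used by::Uses relationships.
function hostingCIs(certSysId, rels, cis) {
  const ciById = new Map(cis.map((ci) => [ci.sys_id, ci]));
  return rels
    .filter((r) => r.type === "Used by::Uses" && r.parent === certSysId)
    .map((r) => ciById.get(r.child))
    .filter(Boolean);
}

// One row per certificate: expiry status, hosts, and where ownership comes from
// ("ci" when every host agrees on a support group, "manual" when no host is known).
function buildReport(certs, cis, rels, today, warnDays) {
  return certs.map((cert) => {
    const hosts = hostingCIs(cert.sys_id, rels, cis);
    const groups = [...new Set(hosts.map((h) => h.support_group))];
    const daysLeft = daysUntil(cert.valid_to, today);
    return {
      name: cert.name,
      daysLeft,
      expiring: daysLeft <= warnDays,
      hosts: hosts.map((h) => h.name),
      owner: groups.length === 1 ? groups[0] : null,
      ownerSource: groups.length === 1 ? "ci" : groups.length > 1 ? "conflict" : "manual",
    };
  });
}

// Certificates present in the local inventory but absent from discovery,
// matched on the normalised serial number.
function missingFromDiscovery(local, discovered) {
  const seen = new Set(discovered.map((c) => normalizeSerial(c.serial_number)));
  return local
    .filter((c) => !seen.has(normalizeSerial(c.serial_number)))
    .map((c) => c.common_name);
}

const report = buildReport(cmdb_ci_certificate, cmdb_ci, cmdb_rel_ci, "2025-01-01", 30);
console.log(JSON.stringify(report, null, 2));
console.log("Missing from discovery:", missingFromDiscovery(localInventory, cmdb_ci_certificate));
```

Rows with ownerSource "manual" are the ones the final strategy hands to a person; the "conflict" case (hosts in different support groups) is worth surfacing too, since a single certificate served from several teams' CIs needs an explicit owner decision rather than a guess.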

 

Conclusion
I hope these insights and challenges help those planning to implement Certificate Inventory Management (CIM) in ServiceNow. Understanding these details upfront will allow you to assess potential roadblocks and design a more effective implementation strategy.

 

Feel free to share your experiences, lessons learned, or success stories with CIM in the comments. I would love to hear how others approached this journey!
