Manual Certificate CI Creation in ServiceNow!!

Selva Arun · ‎08-07-2025

Manual Certificate Configuration Item Creation in ServiceNow

A Complete Guide for ServiceNow Professionals

📋 Disclaimer and Purpose

This knowledge article is created to share practical experience and knowledge gained through hands-on work with ServiceNow certificate management. The intention is not to duplicate existing community work, but to contribute our real-world learnings and provide a comprehensive resource that combines best practices from various sources within the ServiceNow ecosystem.

This guide builds upon the excellent foundation provided by ServiceNow documentation and community contributions, adding practical insights from actual implementation scenarios.

📋 Version and Plugin Requirements

ServiceNow Version Compatibility:

This guide is based on ServiceNow versions Quebec and later
Field names and functionality may vary in older versions
Some features require specific family releases

Required Plugins:

Certificate Inventory and Management plugin must be activated
CMDB (Configuration Management Database) - typically enabled by default
Discovery plugin (if using automated discovery features)

⚠️ Instance-Specific Considerations:

Custom fields shown (e.g., u_environment) may need to be created in your instance
Assignment group configurations vary by organization
Relationship types might have different names in some implementations
Always test procedures in a development instance first

When Manual Certificate Creation is Needed
Understanding Certificate Relationships
Upstream vs Downstream Relationships Explained
Certificate Creation Methods Overview
Step-by-Step Manual Certificate Creation Process
Creating Certificate-Server Relationships
CMDB Relationship Management
Validation and Verification
Best Practices and Lessons Learned
Troubleshooting Common Issues
Advanced Scenarios
Integration with Other ServiceNow Modules
Conclusion

When Manual Certificate Creation is Needed

Common Scenarios Requiring Manual Creation:

🔒 Discovery Limitations:

Certificates on servers that cannot be scanned due to security restrictions
Internal Certificate Authorities not accessible to discovery tools
Code signing certificates that don't expose themselves on standard ports
Certificates behind firewalls or in isolated network segments

🏢 Organizational Requirements:

Change management processes requiring manual documentation
Compliance requirements for certificate inventory
Integration of certificates from acquisitions or mergers
Legacy systems with non-standard certificate implementations

🛠️ Technical Constraints:

Certificates in hardware security modules (HSMs)
Embedded certificates in applications or devices
Certificates that exist only in certificate stores without network exposure
Custom certificate implementations

Understanding Certificate Relationships

The Certificate Ecosystem

In ServiceNow, certificates don't exist in isolation. They're part of a complex ecosystem involving:

Certificate Authorities (CAs) - Who issued the certificate
Servers and Applications - Where certificates are installed/used
Dependencies - What relies on the certificate to function
Infrastructure - The underlying systems supporting the certificate

Key Relationship Types:

Issuer Relationships - Links to the CA that signed the certificate
Installation Relationships - Where the certificate is physically installed
Usage Relationships - What applications or services use the certificate
Dependency Relationships - What depends on this certificate to function

Upstream vs Downstream Relationships Explained

🏔️ Think of a Mountain River System

Imagine water flowing from a mountain peak down to the ocean:

Mountain → Stream → River → Lake → Ocean

Upstream = Higher up (toward the source)
Downstream = Lower down (toward the destination)

💧 The Flow Concept

Upstream:

Definition: What comes BEFORE you in the flow
Simple Rule: What you RECEIVE something FROM
In IT: What you DEPEND ON to function

Downstream:

Definition: What comes AFTER you in the flow
Simple Rule: What you GIVE something TO
In IT: What DEPENDS ON YOU to function

🖥️ Real-World IT Examples

Example 1: Website Loading

Internet → Web Server → Database → Storage

From Web Server's perspective:

Upstream: Internet, users making requests
Downstream: Database, storage systems

Example 2: Certificate Chain

Root CA → Intermediate CA → Server Certificate → Application

From Server Certificate's perspective:

Upstream: Intermediate CA (who signed it)
Downstream: Applications (who use it)

🔄 ServiceNow CMDB Relationships

"Depends On" = Looking Upstream ⬆️

Meaning: "I need this thing to work"
Direction: Points to what provides TO you
Example: Web Application depends on SSL Certificate

"Used By" = Looking Downstream ⬇️

Meaning: "This thing needs me to work"
Direction: Points to what receives FROM you
Example: SSL Certificate used by Web Application

"Runs On" = Physical Location 🏠

Meaning: "I am installed/hosted on this"
Example: Certificate runs on Server

🎯 Memory Tricks

Upstream = "UP" the mountain

Where things START
What you GET FROM
What you DEPEND ON

Downstream = "DOWN" the mountain

Where things GO TO
What you GIVE TO
What DEPENDS ON YOU

Certificate Creation Methods Overview

Method 1: Bulk Upload (Built-in ServiceNow Feature)

ServiceNow provides a built-in bulk upload feature for certificates that's useful for large-scale certificate inventory.

⚠️ Documentation Source Note:

The following information is sourced from official ServiceNow documentation (updated July 30, 2025) and community contributions. If you notice any inaccuracies or have corrections, please provide feedback - I'm open to modifications to ensure accuracy.

Version Requirements:

Certificate Inventory and Management version 1.2.0 and later
Release compatibility: Zurich, Yokohama, Xanadu, Washington DC
Capacity: Up to 5,000 certificates per .xlsx file

Role Requirements:

pki_user or pki_admin role required
Specific roles: sn_disco_certmgmt.pki_user or sn_disco_certmgmt.pki_admin

Detailed Steps for Bulk Upload:

Navigate to All > Certificate Management > Bulk Upload Certificates
Select "Download Template File (.xlsx)" to download sample_cmdb_ci_certificate.xlsx
Open the downloaded sample_cmdb_ci_certificate.xlsx file
Refer to sample values as a guide and populate certificate properties in corresponding columns
Ensure these mandatory columns are filled:
- root_issuer (fingerprint of root certificate)
- issuer (fingerprint of issuer certificate)
- subject_common_name
- issuer_common_name
- fingerprint
- issuer_distinguished_name
- subject_distinguished_name
- fingerprint_algorithm
- valid_to (epoch time in milliseconds)
- valid_from (epoch time in milliseconds)
- signature_algorithm
- key_size
- state (issued, installed, revoked, retired, or other)
Important for Certificate Chains:
- Each certificate must have its root certificate's fingerprint in root_issuer column
- Each certificate must have its issuer's fingerprint in issuer column
- For self-signed certificates, both root_issuer and issuer use the certificate's own fingerprint
Save the completed sample_cmdb_ci_certificate.xlsx file
Navigate to Certificate Management > Bulk Upload Certificates
Select Browse File and choose your completed file
Select Upload

When to Use Bulk Upload:

✅ Large number of certificates (50+ certificates)
✅ Basic inventory needs (certificate records only)
✅ Non-technical users (no scripting knowledge required)

⚠️ Important Limitations of Bulk Upload:

❌ Does NOT create server relationships
❌ Does NOT populate "Installed Certificates" tab
❌ Does NOT create CMDB relationships

Method 2: Manual/Script Creation (Comprehensive Approach)

When to Use Manual/Script Creation:

✅ Complete relationship management required
✅ "Installed Certificates" tab population needed
✅ CMDB relationships for impact analysis

Feature	Bulk Upload	Manual/Script
Certificate Records	✅	✅
Server Relationships	❌	✅
CMDB Relationships	❌	✅

Step-by-Step Manual Certificate Creation Process

Phase 1: Preparation and Information Gathering

Step 1.1: Collect Certificate Information

# Using OpenSSL to examine certificate files openssl x509 -in certificate.crt -text -noout # Using PowerShell on Windows Get-ChildItem Cert:\LocalMachine\My | Format-List *

Phase 2: ServiceNow Configuration

Step 2.1: Navigate to Certificate Table

Go to Configuration → Servers → Certificates
Or navigate to cmdb_ci_certificate table
Click New to create new certificate record

Step 2.2: Create Issuer CA (If Required)

// Sample CA creation fields name: "Internal-Root-CA" short_description: "Internal Root Certificate Authority" is_ca: true state: "issued"

Step 2.3: Create the Certificate Record

Mandatory Fields:

Name: Unique identifier (usually common name)
Short Description: Brief description of certificate purpose
State: issued/expired/revoked
Certificate Type: SSL/TLS, Code Signing, etc.

Subject Information:

Subject Common Name: Primary name on certificate
Subject Distinguished Name: Full DN string
Subject Organization: Organization name
Subject Alternative Names: Additional names (if applicable)

Issuer Information:

Issuer: Reference to issuer CA record
Root Issuer: Reference to root CA
Issuer Common Name: Issuer's common name
Issuer Distinguished Name: Full issuer DN

Management Fields:

Assignment Group: Responsible team
Renewal Tracking: How renewal is handled
Discovery Source: "Manual Entry"
Monitor: Enable/disable monitoring

Phase 3: Relationship Creation

Step 3.1: Certificate Management Relationships

// Table: sn_disco_certmgmt_cmdb_installed_certificate name: "Certificate Name installed on Server Name" certificate: [Reference to certificate record] server: [Reference to server CI] discovery_method: "Manual Entry"

Step 3.2: CMDB Relationships

// Table: cmdb_rel_ci parent: [Certificate sys_id] child: [Server sys_id] type: [Runs on relationship type]

Creating Certificate-Server Relationships

Understanding the Relationship Types

Installed Certificate Relationships: Certificate management and lifecycle tracking

CMDB Relationships: Configuration management and dependency mapping

// Function to create both relationship types function createCertificateRelationships(certSysId, serverSysId, certName, serverName) { // Create installed certificate relationship var installedGR = new GlideRecord('sn_disco_certmgmt_cmdb_installed_certificate'); installedGR.initialize(); installedGR.setValue('name', certName + ' installed on ' + serverName); installedGR.setValue('certificate', certSysId); installedGR.setValue('server', serverSysId); var installedSysId = installedGR.insert(); // Create CMDB relationship var relGR = new GlideRecord('cmdb_rel_ci'); relGR.initialize(); relGR.setValue('parent', certSysId); relGR.setValue('child', serverSysId); var cmdbRelSysId = relGR.insert(); return { installed_cert: installedSysId, cmdb_relationship: cmdbRelSysId }; }

Validation and Verification

Certificate Record Validation

Subject Information Complete: CN, DN, Organization populated
Issuer Relationship: Proper link to issuer CA
Validity Dates: Accurate from/to dates

// Validation script function validateCertificate(certSysId) { var cert = new GlideRecord('cmdb_ci_certificate'); if (cert.get(certSysId)) { var validation = { basic_info: !!(cert.name && cert.short_description), subject_info: !!(cert.subject_common_name), issuer_info: !!(cert.issuer && cert.issuer_common_name) }; return validation; } return null; }

Best Practices and Lessons Learned

Naming Conventions

Use consistent format: service.domain.com or svcaccount@domain.com
Include environment indicators: prod, test, dev

Data Quality Practices

Always populate subject DN completely
Include SAN information when present
Set accurate validity dates

Troubleshooting Common Issues

Issue: Duplicate Certificate Error

// Check for existing certificates var existing = new GlideRecord('cmdb_ci_certificate'); existing.addQuery('subject_common_name', commonName); existing.query(); if (existing.next()) { gs.info('Certificate already exists: ' + existing.getUniqueValue()); }

Issue: Server Not Found

// Multi-table server search function findServer(hostname) { var tables = ['cmdb_ci_server', 'cmdb_ci_win_server', 'cmdb_ci_linux_server']; for (var i = 0; i < tables.length; i++) { var serverGR = new GlideRecord(tables[i]); serverGR.addQuery('name', hostname); serverGR.query(); if (serverGR.next()) { return serverGR.getUniqueValue(); } } return null; }

Advanced Scenarios

Code Signing Certificates

// Code signing certificate creation certGR.setValue('service_type', 'code_signing'); certGR.setValue('request_type', 'code_signing_certificate'); certGR.setValue('key_usage', 'Digital Signature, Key Encipherment, Code Signing');

Wildcard Certificates

var sans = '*.domain.com, domain.com, app1.domain.com, app2.domain.com'; certGR.setValue('subject_alternative_names', sans);

Integration with Other ServiceNow Modules

Change Management

Link certificate creation to change requests
Include in change impact analysis

Incident Management

Relate certificate expiration incidents
Track certificate-related outages

Conclusion

Manual certificate creation in ServiceNow requires attention to detail and understanding of relationships, but when done properly, provides comprehensive visibility and management capabilities. The key is to:

Gather complete information before starting
Create proper relationships for full visibility
Follow consistent naming conventions
Validate all entries for accuracy
Document the process for compliance
Test relationship functionality

This guide represents practical experience gained through real implementations. While every environment is different, these principles and procedures should provide a solid foundation for successful manual certificate management in ServiceNow.

Additional Resources

ServiceNow Certificate Discovery Documentation
ServiceNow CMDB Relationship Management
Certificate Management Best Practices
PKI Integration Patterns

🤝 Community Contribution and Feedback

This article is contributed to the ServiceNow community based on real-world implementation experience and official ServiceNow documentation. The information provided is from my view and practical experience - if you think any information is incorrect, please let me know. I'm open to modifying it to ensure accuracy.

I encourage feedback, improvements, and additional use cases from the community to make this resource even more valuable.

Sources:

Official ServiceNow Documentation (Certificate Inventory and Management):Use bulk certificate upload
Real-world implementation experience
ServiceNow Community contributions (including insights from community members like Sohail Khilji)

Share your experiences and help improve this guide for everyone!

👍 Found This Helpful?

If you believe the solution provided has adequately addressed your query, could you please mark it as 'Helpful'. This will help other community members who might have the same question find the answer more easily.

Thank you for your consideration.

Siddiqbasha · ‎08-12-2025

Unable to upload certificate excel file..

facing this error * Cannot upload Servicenow Sample certificates. Please remove Servicenow sample certificates and retry uploading.

Siddiqbasha · ‎08-13-2025

While bulk upload certificate I'm facing error

*Cannot upload Servicenow Sample certificates. Please remove Servicenow sample certificates and retry uploading.