Automating Incident Creation Based on Certificate Expiry in ITOM Visibility

Hari S1
Tera Contributor

Hi, 

We've installed the Certificate Inventory and Management ITOM Visibility plugin and need to set up automatic incident creation 20 days before a certificate expires. How can I configure incident tickets to be created based on certificate expiry? Additionally, how can I identify where all the certificates are stored?

 

 

Thanks


Selva Arun
Mega Sage

Hi Hari,

 

You can automate incident creation for expiring certificates in ITOM Visibility using the Certificate Inventory and Management plugin. There are two primary ways to create incidents for expiring certificates:


1. Using the Discovery Property

ServiceNow has a built-in property:
glide.discovery.certs.enable_incident_creation_for_expired_certificates

  • The "Certificate Notification" scheduled job runs daily and triggers the "CertificateTaskNotifier" script include.
  • This executes the "Certificate Notification" Subflow.
  • If a certificate is expired or nearing expiration, and the property above is set to true, an incident will be created (if one doesn’t already exist for that certificate CI).

👉 You can check the system property here:
🔗 [System Property - glide.discovery.certs.enable_incident_creation_for_expired_certificates]
https://<instance-name>.service-now.com/nav_to.do?uri=sys_properties.do?sys_id=a16442523b6233000fd4cedf34efc484

👉 Check the scheduled job:
🔗 [Certificate Notification Job]
https://<instance-name>.service-now.com/nav_to.do?uri=sys_trigger.do?sys_id=12618c981b3ff81038c05240604bcb17

👉 Review the script include:
🔗 [CertificateTaskNotifier Script Include]
https://<instance-name>.service-now.com/sys_script_include.do?sys_id=c2da33fb5b330010fadbd643b881c717


2. Using the Scheduled Job "Certificate Event Notification"

  • This job runs daily and checks for expired or soon-to-expire certificates (within the next 60 days) in the cmdb_ci_certificate table.
  • If such certificates are found, the job creates events, which then trigger alerts and incidents.

👉 Check the scheduled job here:
🔗 [Certificate Event Notification Job]
https://<instance-name>.service-now.com/nav_to.do?uri=sys_trigger.do?sys_id=9a618c981b3ff81038c05240604bcb13

👉 Related Event Rule:
🔗 [Certificate Expired/Expiring Events Rule]
https://<instance-name>.service-now.com/nav_to.do?uri=em_match_rule.do?sys_id=27adfbd1c74f401005e626b1c7c260be


How to Store and Identify Certificates in ServiceNow?

  • All certificates are stored in the cmdb_ci_certificate table in the CMDB.
  • You can view them by navigating to:
    CMDB > Certificates > All Certificates

Alternatively, you can use this direct link:
🔗 [View Certificates]
https://<instance-name>.service-now.com/nav_to.do?uri=cmdb_ci_certificate_list.do


Next Steps

  • To automate incident creation 20 days before expiry, modify the logic in the Certificate Event Notification Job to trigger events/incidents at 20 days instead of 60.
  • Verify that the system property glide.discovery.certs.enable_incident_creation_for_expired_certificates is set to true to enable automatic incident creation.
  • Also, you can modify the subflow:

Steps to Modify the Flow for 20 Days Before Expiry

1. Identify the Flow or Subflow Used for Notification

  • Navigate to Flow Designer:
    • Go to All > Flow Designer
    • Search for the flow "Certificate Notification"
    • Open the flow to edit it

Alternatively, you can edit the existing subflow directly:

2. Copy the OOB Subflow (if needed)

  • The existing OOB subflow can be copied for customization.
  • Click "Copy" to create a new copy of the subflow.
  • Modify the copied subflow according to your requirements.

3. Locate the Expiry Condition

  • Inside the subflow, find the step where it checks the expiry date of the certificate.
  • The condition will likely check for expiry within 60 days. Modify it to check for 20 days before expiry.

Example Condition Update:

[Certificate Expiry Date] [is on or before] [Today + 20 days]

If using a script in the script include (e.g., CertificateTaskNotifier), update the condition as follows:

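// certRecord is the certificate record being evaluated
var expiryDate = new GlideDateTime(certRecord.expiry_date);

// Cutoff = current date/time plus 20 days (UTC)
var cutoff = new GlideDateTime();
cutoff.addDaysUTC(20);  // Change from 60 to 20 days

// True for certificates that have already expired or expire before the cutoff
if (expiryDate.before(cutoff)) {
    createIncident(certRecord);
}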

4. Save and Publish the Flow

  • After making the necessary changes, Save and Publish the subflow.
  • Ensure the subflow is active and connected to the appropriate flow.

5. Test the Changes

  • Run a test with a certificate that is expiring in less than 20 days to confirm that the incident is created.
  • Check Flow Executions and System Logs for errors if the incident is not being created.

Additional Checkpoints

  1. Scheduled Job Validation

    • If the notification is triggered via the "Certificate Event Notification" scheduled job, verify that it is checking for 20 days instead of 60.
    • Modify the job's script if necessary.
  2. Incident Creation Property

    • Ensure glide.discovery.certs.enable_incident_creation_for_expired_certificates is enabled (true).

 

If you believe the solution provided has adequately addressed your query, could you please **mark it as 'Helpful'** and **'Accept it as a Solution'**? This will help other community members who might have the same question find the answer more easily.

 

Thank you for your consideration.

Selva Arun
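
The daily check described in this answer, modelled in plain JavaScript outside ServiceNow as an added example (not part of the original reply and not the plugin's code). The record shape, function names and sample data are assumptions; it shows the inclusive 20-day cutoff, the one-incident-per-certificate-CI rule, and certificates with no usable expiry date being routed to review instead of silently skipped.

```javascript
// Added example: plain-JavaScript model of the daily expiry check (not ServiceNow code).
const DAY_MS = 24 * 60 * 60 * 1000;

// Decide what the daily job should do for one certificate.
// cert: { ci, validTo } - hypothetical record shape; validTo is an ISO-8601 UTC string.
// openIncidentCis: Set of certificate CI ids that already have an open incident.
function classify(cert, now, thresholdDays, openIncidentCis) {
  const expiry = Date.parse(cert.validTo);
  // A certificate without a usable expiry date must not drop out of monitoring.
  if (Number.isNaN(expiry)) return 'review';
  // "is on or before Today + N days": the cutoff itself is included.
  const cutoff = now.getTime() + thresholdDays * DAY_MS;
  if (expiry > cutoff) return 'none';
  // Already expired or inside the window: at most one incident per certificate CI.
  return openIncidentCis.has(cert.ci) ? 'existing' : 'incident';
}

// Run the check over all certificates and group CI ids by outcome.
function runDailyCheck(certs, now, thresholdDays, openIncidentCis) {
  const seen = new Set(openIncidentCis); // copy so the caller's set is not mutated
  const result = { incident: [], existing: [], review: [], none: [] };
  for (const cert of certs) {
    const action = classify(cert, now, thresholdDays, seen);
    result[action].push(cert.ci);
    if (action === 'incident') seen.add(cert.ci); // a repeated CI in one run is not re-raised
  }
  return result;
}

// Constructed sample data (not from a real instance).
const NOW = new Date('2025-03-01T00:00:00Z');
const SAMPLE_CERTS = [
  { ci: 'cert-expired', validTo: '2025-02-10T00:00:00Z' },      // already expired
  { ci: 'cert-10d', validTo: '2025-03-11T00:00:00Z' },          // 10 days left
  { ci: 'cert-20d-exact', validTo: '2025-03-21T00:00:00Z' },    // exactly on the cutoff
  { ci: 'cert-45d', validTo: '2025-04-15T00:00:00Z' },          // outside 20, inside 60
  { ci: 'cert-has-incident', validTo: '2025-03-05T00:00:00Z' }, // incident already open
  { ci: 'cert-no-date', validTo: '' },                          // expiry never populated
];

console.log(runDailyCheck(SAMPLE_CERTS, NOW, 20, new Set(['cert-has-incident'])));
```

With the threshold set to 60 instead of 20, `cert-45d` moves from `none` to `incident`, which is the behavioural difference between the two windows discussed above.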

 

Hi @Selva Arun ,

We are creating a Task ticket 60 days before the certificate expiry. However, we also want to create an incident ticket 20 days before the expiry if the task is not closed by that time. If the task is not closed within 20 days, we will create an incident. I believe the property below and process you have mentioned is different, right?

 

HariS1_2-1740671396054.png