Certificate and inventory management discovery questions
05-12-2022 12:10 AM
Hello All,
We have enabled "Certificate and Inventory management" in ServiceNow.
Discovery has run smoothly and discovered many certificates as expected.
We have the below requirements/queries for which we need some advice.
1> Certificate discovery in AWS cloud - public IP ranges. We are discovering AWS virtual instances and OS using a cloud Service Account, and we are not sure how we will do IP-based discovery for certificates hosted in the cloud.
2> Filter out unwanted certificates, like those for printers, etc. > We do not want all the certificates which are being discovered, as many of them are not critical. We need certificates on servers, for example, and not on printers. Is there any way we can filter certificates out so that they are not discovered during scanning?
Looking forward to your valuable suggestions.
Regards,
Hanumant
05-13-2022 09:37 AM
Certificate discovery can happen with the below methods:
- TCP / IP port scanner
- URL
- CA Integrations : Entrust / Sectigo / Digicert / Microsoft CA / GoDaddy
- Load balancer – F5 SSH method
If you are running IP-based discovery in AWS, the certificate discovery method via port scanner should pick up the certs if you have port access from the MID to the target AWS VMs. Also, check out the AWS Certificate Manager spoke.
Discovery will always pick up the certificates which are visible in the network. You can use the "Renewal tracking" field and set "Do not create renewal tasks" to ignore the certificate expiry notifications for printers.
05-23-2022 07:52 AM
Hi Shree,
Thanks for the reply.
I will start from the end of your answer:
You mentioned not creating notifications/tasks for printers, but what if I don't want to discover such certificates, or does it have to happen as we are scanning ranges with the default certificate ports?
Secondly, I have the below questions:
1> If we decide to use URL for websites hosted on public IP addresses, what are the prerequisites we need to have in place (do we need credentials, a port to be opened between the MID and the URL, etc.)?
2> We need to raise tasks and assign them to a specific assignment group, so we need to populate the values of (support group/owner group) on the certificate table in the respective fields. Has anyone done this before? What are the best ways to achieve this, as the owner of the certificate has to be mapped for the task to be auto-assigned to the respective group?
Thanks!
Regards,
HM
05-24-2022 04:33 AM
Any ideas here?
I see that populating data from the related CI based on the cmdb_ci_rel table doesn't look to be a healthy option for this.
How do you guys manage the owner group/support group data on certificates, so the task is assigned to the respective groups?
Regards,
Hanumant