Randheer Singh
ServiceNow Employee

Mutual TLS in Flow Designer: Using Protocol Profiles with the Connection & Credentials Framework

Mutual TLS (mTLS) is one of the most common ways customers secure high-trust outbound integrations — banking APIs, regulated SaaS endpoints, internal partner services. If you've configured it on the Now Platform before, you've likely used a Protocol Profile bound to a classic REST Message or SOAP Message record.

What often gets missed: the same Protocol Profile mechanism plugs cleanly into the Connection & Credentials framework. That means your Flow Designer REST step and SOAP step can use mTLS without custom scripting and without duplicating configuration.

This post walks through the end-to-end setup, so you can wire a Flow Designer REST or SOAP step to a mutually authenticated endpoint the supported way.

What you're actually configuring

mTLS adds a second leg to the standard TLS handshake: the server presents its certificate to you (as in regular HTTPS), and you present your certificate back to the server. Both sides validate before the connection completes. On the Now Platform, three things need to be in place:

  1. Your identity — a Java keystore holding your private key and CA-signed public certificate, registered on the instance as a Java Key Store record.
  2. The server's identity — the third party's public certificate, registered on the instance as a Trust Store Cert.
  3. The binding — a Protocol Profile that ties the keystore to a named protocol the platform can reference at runtime.

Note: this is an outbound-only capability. Inbound mTLS to your instance is a separate setup.

Step 1: Set up the Protocol Profile (condensed)

If you've already done this for an existing integration, skip ahead. Otherwise, the short version:

  1. Generate the keystore. Use keytool to create a Java keystore with a key pair, generate a CSR, have it signed by your CA, then import the signed certificate together with the root and any intermediate certificates. Use the -trustcacerts option on those imports: omitting it is the usual cause of the "Unsupported protocol" error listed under Common gotchas.
  2. Register the keystore. Navigate to System Definition > Certificates, create a new record, set Type to Java Key Store, mark it Active, attach the keystore file, and provide the keystore password.
  3. Import the third party's certificate. In the same Certificates table, create a new record with Type = Trust Store Cert. Use PEM (paste into the field) or DER (attach the file).
  4. Create the Protocol Profile. Navigate to System Security > Protocol Profiles, create a new record with a unique name (anything except http), port 443, and point it at the Java Key Store record from Step 2.
  5. Share your public certificate with the third party so they can trust your instance.

For the full version — including all keytool flags and CA-specific guidance — see KB0696002: Configure Outbound Mutual Authentication.


Step 2: Wire the Protocol Profile into a Connection & Credential alias

This is the part that often gets missed.

  1. Navigate to Connections & Credentials > Connection & Credential Aliases and open or create your alias.
  2. On the connection record, enable the "URL builder" checkbox. This is the unlock — without it, the mTLS fields stay hidden.
  3. With URL builder enabled, the Mutual authentication checkbox becomes available. Select it.
  4. The Protocol profile field appears. Look up and select the protocol profile you created in Step 1 (in the example below, testMTLS).
  5. Fill in the Host, and — if needed — Override default port and Base path.
  6. Save the connection record.

Field-level reference for every option on this form is in the official product docs: Create an HTTP(s) connection.


[Screenshot: the connection record with URL builder and Mutual authentication enabled, and Protocol profile set to testMTLS]

Why URL builder matters: mTLS configuration is exposed only when URL builder is enabled. If your alias is currently using a manually entered Connection URL, switch to URL builder mode first — the mTLS fields will surface and persist on the alias.

Step 3: Use the alias in your Flow Designer step

Once the alias is saved with mTLS configured, it behaves like any other Connection & Credential alias.

  1. Open your flow in Flow Designer.
  2. Add a REST step or SOAP step.
  3. Set Connection to Use Connection Alias and select your alias.
  4. Configure the rest of the step as you normally would — method, headers, query parameters, body, response handling.

That's it. The mTLS handshake happens automatically when the step executes. There's no script, no header injection, no secondary authentication configuration.

Common gotchas

  • "Unsupported protocol" on test: Almost always points back to the keystore. Confirm you used -trustcacerts on the certificate imports, and that the resulting alias is of type TrustedCertEntry. Verify with keytool -list -v -keystore your.keystore.
  • Mutual authentication checkbox doesn't appear: URL builder is off. Toggle it on and the field will surface immediately.
  • Wrong port: mTLS endpoints are typically on 443. Use Override default port only if the third party listens on a non-standard port.
  • Certificate expiry: Track the expiration of both your keystore certificate and the third party's trust store certificate. A renewal that slips by a day will silently break the integration. Build a calendar reminder or use a monitoring job.
  • Multiple endpoints, one keystore: If the same client certificate authenticates you to several third parties, you can reuse the same Protocol Profile across multiple Connection aliases. One keystore, one profile, many aliases.
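
As an added example (not commands from KB0696002 or the ServiceNow docs), the shell script below does two things: it spells out the keytool sequence from Step 1, and it implements the check from the first gotcha above by parsing keytool -list -v output and confirming that the CA aliases are trustedCertEntry entries while the key alias is a PrivateKeyEntry with a complete chain behind it. The keystore file name, aliases, certificate file names and subject DN are assumptions, and the two listings at the bottom are constructed samples so the check runs without a real keystore.

```shell
#!/bin/sh
# Added example, not taken from KB0696002 or the ServiceNow docs.
# Assumed (not on the page): keystore file client.keystore, key alias "client",
# CA aliases rootca/intca with files rootca.cer/intca.cer, and client.cer as the
# certificate your CA returns for the CSR.

KEYSTORE="${KEYSTORE:-client.keystore}"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; the real one goes on the Java Key Store record
KEY_ALIAS="${KEY_ALIAS:-client}"

# Step 1, first half: key pair and CSR. Send client.csr to your CA.
make_key_and_csr() {
  keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=example-instance.service-now.com, O=Example" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
  keytool -certreq -alias "$KEY_ALIAS" -file client.csr \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 1, second half: root and intermediate first, then the signed leaf under
# the key alias. -trustcacerts on every import is the flag the post warns is
# easy to miss; with it the CA certs land as trustedCertEntry entries.
import_chain() {
  for ca in rootca intca; do
    keytool -importcert -trustcacerts -noprompt -alias "$ca" -file "$ca.cer" \
      -keystore "$KEYSTORE" -storepass "$STOREPASS"
  done
  keytool -importcert -trustcacerts -noprompt -alias "$KEY_ALIAS" -file client.cer \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Gotcha check: read "keytool -list -v" output on stdin and confirm the layout a
# Protocol Profile needs. Prints OK or one line per problem; exit 1 on problems.
check_listing() {
  awk -v key_alias="$KEY_ALIAS" '
    /^Alias name:/               { alias = $3 }
    /^Entry type:/               { type[alias] = $3 }
    /^Certificate chain length:/ { chain[alias] = $4 }
    END {
      problems = 0
      if (type[key_alias] != "PrivateKeyEntry") {
        print "problem: alias " key_alias " is not a PrivateKeyEntry"; problems++
      } else if (chain[key_alias] + 0 < 2) {
        print "problem: alias " key_alias " chain length is " chain[key_alias] " (CA certs missing; imported with -trustcacerts?)"; problems++
      }
      cas = 0
      for (a in type) {
        if (a == key_alias) continue
        if (tolower(type[a]) == "trustedcertentry") { cas++ } else { print "problem: alias " a " is " type[a] ", expected trustedCertEntry"; problems++ }
      }
      if (cas == 0) { print "problem: no trustedCertEntry (CA certificate) in the keystore"; problems++ }
      if (problems == 0) print "OK: keystore layout looks right for a Protocol Profile"
      exit (problems > 0)
    }'
}

# Constructed sample listing: what "keytool -list -v -keystore client.keystore" prints
# for a keystore built with the imports above (only the lines the check reads are kept).
SAMPLE_OK='Your keystore contains 3 entries

Alias name: client
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=example-instance.service-now.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example

Alias name: intca
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example'

# Constructed listing of the layout the check rejects: a leaf with no CA chain behind it.
SAMPLE_BAD='Your keystore contains 1 entry

Alias name: client
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example-instance.service-now.com, O=Example
Issuer: CN=Example Intermediate CA, O=Example'

# Against a real keystore:  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | check_listing
printf '%s\n' "$SAMPLE_OK" | check_listing
printf '%s\n' "$SAMPLE_BAD" | check_listing || echo "(bad listing rejected as expected)"
```

Run make_key_and_csr first, hand client.csr to your CA, then run import_chain once client.cer comes back; pipe the real keytool -list -v output into check_listing before attaching the keystore to the Java Key Store record, so a missing -trustcacerts surfaces on your workstation rather than as "Unsupported protocol" on the instance.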

Why this matters

The same Protocol Profile you've already configured for classic REST and SOAP Messages now flows directly into the Connection & Credentials framework, which means Flow Designer steps inherit the same mTLS posture without an additional configuration model. One keystore, one Protocol Profile, used everywhere outbound mTLS is needed — classic messages, Integration Hub spokes, and custom flows alike.

If you've been holding off on moving an integration into Flow Designer because of the mTLS requirement, this is the path forward.
