08-14-2024 02:40 PM
Google has made an announcement that they will stop supporting the Entrust CA in a few months: https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
Our certificate guy was poking around at some things today and noticed our ServiceNow instance uses an Entrust certificate. This KB confirms that ServiceNow uses Entrust for a lot of their certs, but I did not see anything about them changing CAs.
Is there a plan for how to deal with this?
01-08-2025 12:19 PM
Alongside the KB @Joe1 mentioned, I'm sure all clients have received the communication below:
Entrust certificates expiration follow up notification
Review • Take Action by April 2025
Per Google’s recent announcement, ServiceNow is preparing for the replacement of Entrust certificates with DigiCert certificates by the end of April 2025.
In advance of the certificate replacement, any customers using MID servers need to ensure their firewalls allow communication to the DigiCert end points. Also, any hard dependencies on Entrust public certificates will impact your instance and/or integrations, and therefore customers with hard-coded dependencies must take action.
What you need to know and do
Action required before April 30, 2025
- Enable Firewalls – All customers must verify that their firewalls will allow for MID server communication to the DigiCert OCSP (http://ocsp.digicert.com) and CRL (http://crl3.digicert.com) end points.
  - Instructions to verify and allow (if necessary) can be found in KB1709661.
  - Failure to apply this change before the end of April will result in MID server outages.
- Hard coded certificates - If you currently have Entrust certificates hard coded to explicitly trust Entrust certificates only, you will need to take the necessary measures to ensure DigiCert certificates are trusted within your environment.
  - Instructions for replacing certificates can be found in KB1702083.
Note: Additional communications/reminders will be provided closer to the certificate transition deadline.
Questions?
We are here to help. For details, please reference the following resources:
- KB1648707 – [Security Advisory] Entrust Certificate Distrust (Google, Chrome and Firefox)
- KB1702083 – Replacing Entrust Certificate Authority (CA)
- KB0563633 – SSL/TLS Encryption on Instances which also contains the new DigiCert certificate.
For additional assistance, please create a Case in Now Support using the subject: “Entrust Replacement”. Or you can visit the Customer Support - Contact Us knowledge article for contact information in your region.
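The two checks the notification asks for can be scripted from a MID server or CI host. The following is an added example, not part of the ServiceNow communication or of any post in this thread: it reports which CA issued the instance certificate as seen through the local trust store, and whether the DigiCert OCSP and CRL endpoints answer. The function names are hypothetical, and the instance hostname is supplied on the command line.

```python
import socket
import ssl
import sys
import urllib.error
import urllib.request

# OCSP and CRL endpoints named in the ServiceNow notification.
DIGICERT_ENDPOINTS = ("http://ocsp.digicert.com", "http://crl3.digicert.com")

def issuer_org(cert):
    """Return the issuer organizationName from an ssl getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def classify_issuer(cert):
    """Label a certificate 'entrust', 'digicert' or 'other' by issuer org."""
    org = (issuer_org(cert) or "").lower()
    return next((ca for ca in ("entrust", "digicert") if ca in org), "other")

def fetch_peer_cert(host, port=443, timeout=10):
    """Handshake using the local trust store and return the leaf certificate.
    Raises ssl.SSLCertVerificationError if the chain's root is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def endpoint_reachable(url, opener=urllib.request.urlopen, timeout=10):
    """True if any HTTP answer comes back, False if the connection fails."""
    try:
        opener(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True  # the server answered, so the request left the network
    except OSError:  # URLError, timeouts and refused connections land here
        return False

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <instance-hostname>")
    try:
        print("issuer:", classify_issuer(fetch_peer_cert(sys.argv[1])))
    except ssl.SSLCertVerificationError as exc:
        print("chain not trusted by local store:", exc.verify_message)
    for url in DIGICERT_ENDPOINTS:
        print(url, "reachable" if endpoint_reachable(url) else "BLOCKED")
```

A filtering proxy that returns its own block page also counts as an HTTP answer here, so a "reachable" result behind such a proxy should be confirmed against the proxy logs.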
08-15-2024 03:24 AM
To be sure, you could log a case with NowSupport and ask them about it. I didn't read all of the information you provided, but it will only affect new certificates, issued after 31-10 and not affect any older ones. This means that only after the current certs expire, it can cause an issue. My guess is that ServiceNow knows about this and will take this into account on new certs, but you will have to ask them to be sure. The community can only guess.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
08-19-2024 06:46 AM
Looks like at least my PROD instance will expire in mid-November. Hopefully this is sorted out by then.
08-19-2024 06:53 AM
As I said: create a case with NowSupport. They can tell you exactly what to expect when.
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
01-08-2025 07:38 AM
That's not true. The current cert is not expired but still our toolchains failed because the root cert was removed in the base image that we used in CI/CD (some security update at provider end). We had to take steps to fix this problem since it caused problems with our CI/CD pipeline. ServiceNow should change their cert or get Entrust to fix whatever is broken and get re-added to these places.