04-18-2016 01:32 PM
We are developing an integration with a third-party ticketing system. The third party requires us to support mutual authentication (I know, one way to the 3rd party, not to SNOW).
So I'm trying to have our IT MSP purchase SSL certificates for our instances (blah.service-now.com, blahtest.service-now.com, blahdev.service-now.com). We cannot use a self-signed certificate (otherwise I would've done it myself). And I cannot purchase the certificate myself.
Our company's authority is Symantec. Our IT vendor is saying that Symantec cannot create the SSL certificate without getting approval from GoDaddy, which is ServiceNow's authority. Supposedly Symantec has contacted ServiceNow but is not getting any response. I put a ticket into HI but they don't understand my problem.
How have others purchased their own certificates? Is this really an issue, or is my IT MSP just confused as to what they need to do?
05-05-2016 01:05 PM
Our solution is going to be to create a DNS record with a service name like servicenowprod.companyname.com, where we have root certs already for companyname.com. We can then create the client certificate off that.
I was stuck on the idea that I needed to have the instance URL from service-now.com be the FQDN in the certificate. But that's not required.
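The approach in the reply above, as an added sketch that is not part of the original posts: a client certificate whose subject is the company-owned name is issued under the company's own CA and checked the way the far end would check it. The throwaway root CA, the key sizes and lifetimes, and the assumption that the far end trusts that CA and expects the `clientAuth` extended key usage are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All keys and the CA below are throwaway, constructed stand-ins.
set -eu

issue_and_verify_client_cert() {
  local fqdn="$1" dir as_client=FAIL as_server=FAIL
  dir="$(mktemp -d)"

  # Stand-in for the root the company already holds for companyname.com.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed companyname.com Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Client key and CSR: the subject is the company-owned name, not *.service-now.com.
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" -subj "/CN=$fqdn" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null

  # Leaf extensions: client authentication only (assumed far-end requirement).
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = clientAuth' "subjectAltName = DNS:$fqdn" > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

  # The far end's check: does the chain build to a CA it trusts, for client use?
  openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client.crt" \
    >/dev/null 2>&1 && as_client=OK
  # The same certificate is not usable as a server certificate.
  openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/client.crt" \
    >/dev/null 2>&1 && as_server=OK

  rm -rf "$dir"
  echo "client=$as_client server=$as_server"
}

issue_and_verify_client_cert servicenowprod.companyname.com
```

In a real deployment the private key would be generated and kept where the client certificate is stored, and only the CSR would go to the CA.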
04-29-2016 10:16 AM
Hi Paul,
The SSL certs are on the SSL termination on the target system.
For mutual auth, as you are the client, you need a client certificate you can upload as per "Uploading a Certificate - ServiceNow Wiki", which also meets the requirements for mutual auth.
Best Regards
Tony
04-29-2016 10:50 AM
Right - I understand that part. The issue is with our MSP purchasing the client certificate for the instance, as they say that we must have ServiceNow approve the purchase of the cert since the instance is in a ServiceNow domain.
04-30-2016 06:34 AM
Hi Paul,
You do mention the purchase of SSL certificates in your post - I do not think that is required for mutual auth in this case.
For outbound mutual authentication the first check is made by the ServiceNow instance against the SSL Certificate of the target webserver, which is or should be already in place.
The second check is made by the far end in respect of the client certificate, which is inspected by the far end.
This client certificate will have been uploaded to the ServiceNow instance as part of the configuration. Also the public part of the client cert may have been uploaded to the far end.
Your issue seems to relate to the 2nd check and the client certificate.
You mention you cannot use a self-signed (client) certificate.
Could you confirm that? A self-signed client certificate is usually acceptable.
Best Regards
Tony
05-03-2016 08:12 AM
Hi Paul,
Have you been able to confirm that a self-signed cert is OK for the client auth?
Best Regards
Tony