05-24-2018 07:36 AM
Our X.509 certificates for our SAML configuration and IdP are about to expire. What is the best practice for updating these?
This product doc: X.509 certificates for SAML, doesn't do much in the way of explaining how to update them.
- I'm assuming that we don't replace existing certs, just add new ones - is this correct?
- Once we add the new certs and confirm they are working, should we mark the old ones inactive?
- The linked product doc states that once a cert is expired, it will poll the IdP for a new one - should we really wait, or should we just work with the team that supports the certs and update them before they expire?
Any other best practice advice is appreciated.
07-05-2018 08:25 AM
Replying with how we handled it so as to mark this post as answered.
The server admin conducting the cert renewal added a secondary encryption cert to AD before the primary expired. This apparently broke ServiceNow's authentication with our AD service. Once the primary cert was changed a few seconds later, he shared it with everyone that needed it. I simply copy/pasted it into our existing X.509 record and it validated instantly.
08-02-2021 01:04 AM
Hi Nick, do you know if the system would take care of everything if we do not renew it somehow manually? I see in the documentation that it should auto-handle this part. Our instance is having the same issue and the certificate is expected to expire in 4 days.
Thanks

06-10-2024 09:17 PM
Hello,
I'm getting into the same situation and found this support KB doc from ServiceNow, which explains that the best practice is to create the new certificate a few weeks ahead of the expiration of the existing one. Then, the old one should be deactivated after it has expired.
Best regards