Renewing X.509 Certificates - Best Practice?

Nick Peters · ‎05-24-2018

Our X.509 certificates for our SAML configuration and IdP are about to expire. What is the best practice for updating these?

This product doc: X.509 certificates for SAML, doesn't do much in the way of explaining how to update them.

I'm assuming that we don't replace existing certs, just add new ones - is this correct?
Once we add the new certs and confirm they are working, should we mark the old ones inactive?
The linked product doc states that once a cert is expired, it will poll the IdP for a new one - should we really wait, or should we just work with the team that supports the certs and update them before they expire?

Any other best practice advice is appreciated.

Nick Peters · ‎07-05-2018

Replying with how we handled it so as to mark this post as answered.

The server admin conducting the cert renewal added a secondary encryption cert to AD before the primary expired. This apparently broke ServiceNow's authentication with our AD service. Once the primary cert was changed a few seconds later, he shared it with everyone that needed it. I simply copy/pasted it into our existing X.509 record and it validated instantly.

View solution in original post

Nick Peters · ‎07-05-2018

Replying with how we handled it so as to mark this post as answered.

The server admin conducting the cert renewal added a secondary encryption cert to AD before the primary expired. This apparently broke ServiceNow's authentication with our AD service. Once the primary cert was changed a few seconds later, he shared it with everyone that needed it. I simply copy/pasted it into our existing X.509 record and it validated instantly.

Greg75 · ‎11-09-2018

Here is a process to automatically update your certificate using the IDP Metadata URL.

Lemajeur · ‎08-02-2021

Hi Nick, do you know if the system would take care of everything if we do not renew it somehow manually? I see in the documentation that it should auto-handle this part, our instance is having the same issue and certificate is expected to expire in 4 days.

Thanks

midjoule · ‎06-10-2024

Hello,

I'm getting into the same situation and found out this support KB Doc from ServiceNow, which explains that the best practice is to create the new certificate few weeks ahead of the expiration of the existing one. Then, the old one should be deactivated after it has expired.

Best regards