Renewing X.509 Certificates - Best Practice?

Nick Peters
Tera Guru

Our X.509 certificates for our SAML configuration and IdP are about to expire. What is the best practice for updating these?

This product doc: X.509 certificates for SAML, doesn't do much in the way of explaining how to update them.

  • I'm assuming that we don't replace existing certs, just add new ones - is this correct?
  • Once we add the new certs and confirm they are working, should we mark the old ones inactive?
  • The linked product doc states that once a cert is expired, it will poll the IdP for a new one - should we really wait, or should we just work with the team that supports the certs and update them before they expire?

Any other best practice advice is appreciated.

1 ACCEPTED SOLUTION

Nick Peters
Tera Guru

Replying with how we handled it so as to mark this post as answered.

The server admin conducting the cert renewal added a secondary encryption cert to AD before the primary expired. This apparently broke ServiceNow's authentication with our AD service. Once the primary cert was changed a few seconds later, he shared it with everyone that needed it. I simply copy/pasted it into our existing X.509 record and it validated instantly.


5 REPLIES

Greg75
ServiceNow Employee

Hello @midjoule

An ideal identity provider (IdP) should absolutely help you with understanding when to replace your X.509 certificate. In fact, a good IdP will likely offer a combination of features to assist with certificate lifecycle management:

  • Automated Notifications: The IdP should monitor certificate validity periods and send alerts nearing expiration to give you ample time to replace the certificate before it becomes invalid.
  • Renewal Options: Some IdPs may offer streamlined renewal processes, allowing you to easily request and obtain a new certificate within the IdP platform.
  • Best Practice Guidance: A good IdP should provide resources or documentation outlining best practices for X.509 certificate management, including recommended renewal timelines and potential security considerations.

Here's why an IdP is well-positioned to assist with certificates:

  • Centralized Management: The IdP likely has an overview of all your certificates within its system, making it easier to track validity periods.
  • Security Focus: Since IdPs are inherently security-focused, they understand the importance of maintaining valid certificates for secure communication.

If your current IdP doesn't provide these features, it may be worth exploring their documentation or contacting their support to inquire about certificate management policies. ServiceNow does not provide guidance in our documentation about certificate renewal timelines.
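The reply above leans on the IdP to watch validity periods and warn before expiry, and the accepted answer relies on pasting a PEM certificate into the X.509 record and seeing it validate. The script below is an added example, not code from this thread or from ServiceNow: a dependency-free DER walker that reads the Validity field out of a PEM certificate and classifies it against a renewal window, so a team that supports the certs can run its own expiry check instead of waiting for the IdP or for the expiry-triggered poll. The `warn_days` threshold, the helper names, and the embedded certificate (a constructed, unsigned skeleton carrying only the fields the walker reads) are assumptions made here; on a real certificate you would pass the PEM exported from the IdP metadata or from the X.509 record.

```python
"""Expiry check for a SAML X.509 certificate (added example, stdlib only)."""
import base64
import re
from datetime import datetime, timedelta, timezone

SEQUENCE, CONTEXT_0, UTC_TIME, GENERALIZED_TIME = 0x30, 0xA0, 0x17, 0x18


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's contents into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_time(tag, raw):
    """Decode UTCTime (two-digit year, RFC 5280 pivot at 50) or GeneralizedTime."""
    text = raw.decode("ascii")
    if tag == UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem):
    """Return (notBefore, notAfter) as aware UTC datetimes from a PEM certificate."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    tag, cert, _ = der_read(der)
    if tag != SEQUENCE:
        raise ValueError("not a DER Certificate SEQUENCE")
    tbs_tag, tbs = der_children(cert)[0]   # tbsCertificate comes first
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate missing")
    for child_tag, child in der_children(tbs):
        if child_tag != SEQUENCE:          # skips [0] version and the INTEGER serial
            continue
        parts = der_children(child)        # Validity is the SEQUENCE of two Time values
        if len(parts) == 2 and all(t in (UTC_TIME, GENERALIZED_TIME) for t, _ in parts):
            return parse_time(*parts[0]), parse_time(*parts[1])
    raise ValueError("Validity field not found")


def renewal_status(pem, now, warn_days=30):
    """'not-yet-valid', 'expired', 'renew-soon' (inside warn_days) or 'ok'."""
    not_before, not_after = certificate_validity(pem)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "renew-soon"
    return "ok"


# --- constructed sample input (assumed, not a real certificate) -------------
def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def utc(*ymd_hms):
    """Build an aware UTC datetime, e.g. utc(2024, 12, 15)."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def constructed_certificate_pem(not_before, not_after):
    """Unsigned certificate shell: only the Validity field carries real data."""
    t = lambda d: der_encode(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode())
    empty = der_encode(SEQUENCE, b"")      # placeholder for alg / issuer / subject / SPKI
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(0x02, b"\x02"))   # version v3
                     + der_encode(0x02, b"\x01")                        # serialNumber
                     + empty + empty
                     + der_encode(SEQUENCE, t(not_before) + t(not_after))
                     + empty + empty)
    cert = der_encode(SEQUENCE, tbs + empty + der_encode(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = constructed_certificate_pem(utc(2024, 1, 1), utc(2025, 1, 1))
    print(certificate_validity(pem), renewal_status(pem, utc(2024, 12, 15)))
```

Pick `warn_days` to match the lead time your cert team needs to issue and distribute a replacement; the accepted answer shows why the swap itself should be planned rather than reactive, since a second certificate appearing on the AD side briefly broke authentication before the primary was replaced.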