Use automated flow for certificate management

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minute read
  • Certificate Inventory and Management streamlines your TLS certificate processes, offering benefits such as improved efficiency and enhanced security. Automating certificate management ensures timely renewal of certificates, which minimizes the risk of expired certificates.

    Before you begin

    To use the Microsoft Certificate Authority automated flow, you must install the ServiceNow IntegrationHub Action Step - PowerShell plugin and must have an Integration Hub subscription. See Integration Hub usage and subscription for more information.

    Role required: pki_admin or admin

    Procedure

    1. Set the system property sn_disco_certmgmt.cert_task_default_approval_group to the default Approval Group name.
      If the certificate request moves into manual mode, the approval group name is the default group used. For instance, the default group is used if there's no matching policy or more than two matching policies. You can add more than one approval group, separated by commas. The first group on the list, which belongs to the task domain, is used for approval. If no domain-specific group is found, the first name in the global domain list is used.
    2. To set the validity period of the certificate order, update the system property sn_disco_certmgmt.default_cert_order_validity_period.
      The default is 730 days (2 years).
    3. Add the IP of the Microsoft CA Server, using one of the following options.
      • Add the IP in the ca_host_ip field of the routing policy.
      • Add the IP of an intermediate server in the ca_host_ip field of the routing policy.
      The intermediate server can be any Windows server that is in the same domain as the Microsoft CA Server and has access to the certutil and certreq commands in PowerShell. When an intermediate server is used, the MID Server executes a PowerShell script on the intermediate server using Invoke-Command. This command uses a Remote Procedure Call (RPC) to run the certutil and certreq commands on the CA Server.
    4. Create the certificate credential and map it to the credential alias.
      Each credential should map using a unique credential alias. For more information, see Credential alias for Discovery.
    5. Confirm the Certificate and Certificate URL information are in the Certificate Authority [sn_disco_certmgmt_ca] and Certificate Authority API URL [sn_disco_certmgmt_ca_api_url] tables.
      The default URLs for DigiCert and Entrust CA Gateway provide all validation type URLs. You can also add more URLs.
    6. Set the task priority.

      The priority and type of the change request are mapped based on the priority of the task. A change request has the same priority as the task, except that a change request doesn't have P5, so in that case it's mapped to P4.

      To change the type of change requests, the change management property com.snc.change_management.change_model.type_compatibility must be set to true. The default is false.

      1. If needed, change the system property sn_disco_certmgmt.default_cert_task_priority to configure New and Renew task priorities.
        The priority defaults to P3. The possible values are 1, 2, 3, 4, 5. If the value is 1, the priority is set to P1, and so on. If an invalid value is provided, the priority resets to the default of P3.
      2. If needed, change the system property sn_disco_certmgmt.default_revoke_cert_task_priority to configure Revoke task priorities.
        The priority defaults to P1. The possible values are 1, 2, 3, 4, 5. If the value is 1, the priority is set to P1, and so on. If an invalid value is provided, the priority resets to the default of P1.
    7. Optional: Install the Integration Hub plugin [com.glide.hub.integrations].

      The [com.glide.hub.integrations] plugin isn't required for requesting the DigiCert or Entrust CA Gateway Certificate and tracking the certificate order status. However, if you want to debug the certificate subflow actions or add your own customization flow for DigiCert or Entrust CA Gateway, install this plugin.
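
A preflight check for step 3, run from the MID Server host before the address is saved in ca_host_ip. It confirms that the server answers Invoke-Command, that certutil and certreq resolve there, and that the CA responds. This is an added example, not ServiceNow code. The parameter names, the CA config string, and the account used are assumptions that you supply.

```powershell
# Added example (not ServiceNow code). Run from the MID Server host.
# All parameter values are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $TargetServer,      # address planned for ca_host_ip
    [Parameter(Mandatory)] [string] $CaConfig,          # 'CAHostName\CA common name'
    [Parameter(Mandatory)] [pscredential] $Credential   # account the MID Server will use (assumption)
)
$ErrorActionPreference = 'Stop'

# WinRM must answer: the MID Server reaches this host with Invoke-Command.
Test-WSMan -ComputerName $TargetServer | Out-Null

$report = Invoke-Command -ComputerName $TargetServer -Credential $Credential `
    -ArgumentList $CaConfig -ScriptBlock {
    param($Config)
    # Both tools the automated flow depends on must resolve on this host.
    $tools = foreach ($name in 'certutil.exe', 'certreq.exe') {
        $cmd = Get-Command $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Tool = $name; Found = [bool]$cmd; Path = $cmd.Path }
    }
    $pingOk = $false
    $pingText = 'skipped: certutil.exe not found'
    if ($tools[0].Found) {
        # certutil -ping checks that the CA's request interface responds.
        $pingText = (& certutil.exe -config $Config -ping 2>&1 | Out-String).Trim()
        $pingOk = ($LASTEXITCODE -eq 0)
    }
    [pscustomobject]@{ Tools = $tools; CaPingOk = $pingOk; CaPingOutput = $pingText }
}

$report.Tools | Format-Table Tool, Found, Path
"CA ping succeeded: $($report.CaPingOk)"
$report.CaPingOutput

if (($report.Tools.Found -contains $false) -or -not $report.CaPingOk) {
    Write-Error 'Preflight failed: fix the items above before saving ca_host_ip.'
}
```

The same script works for either option in step 3: pass the CA Server itself or the intermediate server as TargetServer.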