Certificate generation through Cert-Manager Integration
Summary of Certificate generation through Cert-Manager Integration
This integration enables ServiceNow customers to request and manage certificates in a Kubernetes environment using the cert-manager tool combined with the ServiceNow External Issuer (sn-external-issuer). Certificates and their associated data are securely stored within Kubernetes secrets, facilitating automated certificate lifecycle management directly linked to ServiceNow tasks.
Deployment Requirements
- Ensure cert-manager is deployed in your Kubernetes cluster.
- Customize the manager.yaml or values.yaml files with essential details such as your ServiceNow Instance URL, Certificate Owner Group, Certificate Owner, Environment, and Renewal Tracking information.
- Deploy the ServiceNow External Issuer (sn-external-issuer) in Kubernetes.
- Create a Kubernetes secret named clusterissuer-servicenow-credentials containing your ServiceNow instance username and password. The user must have roles necessary to request certificates.
- The ServiceNow External Issuer supports amd64 architecture and Kubernetes version 1.33.3 or later.
ServiceNow External Issuer Functionality
The ServiceNow External Issuer acts as an extension to cert-manager, enabling certificate requests through ServiceNow APIs. It tracks certificate tasks by storing their IDs locally and on the ServiceNow instance. It continuously polls the instance for task status, triggers certificate issuance in cert-manager, and upon completion, downloads the generated certificate to update Kubernetes secrets accordingly.
Deployment Steps
- Download the Helm Chart or YAML package for the ServiceNow External Issuer from your ServiceNow instance.
- Customize configuration files (manager.yaml or values.yaml) as needed.
- Create the Kubernetes secret for credentials using the command:
kubectl create secret generic clusterissuer-servicenow-credentials --from-literal=user=<username> --from-literal=password=<password> -n system
- Apply Kubernetes resources and deploy the External Issuer by running:
kubectl create ns system
kubectl apply -f crd
kubectl apply -f rbac
kubectl apply -f issuers
kubectl apply -f manager/manager.yaml
- Verify the ServiceNow External Issuer deployment is running successfully.
Requesting a Certificate
After deployment, submit a certificate resource manifest (e.g., certificateclusterissuer.yaml) specifying:
- issuerRef referencing the ServiceNow ClusterIssuer
- Details such as commonName, dnsNames, and secretName to store the certificate
A sample certificate resource includes the following key sections:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-by-clusterissuer
spec:
  commonName: certificate-by-clusterissuer.servicenow.com
  secretName: certificate-by-clusterissuer
  dnsNames:
    - servicenow.com
    - foo.servicenow.com
  issuerRef:
    name: clusterissuer-servicenow
    group: servicenow-issuer.servicenow.com
    kind: ClusterIssuer
Apply the certificate resource with:
kubectl apply -f certificateclusterissuer.yaml
This triggers the certificate request workflow integrated between cert-manager and ServiceNow. The certificate is issued, tracked, and securely stored within Kubernetes for your applications to use.
Request a certificate through Kubernetes cert-manager using the ServiceNow External Issuer (sn-external-issuer) and save the certificate and its related information securely within the Kubernetes cluster as a secret. In Kubernetes, a secret is an object that allows you to store and manage sensitive information, such as passwords, API keys, and certificates.
For information on building an external issuer, see Building and Deploying External Issuer For Certificate Management [KB1435392].
Deployment Requirements
- Deploy cert-manager in your Kubernetes environment. Update manager.yaml with Instance URL, Certificate Owner Group, Certificate Owner, Environment, and Renewal Tracking.
- Deploy the ServiceNow External Issuer (sn-external-issuer) in your Kubernetes environment. Create a Kubernetes secret clusterissuer-servicenow-credentials with the instance username and password, ensuring the user has the necessary roles to request a certificate.
- The ServiceNow External Issuer supports amd64 architecture along with the latest version of Kubernetes, 1.33.3.
ServiceNow External Issuer (sn-external-issuer)
- External issuers expand cert-manager functionality to issue certificates through non-core APIs and services.
- The ServiceNow External Issuer is a ServiceNow-specific implementation of an External Issuer.
- When a new certificate task is created, its Certificate Request UID and Certificate Task Sys Id are stored in the local JSON cache and the Certificate Request UID to Task Map table on the instance.
- The ServiceNow External Issuer polls the instance to monitor the status of the certificate task.
- If the certificate task is in the Work in progress state, its Certificate Request UID and Certificate Task Sys Id are added to the External Issuer UID Map table on the instance and the local JSON cache. During this time, Cert-manager automatically attempts to request the certificate.
- Upon receiving a certificate request, Cert-manager checks for a matching task in the local JSON cache. If found, it polls the same task; otherwise, it queries the instance for records from the External Issuer UID Map table and populates the local JSON cache.
- Once the task is marked as complete and the certificate is generated, the ServiceNow External Issuer sends another request to the instance, downloads the certificate attachment, and updates the certificate resource and corresponding secret in Kubernetes.
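The polling and cache behaviour described in the list above, as an added Python simulation that is not the sn-external-issuer's own code: a stand-in class replaces the ServiceNow instance, and the state labels, method names and cache layout are assumptions. It shows a cache hit, a restarted issuer recovering its task from the External Issuer UID Map table without opening a duplicate task, and the attachment check before the Kubernetes secret is written.

```python
# Assumed state labels; the page names "Work in progress" and "complete" tasks.
WORK_IN_PROGRESS, COMPLETE = "Work in progress", "Complete"
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

class FakeInstance:  # stand-in for the ServiceNow instance; hypothetical API
    def __init__(self):
        self.tasks = {}        # Certificate Task Sys Id -> state
        self.uid_map = {}      # External Issuer UID Map table: Request UID -> Task Sys Id
        self.attachments = {}  # Task Sys Id -> certificate attachment bytes
        self.calls = 0         # API round trips, so cache hits are observable
    def create_task(self, request_uid):
        self.calls += 1
        sys_id = f"task-{len(self.tasks) + 1:04d}"
        self.tasks[sys_id] = WORK_IN_PROGRESS
        self.uid_map[request_uid] = sys_id
        return sys_id
    def get_state(self, sys_id):
        self.calls += 1
        return self.tasks[sys_id]
    def query_uid_map(self):
        self.calls += 1
        return dict(self.uid_map)
    def download_attachment(self, sys_id):
        self.calls += 1
        return self.attachments[sys_id]

class SnExternalIssuer:  # one reconcile pass per call, following the loop above
    def __init__(self, instance):
        self.instance = instance
        self.cache = {}    # local JSON cache: Request UID -> Task Sys Id
        self.secrets = {}  # stand-in for Kubernetes secrets: secretName -> data
    def reconcile(self, request_uid, secret_name):
        sys_id = self.cache.get(request_uid)
        if sys_id is None:
            # Cache miss (e.g. after a restart): rebuild from the instance's UID Map
            # table first, so an already-tracked request never gets a duplicate task.
            self.cache.update(self.instance.query_uid_map())
            sys_id = self.cache.get(request_uid)
        if sys_id is None:
            sys_id = self.instance.create_task(request_uid)
            self.cache[request_uid] = sys_id
        if self.instance.get_state(sys_id) != COMPLETE:
            return ("pending", sys_id)  # keep polling the same task next pass
        pem = self.instance.download_attachment(sys_id)
        if not pem.startswith(PEM_HEADER):  # never store a non-certificate in the secret
            raise ValueError(f"task {sys_id}: attachment is not a PEM certificate")
        self.secrets[secret_name] = {"tls.crt": pem}
        return ("issued", sys_id)
```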
Deploying the ServiceNow External Issuer in Kubernetes
- From the ServiceNow instance download page, obtain the Helm Chart or YAML zip package.
- Customize the manager.yaml or values.yaml files as needed for your specific use case. These files may include essential information such as the Instance URL and Certificate Owner Group.
- Create a Kubernetes secret named clusterissuer-servicenow-credentials with the instance username and password. Example command:
kubectl create secret generic clusterissuer-servicenow-credentials --from-literal=user=<user_name> --from-literal=password=<password> -n system
- Ensure that the user has the necessary roles to request certificates.
- Execute the following commands for deployment.
kubectl create ns system
kubectl apply -f crd
kubectl apply -f rbac
kubectl apply -f issuers
kubectl apply -f manager/manager.yaml
- (Optional) Customize any additional configurations in the files to suit your specific requirements.
- Ensure that the deployment is successful and the ServiceNow External Issuer is up and running.
Request a certificate flow
After deployment, submit a certificate resource with the following issuerRef values in a file named certificate_clusterissuer.yaml.
- issuerRef name: clusterissuer-servicenow
- issuer: issuer-servicenow
- issuerRef kind: ClusterIssuer
- issuerRef group: servicenow-issuer.servicenow.com
Here's a sample Certificate Resource:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-by-clusterissuer
spec:
  commonName: certificate-by-clusterissuer.servicenow.com
  secretName: certificate-by-clusterissuer
  dnsNames:
    - servicenow.com
    - foo.servicenow.com
  issuerRef:
    name: clusterissuer-servicenow
    group: servicenow-issuer.servicenow.com
    kind: ClusterIssuer
Apply the certificate resource using:
kubectl apply -f certificate_clusterissuer.yaml