MID Server certificate check policies

  • Release version: Australia
  • Updated March 12, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MID Server certificate check policies

    MID Server certificate check policies enhance security by controlling how the MID Server validates external HTTPS traffic. These policies govern TLS/SSL certificate validation, hostname validation, Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP) checks. Together, they ensure secure, authenticated communication between the MID Server and external endpoints including ServiceNow instances, internet sites, and internal networks.

    Show full answer Show less

    Key Features

    • TLS/SSL Certificate Validation: Ensures encrypted communication by verifying the authenticity of server certificates using asymmetric encryption (public/private keys).
    • Hostname Validation: Confirms the server identity by matching the hostname in the certificate with the requested URL, preventing man-in-the-middle attacks. Requires prior successful TLS certificate validation.
    • Online Certificate Status Protocol (OCSP): Checks certificate revocation status in real-time by querying the certificate authority's OCSP responder before continuing communication.
    • Certificate Revocation List (CRL): Downloads and caches lists of revoked certificates locally to verify certificate status without needing live OCSP queries. Essential for CAs like Let’s Encrypt that have deprecated OCSP.
    • Security Policies: MID Server supports four certificate check policies:
      • ServiceNow endpoint policy: Default for ServiceNow URLs, updated automatically after initial connection.
      • Internet policy: Covers HTTPS connections to internet endpoints.
      • Intranet policy: Controls HTTPS connections within reserved internal IP ranges; defaults to disabled checks on upgrades but should be enabled for improved security.
      • Overridden policy: Highest precedence for specific endpoints or URLs to customize validation rules.
    • Configuration Control: Certificate validation checks and IP ranges can be customized per policy to balance security and connectivity needs.
    • Instance Security Policy Usage: Controlled by the mid.ssl.use.instance.security.policy parameter, allowing synchronization of MID Server policies with instance-defined settings or retaining bootstrap defaults for setup flexibility.

    Practical Considerations for ServiceNow Customers

    • Enable all certificate validation checks to maximize security, especially for intranet endpoints which require valid CA-signed certificates.
    • For self-signed certificates, import them into the MID Server trust store or disable hostname and certificate validation as appropriate.
    • After upgrading to Quebec or later, review and adjust policies in the certificate check policies table to meet your security requirements.
    • Configure the mid.ssl.bootstrap.default.targetendpoint parameter for self-hosted or on-premise instances to specify the instance’s fully qualified domain name (FQDN).
    • Understand that insecure connections will be blocked with error messages when policies are enforced, helping to quickly identify certificate-related issues.

    Related Configuration and Security Features

    • MID Server authentication credentials and unified key store management
    • Integration with Azure Key Vault and mutual authentication
    • Audit logging and FIPS enforced mode for compliance
    • Management of SSL certificates and external trust stores
    • Configuration file encryption and cryptographic algorithm options

    These policies empower ServiceNow customers to maintain robust, secure communications from the MID Server to all external endpoints, reducing risks from compromised certificates and man-in-the-middle attacks, while providing flexibility to accommodate diverse network environments.

    MID Server uses four kinds of security checks to secure external traffic. The security checks use TLS/SSL certificate validation, hostname validation, Certificate Revocation List (CRL), and Online Certificate Status Protocol (OCSP) validation to improve security. Control these security checks with the MID Server certificate check policies table.

    Set-up indicator for security phaseEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server securityEnsure that the MID Server can connect to elements inside and outside your networkDownload and install the MID Server on a Linux or Windows hostConfigure your MID ServerConfigure MID Server security

    TLS/SSL certificate validation

    TLS/SSL encryption security uses asymmetric encryption, also called public-key encryption. This encryption uses two cryptographic keys: the public key and the private key. The public key is used for encryption of data and is publicly visible. The private key is used for decryption of data and its security is essential to verifying authenticity.

    In TLS/SSL certificate validation, the MID Server attempts to connect to a web server secured with a TLS or SSL certificate. The web server sends a copy of its TLS/SSL certificate to the MID Server. The MID Server checks the authenticity of the certificate and sends a message to the webserver. The webserver responds with a digitally signed acceptance for initiating an TLS/SSL encrypted session. After which the MID Server can begin encrypted communication with the web server.

    Hostname validation

    Hostname verification is a part of HTTPS that involves a server identity check to ensure that the client is talking to the correct server. This check prevents sending information to a server after being redirected by a man in the middle attack.

    The check involves verifying that the dnsName of the certificate sent by the server matches the URL used to make the request. According to RFC 6125, hostname verification should be done against the certificate's subjectAlternativeName's dNSName field. In some legacy implementations, the check is done against the certificate's commonName field. If the names don't match, the connection is terminated.

    Note:
    Hostname validation derives the hostname from the validated certificate presented by the server. Therefore, TLS certificate validation is a pre-requisite for hostname validation.

    Online Certificate Status Protocol (OCSP)

    OCSP involves contacting the remote certificate authority server and verifying the certificate before the MID Server communicates further with the target server. Compromised certificates can be a security vulnerability, especially if those certificates have the ability to sign other certificates. If certificates have been broken or forged, then a certificate authority can inform a client which certificates are invalid and should not be used.

    An OCSP responder (a server typically run by the certificate issuer) returns a signed response that the certificate is 'good', 'revoked', or 'unknown'. If it cannot process the request, it may return an error code.

    The certificate's issuer may delegate another authority to be the OCSP responder. This creates a chain of certificates that must be verified. The responder's certificate must be issued by the issuer of the certificate in question. The responder’s certificate must include a certain extension that marks it as an OCSP signing authority.

    Note:
    OCSP checks are secondary HTTP calls made to an OCSP responder. The primary call may discontinue the connection based on the response from the OCSP responder.

    Certificate Revocation List (CRL)

    CRL checking provides an alternative to OCSP for verifying certificate revocation status. Rather than querying a live OCSP responder, the MID Server downloads and caches Certificate Revocation Lists (CRLs) from URLs provided by the Certificate Authority (CA). The MID Server then checks the revocation status of certificates against the locally cached CRL during the SSL/TLS handshake. If a certificate appears on the CRL, the MID Server rejects the connection and logs the event.

    CRLs are cached locally and updated periodically based on the CA's update schedule. If a CRL download fails, the system retries according to a configurable retry policy.

    Note:
    As of May 7, 2025, Let's Encrypt no longer includes OCSP URLs in issued certificates and has deprecated its OCSP responders in favor of CRLs, following the CA/Browser Forum ballot SC-063, which made OCSP optional for Certificate Authorities and mandated CRL support. CRL checking ensures continued certificate revocation validation for certificates issued by CAs that no longer support OCSP.

    MID Server security policy

    MID Server security policies control all HTTPS traffic originating from the MID Server. This includes HTTPS connections from the MID Server to an internet endpoint, ServiceNow URLs, intranet endpoints, as well as cloud endpoints.

    Certificate Check Policies

    These connections can be further classified into 4 security policies:

    ServiceNow endpoint policy
    This policy is the system default exclusively for ServiceNow URLs. On the MID Server config.xml, there are bootstrap properties which are only used to make first connection to the instance and will get updated with the system_default policy.
    Internet policy
    These policies cover all HTTPS connections initiated from MID Server to any endpoint on the internet.
    Intranet policy
    These policies cover the reserved IP subnets, such as self-hosted networks.
    Overridden policy
    You can override specific endpoints or URLs with this policy definition. Overridden policies take the highest order of precedence during operation.

    Both tables are editable to include or exclude IP ranges, as well as control what kind of certificate validation checks need to be done. Enable all certificate validation checks to maximize security. The Quebec version has all policies and checks turned on by default for fresh installations.

    For upgrading customers, the intranet policy has the certificate validation checks disabled by default. To improve security, configure and enable the policy for endpoints within the internal network.
    Note:
    Internal endpoints or URLs need to possess a valid CA signed certificate for a successful connection.

    For endpoints that host a self-signed certificate, either import the certificate to the MID Server trust store or disable the policy checks which validate that host. For more information about adding certificates, see Add SSL certificates for the MID Server.

    After upgrading to Quebec, go to the certificate check policies table and make changes to policy configuration if necessary. Once the MID Server starts up and connects to the instance, any subsequent HTTPS connection originating from the MID server will start applying these certificate checks at runtime. Insecure connections are broken with appropriate error messages.

    Use Instance Security Policy

    The MID Server configuration parameter mid.ssl.use.instance.security.policy controls whether the MID Server uses its bootstrap parameters rather than the security policy from the instance. By default, mid.ssl.use.instance.security.policy is set to false in the config.xml so the bootstrap policies are not overwritten by the instance's.

    This default setting can prevent some problems during MID Server setup. For example if the host is unable to reach the OCSP responder, then a new MID Server installation is not disrupted by an instance's policy of requiring OCSP connection.

    The configuration parameter mid.ssl.use.instance.security.policy can be set for each MID Server. When set to true, the MID Server syncs all policies with the instance and the bootstrap configuration parameters are overwritten by the *.servicenow.com policy on the instance mid_cert_check_policy table. The final policies update the policy map in the MID Server memory as well as the config.xml.

    The default parameters in the config.xml are:
    • <parameter name="mid.ssl.bootstrap.default.check_cert_hostname" value="true"/>
    • <parameter name="mid.ssl.bootstrap.default.check_cert_chain" value="true"/>
    • <parameter name="mid.ssl.bootstrap.default.check_cert_revocation" value="false"/>
    • <parameter name="mid.ssl.use.instance.security.policy" value="false"/>

    Self-hosted or on-prem instances must add the following parameter for the config.xml: <parameter name="mid.ssl.bootstrap.default.target_endpoint" value="FQDN_OF_THE_INSTANCE"/>