SSL/TLS encryption on instancesDescriptionProtecting the security and privacy of our customers is among our top priorities, so ServiceNow utilizes SSL/TLS to encrypt communications for all customer instances. In order to continue to provide best-in-class protection, we are upgrading our SSL/TLS encryption. We are making this change because SSL certificates signed with the SHA1 algorithm have been known for some time to contain security weaknesses that could lead to the unintentional disclosure of sensitive information if compromised. An industry-wide effort (led by Google, Microsoft, and others) is forcing the timeframe for sun-setting the use of this older technology. In addition to the technical change, ServiceNow is leveraging this opportunity to increase the frequency at which we rotate SSL certificates. A shorter lifespan for SSL certificates reduces our exposure window and also gives us greater flexibility to deal with unforeseen security issues. Since so many recent headlines have featured exposures in the SSL protocol and the surrounding technologies (Heartbleed, POODLE, root CA compromises, unauthorized disclosures) ServiceNow views this as a necessary step in order to stay ahead of current and future threats. Changes to SSL certifications The following changes occur when we upgrade our SSL/TLS encryption: ServiceNow will increase the cadence at which our SSL certificate is rotated (currently every 6 months), and will continue to provide 14-day notification of this activity. This is an industry best practice, enables ServiceNow to provide improved security for our customers, and allows us to react more quickly to the changing threat landscape. A routine change includes, but is not limited to, any change not materially affecting the technical nature or performance of the certificate. Examples are: replacing the certificate with a new expiration daterevoking outdated certificatesadding a feature such as an additional server name or supported cipher suite Note: Events that may trigger a notification include, but are not limited to, a change in Root CA providers or disabling a feature or supported algorithm. ServiceNow will no longer provide advance copies of our SSL certificate to customers. Customers should trust the Root Certificate provided by our certificate vendor, Entrust.A small number of users may be affected by the change to a new certificate and rotation process. ServiceNow is making every effort to identify and work with customers who have been affected by this type of change in the past. We will continue to provide information and tools to assist with this transition. Determining if your instance is affected by this change All customers utilizing the ServiceNow web application use the new SSL certificate, but for the most part, this is a transparent change. The only customers likely to require manual intervention are those who have integrations, caching or proxy servers that use a hard-coded ServiceNow SSL certificate. Some inbound integrations (services connecting to your ServiceNow instance) may have the current SSL certificate hard-coded. You can view integrations that may be affected in our documentation: Integration with third-party applications and data sources. Contact the service owner of any integration that connects to your ServiceNow instance to verify that it will properly handle the SSL certificate change.If you access your ServiceNow instance using a URL similar to https://<instance-name>.service-now.com/, you are likely not affected. If you access your ServiceNow instance by a different URL, you most likely access the instance through a proxy. Please contact your IT department or network administrator to verify that the proxy can handle the SSL certificate change properly. Normal web browsers like Internet Explorer, Firefox, Chrome, or Safari are not affected. Preparing for SSL certificate upgrade Use updated web browsers and maintain software patch levels.Read the information provided by ServiceNow and communicate this change to any members of your organization who could be affected.ServiceNow recommends not hardcoding the ServiceNow certificate. Hardcoded certificates will likely cause interrupted access during a certificate change. Receiving Notifications About Changes to the Root CA ServiceNow uses Entrust as our 3rd party Certificate Authority (CA). The *.service-now.com SHA-2 SSL certificate is anchored to the Entrust G2 Root that expires December 7, 2030. Entrust has indicated that there are no planned changes to the root hierarchy and if one does occur, ample notice will be provided before any changes are made that could impact the validity of the Root CA. Obtaining Help for SSL Certificate Changes If you believe there is a problem with the SSL certificate change, please contact ServiceNow Technical Support. SSL Certificates If you have determined that your instance is impacted by the SSL certificate change, use this certificate information to resolve any issues. Root CA certificate post-October 2015 Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2 Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G Root Certificate Authority - Entrust Root Certification Authority - G2 Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2Validity Not Before: Jul 7 17:25:54 2009 GMT Not After : Dec 7 17:55:54 2030 GMTSerial Number: 1246989352 (0x4a538c28)SHA1 Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4 Link to ZIP FILE: star.service-now.com.crt MARCH2024.zip Leaf Certificate: -----BEGIN CERTIFICATE-----MIIGsjCCBZqgAwIBAgIQQmV1poxvFkz/U/wftrBd2jANBgkqhkiG9w0BAQsFADCBujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0yNDAxMjMyMzUwMTFaFw0yNDExMTIyMzUwMTBaMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlTYW4gRGllZ28xGTAXBgNVBAoTEFNlcnZpY2VOb3csIEluYy4xGjAYBgNVBAMMESouc2VydmljZS1ub3cuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx8DJUw7FSGBE/uKQRLRDoUDhOfRXKugGXG8VJUCDNsAZOWmr2zN12yoBtw3eOWe7rwqcikR9dEVk0sLw0dGd/240+DwLw7X0HhnulnxOCrkixaLJ2ATThVdqQJV7GVSyYccHTJ0XheN3bvyX0Hk06txMkFC8j49WfJYkNezChuM2ZCMnRNpaBgsC5VEPbXUWDXfb2H7JfEg3kRqMW0jIyYgjPujSfLUXE+3AXcBYPRE6PhwvNPvUsmvYQVnQM7/2nidWqTmWFyWFEQ++8DQkK81wr4M9c0AuzpKUJ1Lm292ELJ0dpKlOBa6DcCVNQqxUA6VMAUZe5lXOl24e1CjtxwIDAQABo4IC/jCCAvowDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUACzAf6PWobGGrKA6rfxZ6+RDLpUwHwYDVR0jBBgwFoAUgqJwdN28Uz/Pe9T3zX+nYMYKTL8waAYIKwYBBQUHAQEEXDBaMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAzBggrBgEFBQcwAoYnaHR0cDovL2FpYS5lbnRydXN0Lm5ldC9sMWstY2hhaW4yNTYuY2VyMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwxay5jcmwwRwYDVR0RBEAwPoIRKi5zZXJ2aWNlLW5vdy5jb22CD3NlcnZpY2Utbm93LmNvbYIYKi5zdGF0aWMuc2VydmljZS1ub3cuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEwYDVR0gBAwwCjAIBgZngQwBAgIwggF8BgorBgEEAdZ5AgQCBIIBbASCAWgBZgB1AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABjTi7QCYAAAQDAEYwRAIgLC3eAzhnM1GrFAOFou1m+2ePL44AnCu6rD+k3vPmD9gCIDIGzKF0sKq926/VYJJeHnnHP+qJPt6IUMF1nz7q7ei8AHYAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAGNOLtAOQAABAMARzBFAiAN3x8Fc4KKcHqqln1VHcUJfrmAnlIMaB9JOZ8kxHgsuAIhAL9lR1PdI0/1FWdO/gDDexiQr61KrEuvm/sT8frGtrY7AHUA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGNOLtATwAABAMARjBEAiBQ652jLev+J7Q7AeS4LkwMNDgmPdp9ZXP1oq0rnBBDGwIgc0HKK4khgw1X8OXjXB0a44mmlx8WPkK6VDqXSZWahREwDQYJKoZIhvcNAQELBQADggEBAEhAiRnofZNwwZJi61wxpJfFN7TyribLeVmwcWXKL/Q1oBz7sohx9pCbWrGh1wWEQN9vU8w/NoflvToN29UuFugWeeQMJKcITZIPxtwIpgQU0D2ZyAEqicRrWDp5aBQmFaPZP/FCFr/ijukY7Czvwo3aE+V4cR20RQ3Inlz46dr4rGwjHTPj0DG62ZmHJwhKdnPBl42UF1bsWAE7LjAqnjjsYODU3c895Cg2OzwxF7AT+N/8ZXykYJqezflfmVsdzs0paMwUw0R5nuVbycYxkAQIV6d85lkgF2xVUykjAJhwzSCSSnypy81rgb6zuqMD3k7GCYp88P38ebJjXF6ReB0=-----END CERTIFICATE----- Note that the *.service-now.com SSL certificate and associated Entrust chain certificates are subject to change and not provided here. If you need more information, please contact ServiceNow Technical Support. Related KBs: How to determine where your data center is hosted? - KB0538621