SSL/TLS encryption on instances 


Protecting the security and privacy of our customers is among our top priorities, so ServiceNow utilizes SSL/TLS to encrypt communications for all customer instances. In order to continue to provide best-in-class protection, we are upgrading our SSL/TLS encryption.
We are making this change because SSL certificates signed with the SHA1 algorithm have been known for some time to contain security weaknesses that could lead to the unintentional disclosure of sensitive information if compromised. An industry-wide effort (led by Google, Microsoft, and others) is forcing the timeframe for sun-setting the use of this older technology.
In addition to the technical change, ServiceNow is leveraging this opportunity to increase the frequency at which we rotate SSL certificates. A shorter lifespan for SSL certificates reduces our exposure window and also gives us greater flexibility to deal with unforeseen security issues. Since so many recent headlines have featured exposures in the SSL protocol and the surrounding technologies (Heartbleed, POODLE, root CA compromises, unauthorized disclosures), ServiceNow views this as a necessary step in order to stay ahead of current and future threats.
Please see the attached PDF for FAQs about SSL certificate changes.


Changes to SSL certificates
The following changes occur when we upgrade our SSL/TLS encryption:
  • The SSL certificate used by ServiceNow, https://*, was upgraded to a “SHA-2” certificate in October 2015. This change was phased in across datacenters. As a lead up to this change, ServiceNow provided an interim SHA-1 SSL certificate that expired in December 2015. The interim certificate gave customers additional time to plan for the transition.
  • ServiceNow will increase the cadence at which our SSL certificate is rotated (currently every 6 months), and will continue to provide 14-day notification of this activity. This is an industry best practice, enables ServiceNow to provide improved security for our customers, and allows us to react more quickly to the changing threat landscape. A routine change includes, but is not limited to, any change not materially affecting the technical nature or performance of the certificate. Examples are:
    • replacing the certificate with a new expiration date
    • revoking outdated certificates
    • adding a feature such as an additional server name or supported ciphersuite

    • Note: Events that may trigger a notification include, but are not limited to, a change in Root CA providers or disabling a feature or supported algorithm.


  • ServiceNow will no longer provide advance copies of our SSL certificate to customers. Customers should trust the Root Certificate provided by our certificate vendor, Entrust.

    A small number of users may be affected by the change to a new certificate and rotation process. ServiceNow is making every effort to identify and work with customers who have been affected by this type of change in the past. We will continue to provide information and tools to assist with this transition.
Determining if your instance is affected by this change
All customers utilizing the ServiceNow web application use the new SSL certificate, but for the most part, this is a transparent change.
The only customers likely to require manual intervention are those who have integrations, caching, or proxy servers that use a hard-coded ServiceNow SSL certificate.
  • Some inbound integrations (services connecting to your ServiceNow instance) may have the current SSL certificate hard-coded. You can view integrations that may be affected on the List of Available Integrations. Contact the service owner of any integration that connects to your ServiceNow instance to verify that it will properly handle the SSL certificate change.
  • If you access your ServiceNow instance using a URL similar to https://<instance>, you are likely not affected. If you access your ServiceNow instance by a different URL, you most likely access the instance through a proxy. Please contact your IT department or network administrator to verify that the proxy can handle the SSL certificate change properly.
Normal web browsers like Internet Explorer, Firefox, Chrome, or Safari are not affected.
Preparing for SSL certificate upgrade
  • Use updated web browsers and maintain software patch levels.
  • Read the information provided by ServiceNow and communicate this change to any members of your organization who could be affected.
  • Use the SHA-2 SSL certificate anchored to the G2 Root of Entrust, our third-party Certificate Authority. SSL certificate information and all parts of the SSL certificate chain (such as metadata names and spelling, subject alternative names, wildcards, and root CA providers and types) can change. ServiceNow recommends not hardcoding the ServiceNow certificate. Hardcoded certificates will likely cause interrupted access during a certificate change.
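The following is an added example, not ServiceNow code: a small Python audit that flags integrations whose stored fingerprint is anything other than the Entrust G2 root listed under SSL Certificates on this page, alongside the unpinned validation the guidance above recommends. The integration names, the non-root fingerprints and all function names are constructed for illustration.

```python
import hashlib
import re
import socket
import ssl

# SHA-1 fingerprint of "Entrust Root Certification Authority - G2" as listed on this page.
ENTRUST_G2_SHA1 = "8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4"

def normalize_fp(fp):
    """Reduce a fingerprint written with colons, spaces or mixed case to bare upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def der_sha1(der_bytes):
    """SHA-1 fingerprint of a DER-encoded certificate, in the colon format used on this page."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def classify_pin(pinned_fp):
    """Say whether a stored fingerprint survives a routine certificate rotation."""
    if not pinned_fp:
        return "no-pin"            # relies on normal chain validation
    if normalize_fp(pinned_fp) == normalize_fp(ENTRUST_G2_SHA1):
        return "root-anchored"     # pinned to the root CA; leaf rotation is transparent
    return "rotation-risk"         # pinned to a leaf or intermediate that can change

def audit(integrations):
    """Return the names of integrations whose pin will break on rotation."""
    return sorted(name for name, fp in integrations.items()
                  if classify_pin(fp) == "rotation-risk")

def connect_without_pin(host, port=443, timeout=10):
    """Recommended client behaviour: validate chain and hostname against the
    trust store rather than comparing to a stored copy of the certificate."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname are on by default
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

# Constructed inventory: integration name -> fingerprint found in its configuration.
SAMPLE = {
    "ldap-sync": "8cf427fd790c3ad166068de81e57efbb932272d4",   # the root, written in lower case
    "cmdb-import": "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD",  # constructed
    "web-proxy": "",                                           # no pin configured
    "sso-bridge": der_sha1(b"constructed-not-a-real-certificate"),
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

`connect_without_pin` needs network access and is not called by the audit; run it against your own instance hostname to confirm that the client's trust store already validates the chain.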
Receiving Notifications About Changes to the Root CA
ServiceNow uses Entrust as our third-party Certificate Authority (CA). The * SHA-2 SSL certificate is anchored to the Entrust G2 Root that expires December 7, 2030. Entrust has indicated that there are no planned changes to the root hierarchy and that, if one does occur, ample notice will be provided before any changes are made that could impact the validity of the Root CA.
Obtaining Help for SSL Certificate Changes
If you believe there is a problem with the SSL certificate change, please contact ServiceNow Customer Support.

SSL Certificates

If you have determined that your instance is impacted by the SSL certificate change, use this certificate information to resolve any issues.


Root CA certificate post-October 2015

Subject: C=US, O=Entrust, Inc., OU=See, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2

Issuer: C=US, O=Entrust, Inc., OU=See, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2


Root Certificate Authority - Entrust Root Certification Authority - G2

Subject: C=US, O=Entrust, Inc., OU=See, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2

Issuer: C=US, O=Entrust, Inc., OU=See, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2


  Not Before: Jul  7 17:25:54 2009 GMT

  Not After : Dec  7 17:55:54 2030 GMT

Serial Number: 1246989352 (0x4a538c28)

SHA1 Fingerprint=8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4



























Note that the * SSL certificate and associated Entrust chain certificates are subject to change and not provided here. If you need more information, please contact ServiceNow Technical Support.

Article Information

Last Updated: 2019-08-02 21:25:47
SSL_Certificate_Changes FAQ.pdf