Mutual Authentication Profile with an error does not overwrite the last working ProfileDescription When creating Outbound REST or SOAP messages, if the assigned Mutual Authentication Profile is not valid, it is not used. Instead the last working configuration is used. Steps to Reproduce To reproduce the problem please: Create an Outbound REST/SOAP Message with Mutual AuthenticationAssociate a working Protocol Profile, called for example working_profile, and then test if it worksAssociate a not working Protocol Profile, called for example wrong_profile, and testing you observe:*** ERROR *** Exception while registering protocol: wrong_profile Error: Cannot recover key *** ERROR *** REST Msg Outbound - RESTMessageClient : Error executing REST request: unsupported protocol: 'wrong_profile' This is because it is using the working_profile instead. Workaround To resolve the issue, fix the Mutual authentication profile. Here is a list of the common fixes: Problem Solution The keystore fails and it is not loaded because the passwords for the Keystore and Private Key do not match. These must match. Make the Keystore and Private Key password match. The Mutual Authentication profile has been changed. Clear the cache, execute /cache.do The keystore is incorrectly created. Follow these steps: Needed from the 3rdParty application: The signed certificate for the ServiceNow instance. servercert.pemThe private key for point A. serverkey.pem Follow these steps: Create the JKS file for the ServiceNow instance: Create a PKCS 12 file using 1 and 2 openssl pkcs12 -export -in [path to certificate\servercert.pem] -inkey [path to private key\serverkey.pem] -certfile [path to certificate\servercert.pem] -out keystore.p12 - define a password for the p12 file. Create a Java Key Store (JKS) using keytool command: keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore javakeystore.jks -deststoretype JKS Obtain with the above the javakeystore.jks file. You can also change password of private key by doing: keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store] Or the alias of the private key by doing: keytool -changealias -keystore [path to key store] -alias [current alias] With javakeystore.jks keystore, upload it to the Certificates entry in the instance. 2. With this keystore, generate the Public Certificate by doing the following: keytool -export -alias snclient -keystore javakeystore.keystore -storepass abc123 -file publiccert.cer The third party should upload publiccert.cer to their truststore. Related Problem: PRB1057051