Mutual authentication establishes trust by exchanging Secure Sockets Layer (SSL) certificates.

Before connecting to a server, the client requests an SSL certificate. The server responds by requesting that the client send its own certificate. Both respond by validating the certificates and sending acknowledgments before initiating an HTTPS connection.


This article outlines the steps required to set up mutual authentication.

Note that this feature only enables mutual authentication on outbound HTTPS connections.



The following steps set up mutual authentication:

A) Creating the Key Store 
1. Generate a new keystore and key pair.
2. Generate a CSR (Certificate Signing Request) for the existing Java keystore. Use your own domain for this certificate request. 
3. Import a root or intermediate certificate authority (CA) certificate to an existing Java keystore.
4. Import the signed primary certificate to the Java keystore. 
- The CA may provide specific instructions about what to include in the keystore.
- Keep a record of your keystore password and certificate alias.
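
The four keystore steps in section A, sketched with the JDK keytool utility. This is an added example, not part of the original article or ServiceNow's own instructions. The file name, alias, distinguished name, key size, validity and the JKS store type are assumptions; follow your CA's instructions where they differ.

```shell
#!/bin/sh
# Added example: keytool calls for steps A.1 to A.4. All values are placeholders.
KEYTOOL="${KEYTOOL:-keytool}"          # JDK keytool binary
KS="${KS:-client-keystore.jks}"        # keystore file to attach in section B
KEY_ALIAS="${KEY_ALIAS:-mutualauth}"   # certificate alias to keep on record
DNAME="${DNAME:-CN=instance.example.com, O=Example Org, C=US}"  # use your own domain

# No -storepass option is passed: keytool prompts for the password, which
# keeps it out of shell history and the process list.

# A.1: new keystore and key pair (JKS assumed to match "Java Key Store")
gen_keypair() {
    "$KEYTOOL" -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
        -dname "$DNAME" -validity 365 -storetype JKS -keystore "$KS"
}

# A.2: CSR for the key pair created in A.1
gen_csr() {
    "$KEYTOOL" -certreq -alias "$KEY_ALIAS" -file "$KEY_ALIAS.csr" -keystore "$KS"
}

# A.3: import a CA root or intermediate certificate ($1 = alias, $2 = file)
import_ca() {
    "$KEYTOOL" -importcert -trustcacerts -alias "$1" -file "$2" -keystore "$KS"
}

# A.4: import the signed certificate ($1 = file). It must use the same alias
# as the key pair so keytool attaches it to the private key entry.
import_signed() {
    "$KEYTOOL" -importcert -alias "$KEY_ALIAS" -file "$1" -keystore "$KS"
}

# Check the result: expect "Entry type: PrivateKeyEntry" and a chain that
# ends at the CA certificate imported in A.3.
verify_keystore() {
    "$KEYTOOL" -list -v -alias "$KEY_ALIAS" -keystore "$KS"
}

# Run one step at a time, e.g.: sh keystore.sh import_ca root ca.crt
case "${1:-}" in
    gen_keypair|gen_csr|import_ca|import_signed|verify_keystore) "$@" ;;
esac
```

Import the CA certificates before the signed certificate; otherwise keytool cannot build the chain for the reply in A.4.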

B) Setting up the Key Store record in ServiceNow. 
Role required: admin 
1. On the System Definition > Certificates page, click New and set the following fields: 
- Enter a Name.
- Set Type = Java Key Store. 
- Set the key store as Active. 
- Provide a Key store password (the one used to create the keystore). 
2. Attach the keystore file to the record. 
3. Click Submit to create the Java Key Store entry. 

C) Specifying a Trusted Server Certificate (this is your 3rd party certificate). 
Role required: admin 

1. Navigate to System Definition > Certificates. 
2. Click New and provide: 
- A name for the record.
- Set the Type field to be "Trust Store Cert". 
- If the certificate provided by the 3rd party is in PEM format, set the Format field to PEM and paste the PEM string into the PEM Certificate field on the record. 
- If the certificate provided by the 3rd party is in DER format, set the Format field to DER and just attach the certificate file to the record. 
3. Click Submit.

D) Create a protocol profile 
Role required: admin 

1. Navigate to System Security > Protocol Profiles. 
2. Click New. 
- Enter a unique name to identify this protocol, such as myhttps (this name cannot be http).
- Enter the protocol communication port (443 for SSL).
- Select the Keystore Record created in B) above.
3. Save the record. 

E) Enable mutual authentication 
Role required: web_service_admin or admin 

1. Navigate to System Web Services > SOAP Message or System Web Services > REST Message. 
2. Select a message record. 
3. Select the Use mutual authentication check box. 
4. In the Protocol profile field, select a protocol profile configured in D) above for mutual authentication.
5. Click Update.

Test your web service. Mutual authentication should allow the web service to complete the call.

Applicable Versions

Helsinki, Jakarta, Kingston

Additional Information


Documents used to outline solution:
Setting up mutual authentication
Outbound web services mutual authentication
Create a protocol profile
Enable mutual authentication
Blog that explains the concepts. Detailed steps do not apply to ServiceNow releases Helsinki, Jakarta, and Kingston.

Article Information

Last Updated: 2019-05-21 11:53:00