Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Debugging Mutual Authentication - Support and Troubleshooting
  • >
  • Knowledge Base
  • >
  • Support and Troubleshooting (Knowledge Base)
  • >
  • Debugging Mutual Authentication
KB0696599

Debugging Mutual Authentication


6946 Views Last updated : Apr 6, 2023 public Copy Permalink
KB Summary by Now Assist

Issue

Mutual Authentication Debugging


Please follow these steps when debugging Mutual Authentication:

  1. Validate protocol profile is setup correctly, e.g "myhttps" and port is "443"
  2. Convert the given format of the keystore to p12.
    • From pfx to p12:
      • keytool -importkeystore -destkeystore newCustomer.p12 -deststoretype pkcs12 -srckeystore "name.pfx"
  3. Extract public cert from this P12:
    • keytool -export -alias "<alias_from_p12>" -keystore newCustomer.p12 -rfc -file publicCert.cert
  4. Extract private key from this P12:
    • openssl pkcs12 -in newCustomer.p12 -nodes -nocerts -out private.pem # alterantively run this to see full output, if no "-----BEGIN PRIVATE KEY" line is seen then the private key is missing and the customer needs to regenerate a new key pair following our documentation:  openssl pkcs12 -info -in newCustomer.p12 -nodes -nocerts
  5. Try connecting via OPENSSL:
    • openssl s_client -connect <Destination_IP>:<PORT> -msg
  6. Use the Private key and validate if OPENSSL is working correctly:
    • openssl s_client -showcerts -connect <Destination_IP>:<Port> -key private.pem
  7.  Leverage Public and Private keys via Curl to validate if the 3rd party is configured correctly:
    • curl <API_Point>:<port> -v -H "Content-Type:application/json" -d --key private.pem:<password>

Before continuing, make sure steps 6 and 7 have a satisfactory result. If any of the previous steps fail, it means the configuration at the 3rd party is not correct and there is no need to debug at ServiceNow yet. Once this is working, start configuring ServiceNow for Mutual Auth:

  1. Add Target's public certificate as a trusted cert in the given keystore and attach it to the protocol profile in ServiceNow.
When running the test on a REST method and it shows https:// instead of the custom protocol name (which should be <8 characters and lower alphabetic letters only), ensure that the end point on the REST outbound message uses the custom protocol and has mutual authentication checked. At least in Quebec it seems to be taking the custom protocol from the message, rather than the method. If you get unexplained errors with connection refusal, set the mutual authentication checkbox on the message only, not the method.

Additional information


Mutual Authentication - Overview
Steps to set up Mutual Authentication: Keys

The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.