Self-Service Certificate Automation: Keyfactor & ServiceNow


Across today’s IT landscape, every team needs constant access to IT services and infrastructure to move fast without disruption. This has created a pressing need to effectively manage all of the components that make up an organization’s technology backbone. That’s where ITSM solutions come in.

ITSM (short for IT service management) involves everything from service requests and change management to fixing IT incidents when they arise – basically any IT service that an enterprise delivers to its end-users and customers.

ServiceNow is a leading ITSM solution built to deliver these services from a single platform – providing a reliable process for requesting assets and a workflow engine to approve and process those requests.

Among the most critical assets that an enterprise must manage are the SSL/TLS certificates used to secure connections and protect sensitive data. DevOps and IT operations need fast access to certificates for their day-to-day operations, but PKI and security teams often struggle to keep pace with requests. Even more challenging is the task of keeping track of certificates (i.e. owner, location, expiry, algorithm, etc.) and renewing them before they expire.

The old-fashioned management by spreadsheet (still widely used today) just isn’t effective, particularly in today’s multi-cloud and container environments where certificate requests reach into the thousands. ServiceNow is ideally suited to build processes and workflows for this large volume of certificate requests, but organizations still need a way to effectively manage certificates throughout their lifecycle.

Keyfactor + ServiceNow

Enter Keyfactor Command. The platform enables enterprises to discover, monitor and automate the lifecycle of keys and certificates across their environment, from request intake to issuance, deployment, revocation and renewal. But for organizations leveraging ServiceNow, it often makes more sense for end users to request certificates from the same application they use for all other IT-related workflows.

That’s why many of our customers integrate Keyfactor Command with their ServiceNow platform – providing users with simple self-service workflows to perform certificate-related tasks such as requests, revocation and renewal right from the ServiceNow interface.

Our API-first architecture makes it easy to extend the functionality of Keyfactor Command to the ServiceNow API framework. Because ServiceNow has the ability to embed external REST API calls into any workflow, Keyfactor can allow authenticated access to its robust API library. The platform also leverages certificate lifecycle event handlers to trigger workflows within ServiceNow based on changes in certificate status (e.g. pending expiration).

Below are two common certificate management processes made simple by integrating the Keyfactor certificate lifecycle automation engine with the ServiceNow ITSM platform.

Certificate Requests

The most common task in certificate management is the request, approval, issuance and delivery of certificates to users or applications. These certificates could be issued from a public certificate authority (CA), bound to a website for SSL authentication, or from an internal CA, and used for server authentication on the internal network. In either case, organizations need to facilitate the ability for: (1) users to request a certificate, (2) authorized users to approve the request, (3) the certificate to be issued, and (4) the certificate to be delivered and deployed.

Here’s how it works with Keyfactor + ServiceNow:

  • Request: ServiceNow enables users to build highly customizable request forms to request a certificate. This could include the certificate signing request (CSR) that a user creates and pastes directly into the form, or perhaps enough information is entered directly into the form for Keyfactor to generate a certificate with public and private keys (referred to as a PFX request).
  • Approval: ServiceNow requests can be set up to trigger workflows for approval as well. A specific user or group will receive a pending approval in their queue and either reject or approve the request. However, if the request contains a CSR, how do they know what they’re approving? That’s where one of the many Keyfactor API calls can help. A ServiceNow workflow can include a task to call the Keyfactor API and retrieve the contents of the CSR, providing more detail for the approver.
  • Issuance: After approval, the ServiceNow workflow can call the appropriate Keyfactor API (CSR or PFX Enrollment) to issue the certificate from any internal or public CA configured in Keyfactor Command.
  • Delivery: There are several options for certificate delivery and deployment. The Keyfactor Enrollment API can return the public portion of the certificate to ServiceNow, which can then update the request for additional workflow processes. Keyfactor can also completely automate the deployment and binding of certificates to certificate stores on network endpoints like IIS, F5, Citrix ADC, Java Keystore, and more. For PFX enrollment, a download link can be sent via email to enable the user to securely retrieve the certificate and private key.
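
The approval step above turns on showing the approver what a pasted CSR actually asks for. As an added example (not Keyfactor or ServiceNow code), the script below does the same inspection locally with the `openssl` CLI in place of the Keyfactor API call; the function names, the host name and the policy thresholds are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Keyfactor or ServiceNow code): CSR review with the openssl CLI.

# Constructed sample: throwaway CSR for a made-up host; the key is deleted.
make_sample_csr() {  # args: out-file, RSA bits, SAN list
  openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" \
    -subj "/CN=app.example.internal" -addext "subjectAltName=$3" \
    -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Print the fields an approver needs to see before approving.
csr_summary() {  # args: csr-file
  local text
  text=$(openssl req -in "$1" -noout -text -nameopt RFC2253 2>/dev/null) || return 2
  printf 'subject: %s\n' "$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p')"
  printf 'key_alg: %s\n' "$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p')"
  printf 'key_bits: %s\n' "$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
  printf 'sans: %s\n' "$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')"
}

# Exit 0 only if the CSR is self-consistent and within policy; print each finding.
csr_policy_check() {  # args: csr-file, [minimum RSA bits, assumed default 2048]
  local min="${2:-2048}" s alg bits sans rc=0
  s=$(csr_summary "$1") || { echo "FAIL: not a parsable CSR"; return 1; }
  # The self-signature shows the requester holds the matching private key.
  # Match on the message text: older openssl builds exit 0 even on failure.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' \
    || { echo "FAIL: CSR signature does not verify"; rc=1; }
  alg=$(printf '%s\n' "$s" | sed -n 's/^key_alg: //p')
  bits=$(printf '%s\n' "$s" | sed -n 's/^key_bits: //p')
  sans=$(printf '%s\n' "$s" | sed -n 's/^sans: //p')
  # The bit-length floor applies to RSA only; EC sizes are not comparable.
  if [ "$alg" = rsaEncryption ] && [ "${bits:-0}" -lt "$min" ]; then
    echo "FAIL: RSA key is ${bits:-unknown} bits, policy minimum is $min"; rc=1
  fi
  [ -n "$sans" ] || { echo "FAIL: no subjectAltName requested"; rc=1; }
  case "$sans" in *'DNS:*'*) echo "REVIEW: wildcard name requested: $sans"; rc=1 ;; esac
  return "$rc"
}

# Demo on a constructed CSR.
tmp=$(mktemp -d)
make_sample_csr "$tmp/ok.csr" 2048 "DNS:app.example.internal"
csr_summary "$tmp/ok.csr"
csr_policy_check "$tmp/ok.csr" && echo "PASS"
```

Attaching the `csr_summary` output to the approval task gives the approver the requested names and key parameters instead of an opaque PEM blob; anything `csr_policy_check` flags can be routed to manual review rather than issued.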

Certificate Renewal

Every certificate expires. To stay ahead of outages, organizations need to eliminate manual, error-prone processes and automate the renewal of certificates across their environment.

Here’s how Keyfactor + ServiceNow make it simple:

  • Alert: Using Keyfactor’s Event Handlers, alerts can be configured to notify certificate owners via email when a certificate is about to expire. These alerts can also automatically trigger a new incident or request in ServiceNow, routing it to the responsible person or group.
  • Approval: The ServiceNow workflow can include an approval step, if necessary, so the approver can determine if the certificate needs to be renewed, or if the application or device using the certificate is no longer in operation, and the request can be rejected (allowing the cert to expire).
  • Renewal: After approval, ServiceNow calls into the Keyfactor API to renew the certificate automatically.
  • Optional: Additional alerts can also be configured in the Keyfactor platform to notify others if the certificate has not been renewed after the initial alert.

Why Keyfactor + ServiceNow

To protect sensitive data and securely connect the devices, machines and applications across their infrastructure, enterprises increasingly depend on digital certificates. In today’s dynamic, multi-cloud environments, where IT resources are now provisioned at blinding speed, it is more critical than ever to have a quick and reliable process to manage certificates at scale.

Keyfactor and ServiceNow provide the tools to enable users with fast, self-service access to certificates when they need them, while ensuring that every certificate is trusted, compliant and up to date.