Introduction
This procedure may be required if you are having problems connecting to your ServiceNow instance from Precision Bridge and you have checked all other possible causes.
This is the procedure for adding the ServiceNow SSL certificate to the Java Runtime Environment keystore on Windows 11. It first saves the certificate from the web browser, then imports it into the keystore that Java uses to validate SSL certificates.
The procedure may need to be repeated for the root certificate and any intermediate certificates to ensure that all certificates in the certificate chain exist in the Java Keystore.
Note: if you use a proxy server that uses SSL, you may also need to install the certificate for the proxy server. Contact your Network Administrator for details on how to obtain the certificate file (.cer). Once obtained, follow steps 8 and onwards below to install it onto the Java Keystore.
You will need Administrator permissions on the machine.
These steps assume:
- Java is installed in the default location (C:\Program Files\Java)
- The password to the certificate keystore has not been changed from the default (changeit)
Procedure Steps:
This description refers to MS Edge. Other browsers may have a slightly different procedure for exporting a certificate.
1. Open a web browser and navigate to the ServiceNow login screen.
2. Click the padlock next to the URL and select 'Connection is Secure'.
3. Click the certificate icon.
4. In the certificate properties window that is shown, on the Details tab, the certificate chain will be shown. There will be a hierarchy of at least 2 certificates. The example below shows a hierarchy of 3.
5. Select the ServiceNow certificate (lowest in the hierarchy) and click 'Export'.
6. You will be presented with a file browser. Navigate to a suitable folder to save the exported certificate to (C:\Temp in this example). Select the DER encoded binary (single certificate) option.
7. Click 'Save' to copy the certificate to this location.
8. Open a command prompt as an Administrator user (right-click Command Prompt in the menu and select 'Run as Administrator'). You will be prompted to give administrator permission for this action.
9. Identify the version of Java you are using by running the command:
java -version
10. In Windows Explorer, locate the file C:\Program Files\Java\jdk18.0.2\lib\security\cacerts. Note that this path assumes Java 18.0.2. If you identified a different Java version in step 9, use that version in the path instead.
If you're not sure where your version of Java is installed, you can check by opening the Java console from the start menu (Programs -> Java -> Configure Java). On the Java tab of the dialogue, click 'View' and the install locations of all Java versions can be found. The cacerts file should be in the 'lib\security' folder.
11. Make a copy of the cacerts file as a backup, named cacerts_backup. In the unlikely event that the cacerts file gets corrupted, you can then revert to this backup.
12. In the command window, move to the bin folder for this Java version. For example, if the Java version is 18.0.2 the command would be:
cd C:\Program Files\Java\jdk18.0.2\bin
13. Run the following command to add the certificate you saved in step 7 to the Java keystore. The password changeit is the default. If this does not work, you will need to obtain the password from your IT support team.
keytool -import -noprompt -trustcacerts -alias "<alias>" -file "<path to exported certificate>" -cacerts -storepass changeit
- Replace <alias> with a user friendly alias for the certificate. This must be unique in the certificate keystore. For example, 'ServiceNow-Prod'
- Replace <path to exported certificate> with the path to the exported certificate file (you must include the file extension). For example, C:\Temp\_.service-now.der
You should see a message indicating the certificate was imported.
Verification
You can confirm the certificate was added as follows:
1. Run the command below:
keytool -list -v -cacerts -storepass changeit > java_cacerts.txt
If you are prompted for a password, use changeit (unless this has been configured differently on your machine)
2. The above command will write a file java_cacerts.txt into the C:\Program Files\Java\jdk18.0.2\bin folder. Open this file, and at the bottom you should see an entry for the ServiceNow certificate. Search for the alias name in the file if you cannot find it.
3. Reopen Precision Bridge and test the connection again.
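The import and verification steps above, collected into one PowerShell script that also compares the exported file's SHA-256 fingerprint with a value you supply before trusting it, since -noprompt skips keytool's own confirmation prompt. This is an added example, not part of the original article: the script, its parameter names and the expected-fingerprint input are assumptions, and the defaults are the article's (Java path and the changeit password).

```powershell
# Added example. Run from an elevated PowerShell window.
param(
    [Parameter(Mandatory)] [string] $CertPath,        # e.g. C:\Temp\_.service-now.der
    [Parameter(Mandatory)] [string] $Alias,           # e.g. ServiceNow-Prod
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint obtained from a source you trust
    [string] $JavaHome  = 'C:\Program Files\Java\jdk18.0.2',   # the article's assumed path
    [string] $StorePass = 'changeit'                            # the article's assumed default
)
$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $JavaHome 'bin\keytool.exe'
$cacerts  = Join-Path $JavaHome 'lib\security\cacerts'
$CertPath = (Resolve-Path $CertPath).Path

# Show what is about to be trusted.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# For a DER-encoded file, the SHA-256 of the file bytes is the certificate fingerprint.
$actual   = (Get-FileHash -Path $CertPath -Algorithm SHA256).Hash
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($actual -ne $expected) { throw "Fingerprint mismatch: file has $actual" }

# Step 11: keep a backup, but never overwrite an earlier one.
$backup = "${cacerts}_backup"
if (-not (Test-Path $backup)) { Copy-Item $cacerts $backup }

# The alias must be unique; keytool -list exits non-zero when the alias is absent.
& $keytool -list -cacerts -alias $Alias -storepass $StorePass | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in cacerts" }

# Step 13, then the verification step narrowed to the single alias.
& $keytool -import -noprompt -trustcacerts -alias $Alias -file $CertPath -cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
& $keytool -list -cacerts -alias $Alias -storepass $StorePass
```

The final command prints the stored entry's fingerprint, which should match the value passed in as ExpectedSha256.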
Adding Additional Certificates to complete the chain
In most cases, just the final, ServiceNow certificate is needed. The Root and any Intermediate certificates are often already present in the Java keystore if they are from well known certificate authorities.
However, if you continue to get the same error after importing the ServiceNow certificate, you should repeat the above procedure to import both the root certificate and any intermediate ones. Remember to use a unique alias for each certificate you import. All certificates in the hierarchy need to be present in the Java keystore for SSL certificate validation to succeed.