
ServiceNow Certificate Lifecycle Management with Keyfactor


ServiceNow certificate lifecycle management can be a complicated process that leads to severe problems if it is not done effectively.

Ryan Sanders, Senior Product Marketing Manager, and Wael Altaqi, Senior Solutions Engineer, recently discussed how to simplify this process by integrating Keyfactor Command with ServiceNow.


Struggles with Certificate Management

The volume of keys and certificates is expanding every day. Anyone and everyone in the business today needs a certificate, from developers to cloud architects. However, almost no one really knows how to request or handle certificates properly.

Struggle 1: Limited Resources

Meanwhile, small service teams, sometimes just one PKI admin, are responsible for fulfilling all requests. Just getting the app and system admins to fill out all the right details and the certificate request is a time-consuming process. And of course, every certificate needs to be renewed and redeployed to all the right locations.

Weak certificate management leads to expired certificates, which result in frequent outages and costly downtime. And when the hammer drops, it is usually the PKI admins or the security team that takes the heat.

Struggle 2: Lack of Visibility

But there is more to this. The lack of certificate visibility leads to countless hours of finding the certificate that caused the problem, renewing it, replacing it, and then getting the impacted services back online.

There is often a disconnect between the thousands of users and applications that require certificates and the security team. While users just want a certificate, the security team needs to ensure that every one of those certificates is trusted, compliant, and valid.

Struggle 3: Lack of Oversight

The situation is only getting worse as more applications and services require certificates to authenticate and run. Shadow IT practices spawn as teams spin up ad hoc Certificate Authorities (CAs) and start issuing certificates without any security team oversight. Simultaneously, publicly-issued TLS certificate lifespans have been cut in half, which effectively doubles the workload for anyone responsible for managing those certificates manually.

Security teams have lost visibility and control over the certificates they need to manage. They are more focused on putting out fires than on driving value for the business.

At this point, the question becomes, “How do I get control of these certificates, be more efficient and then get ahead of these outages?”

Enter ServiceNow and Keyfactor.

Where ServiceNow Fits In

ServiceNow ITSM is a powerful platform that creates a similar experience for all users. The ServiceNow interface and service catalogue allow users to handle service requests, access instant reporting, create ticketing workflows, and implement change control.

Suppose you are already delivering most of your IT services through ServiceNow. By integrating with Keyfactor, you can leverage the same ServiceNow interface to handle certificate request and approval workflows.


Keyfactor + ServiceNow: Automation and Simplicity

ServiceNow makes it easy for users to request the required certificates, but the rest of the certificate management process is often manual. And that’s where things fall off the rails – when users generate certificates, but they don’t install them correctly or don’t renew them before they expire.

From this standpoint, it is a natural fit to integrate Keyfactor with ServiceNow. This integration brings many benefits for both the app and system owners and the PKI admins:

  • Simple, repeatable process for a certificate request
  • Process standardization to avoid duplicate and resource-intensive manual workflows
  • Maintain control over corporate certificates
  • Automate certificate deployment to workloads and apps
  • Automate incident reporting and certificate renewal

Application and system owners can obtain certificates using a simple, repeatable, and familiar workflow within ServiceNow. Then the PKI admins can maintain the control they need over the back-end policy and approval processes.

Both teams can benefit from the automation that Keyfactor provides in the back end for the issuance, renewal, and deployment of those certificates to the endpoints. Businesses can standardize processes through ServiceNow while still using Keyfactor for visibility and governance.

How We Integrate

Let us examine two use cases: certificate request and certificate expiration.

Certificate Request

App owners are not digital certificate experts. All they want is a certificate to get their app up and running. Typically, the certificate request process starts with a request in ServiceNow.

However, after the approval occurs, someone still has to create the CSR and upload it through the CA. Then they have to provision the certificate, pick up the certificate, upload it to the device, or test it on the application.

This process could take days in some organizations.

By integrating Keyfactor Command and ServiceNow, the certificate request process is expedited and simplified, as described in the diagram below.

[Diagram: ServiceNow certificate lifecycle management, certificate request workflow]

App owners submit their certificate requests through ServiceNow. Someone from higher up the stack approves the request, and once the request is approved, the API notifies Keyfactor Command. Keyfactor provisions the certificate accordingly from a public CA, private CA, or hosted PKI.

Keyfactor takes on the ownership of deploying the certificate to the end device, application, or workload.

By integrating Keyfactor and ServiceNow, we allow the app owner to self-serve and remove unnecessary overhead while the InfoSec team maintains visibility for the certificates. They can have full certificate inventory and management from a central location and review how many certificates are provisioned within the enterprise.

Hence, we are ensuring that the certificate management process is compliant with the business and technical policies and practices.

Certificate Expiration

There is also the need to provision alerts that notify the business and app owners when a certificate is about to expire. The impact of unnoticed certificate expiration has increasingly made the news headlines during the past years. And frequently, security teams are not able to respond swiftly. It sometimes takes up to 12 hours to recover a certificate.

Why? Because someone does not have the private key, does not know how to renew it, or doesn’t know how many certificates they have.

By integrating Keyfactor Command with ServiceNow, the notification and renewal process for a certificate that is about to expire is simplified and automated, as shown in the diagram below.

[Diagram: ServiceNow certificate lifecycle management, certificate expiration workflow]

Keyfactor takes on the ownership of notifying the app owner and the business owners ahead of time that a certificate is about to expire. Based on the early warning notification, certificate owners can renew that certificate and seek approval so that the new certificate deploys ahead of time. This notification prevents any unpleasant outages.

ServiceNow’s integration with Keyfactor Command provides flexible, simplified, and automated certificate management processes. The integration eliminates unnecessary back and forth between certificate owners and admins. In the end, together they provide a robust solution for ServiceNow certificate lifecycle management.

To learn more about how the two platforms collaborate and watch a live demo, see this webinar.