TechTalk - Discover and manage TLS certificates in ServiceNow
Hello everyone, and thank you for joining us today for our June series TechTalk, "Ensuring Resilient IT Operations." Today we're going to be covering one of our latest capabilities within the IT Operations Management Visibility SKU, and that is TLS certificate management. My name is Robin Cincinnati and I'm a solution architect within the IT Transformation organization here at ServiceNow. Today we're going to be covering the following: what is a TLS certificate, our TLS certificate management capabilities, a live demonstration, and some additional collateral to leave you with. But before we begin, I need to present the safe harbor notice, as forward-looking statements may be made within this presentation and should not be solely used in decision making.

So let's begin with what is a TLS or SSL certificate. Well, SSL is actually the older terminology, but we're still talking about the same thing when we talk TLS, the newer terminology, which is Transport Layer Security. It puts the S in HTTPS. These certificates provide data privacy and ensure data integrity, and they help online customers to positively identify and trust websites. So why are we so concerned about these certificates? There are significant business problems that can occur when using TLS certs. These certificates have an expiration, so it isn't a set-it-and-forget-it type of item; these certificates need to be managed. Not having visibility into their expirations can lead to service outages. In the case of Microsoft Teams recently, affecting 20 million active users, Teams was actually down for seven hours as a result of an expired certificate. Expired certificates can also become a security nightmare, as in the case of the Equifax breach a few years ago, when unencrypted PII data was extracted out of its intended environment. It caused a massive data breach spanning over 19 months.

So we should ask ourselves: isn't it important to have visibility into what certs might be expiring within the next 30, 60 or 90 days? Isn't it important to know whether or not certificates are self-signed or signed by a certificate authority? Isn't it important to know who owns and pays for these certificates? These tasks might seem easy if you're only dealing with a handful of certificates, but as the numbers grow from 10 to 100 to thousands of certificates, manual administration of these certificates isn't effective and the risk of exposure increases significantly. So in order to address these challenges, ServiceNow has created new workflows for the PKI, or public key infrastructure, team to provide lifecycle operations around these certificates. The benefits include blind spot detection of expiring certs, insight into certificate inventory, ITOM/ITSM workflows in the form of certificate request fulfillment and certificate renewal tasks, and full impact analysis, or full stack visibility, into what certificates are affecting what services.

So let's look at this in more detail. We start with providing crucial visibility of certificates. From within the ITOM Visibility SKU we're able to discover certs via port, URL and certificate authority, and I'll be providing more detail around this shortly within our demonstration. We're also providing out-of-the-box workflows for request fulfillment and renewals. In addition, TLS cert management includes a PKI team workspace to be able to visualize the renewal pipeline and provide insights into what might be affected when certain certificates expire. Lastly, automated incident creation is available for expired certificates. TLS certificate management is available within the ITOM Visibility SKU starting with our Orlando release; the Certificate Inventory Management is a Store release and can be downloaded from the same.

But before we dive into the demo portion of the session, I'd like to spend a few more minutes reviewing the capabilities within the solution in more detail. First, let's talk about the discovery of certificates. We can gather the certs from a certificate authority; today we support GoDaddy and DigiCert out of the box, and next up will be Sectigo and Entrust. We can discover certs via a URL provided, and I'll demonstrate how that can be done during the demo portion of the session. Discovery of certs can also be done via IP or port based discovery, as we utilize the Shazam probe to accomplish this; typical ports we look for out of the box are those listed on the right hand side of the slide. Secondly, from a request management perspective, the Store app provides an out-of-the-box request workflow for new or renewed certificates. Third, the new capability provides both proactive and reactive measures in the form of task management to handle upcoming expirations, and automated incident creation as well that captures expired certificates for reactive actions.

Our customer Red Hat was an early adopter of TLS certificate management. If you didn't know, there was an issue with Let's Encrypt a few months back. Since Red Hat had full visibility using TLS cert management, they were able to quickly see that they had 47 sites using certs from Let's Encrypt. It only took a few seconds to run that report and provide information back to their infosec group for remediation.

Okay, let's dive into my Orlando instance to become a little more familiar with the cert management capabilities, so let me switch to my demonstration. Once the Discovery plug-in is activated and the Store app for TLS cert management is installed, you'll see within your ServiceNow instance a new section for Certificate Management here on the left hand side, which includes a Certificate Management dashboard for the PKI team, the certificate tasks that are created, discovery of URLs, which I will show you here shortly, and then we can also see the unique certificates and the installed certificate records.

So let's first start out with discovery, and let's talk about IP based discovery first. In order to turn on the certificate discovery within your normal operations of the Discovery process, you'll need to turn on this TLS/SSL cert support probe. When you get in there, you set it to active and update the record. Once we do that, the certificates will be discovered during your normal IP based or port based runs. For the example, I have an on-demand Discovery job that runs in my lab environment here at ServiceNow, and once I turn that TLS probe on, you can see my last Discovery status run, and we can see that using the Shazam probe it's capturing certificate chains.

Next I'd like to show you how you can use the URL based discovery. So let's take for example Spotify. Spotify is an HTTPS secure connection, and we can see here that they're using DigiCert. We can also see the valid to and from dates for this certificate, and we'll pull back all of these details as well; this is public facing information, right? So what we can do is come back here. The first thing we'll do is a source, so we're going to add a new source, put in the URL for Spotify and submit that. Once we do that, then we can go to our Discovery schedules, and I have a Discovery schedule already set up to do certificate discoveries for URL based. So once we come in here, we're going to go ahead and change the certificate URL that we're going to discover. There it is. Okay, so let me remove this one and let me put in Spotify, and we'll save that. Now we can go ahead and discover that URL, and it doesn't take very long: the discovery has started and the state is now completed. So now we've discovered that certificate.

Next I'd like to show you the request. When you install the application from the Store, you'll also now see in your service catalog another sub-category for Certificate Management, and you'll see that there are two new request items, Renew Certificate and Request New Certificate, that can be used directly out of the box.

Next I want to go back to our Certificate Management dashboard and review what information is here for the PKI team. First off, we can see upcoming expirations, so we have visibility into what's going to be expiring within the next 30, 60, 90 days. If there are certificates that are going to be expiring within the next 30 days, we set tasks to a priority one so that we can go ahead and work on those first thing. You also see that we have the number of open new request tasks that came from our catalog, as well as any open renewal tasks that need to happen. When we drill down into the priority one tasks, we'll notice that we have these cert tasks here, and if I drill into this one we'll be able to view this information. So we now see that this particular task has been assigned to the ITOM Rockstar support group and an approval was requested for this renewal. We can drill into the record even further here for this configuration item, and we can see that the state is installed, we can see the valid to and from dates, the serial number, fingerprint information, as well as the signature algorithm down here. More importantly, since we're talking about visibility, we're going to be able to take a look at what it's going to be impacting upstream. So this particular DigiCert certificate resides on this Linux server, which is associated to our application service Rewards Processing, so if we have an expired cert we have a risk here involved with our Rewards Processing service. We also see that we have an incident created because this particular cert was already expired, so we can go ahead and take a look at the incident that was created for this as well.

So let's go back to our dashboard and view the Certificate Inventory tab, and we can see here that we have 284 unique certificates. We can also see that we've discovered 117 new certificates within the last 30 days. And if you recall when I mentioned earlier about Red Hat's use case on being able to quickly identify what was using Let's Encrypt as the root issuer, we can see here that we can just quickly drill down into that issuer and find all of the particular sites that are using Let's Encrypt.

So let me go back to our presentation and let's recap what we just saw. First, I showed you how we can discover TLS certificates: my examples were IP or port based using the Shazam probe; we also demonstrated a URL discovery for the certificate; we can also get the information from your certificate authorities, again DigiCert and GoDaddy are out of the box today; and we can also upload certificate information from a file. I then showed you how we can digitize the workflow with the request fulfillments and the renewals within the service catalog, and also how we create those tasks to be able to prioritize and identify the certificates that need to be worked on quickly. Next, I demonstrated the PKI team workspace that gives you information about the tasks at hand, as well as what certificates may be up for renewal within the next few months. And lastly, we looked at incident creation for an expired TLS cert.

Here is some additional collateral that is available to you. As I mentioned earlier, this application is on our Store. We also have information in our Community; there's a blog out there for TLS certificate management. Our docs site has a full section around Certificate Inventory Management and how to set it up. We have a white paper in our Resource Center on TLS certificate management, and lastly we have a course within Now Learning for Certificate Inventory and Management Administration.
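The URL/port discovery and the dashboard rules the talk walks through (30/60/90-day buckets, priority one under 30 days, self-signed versus CA-signed, incident on an expired cert), as an added example in Python's standard library; this is not ServiceNow's code. `fetch_peer_cert` does the live pull; `assess_cert` derives the fields from the `getpeercert()` record, and the sample records, hostnames and `NOW` are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

EXPIRY_WINDOWS_DAYS = (30, 60, 90)   # the talk's "upcoming expirations" view

def fetch_peer_cert(host, port=443, timeout=5.0):
    # URL/port-based discovery: TLS handshake, then the peer cert as the
    # dict ssl.SSLSocket.getpeercert() returns (chain validated by default).
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_to_dict(rdn_sequence):
    # getpeercert() encodes names as ((('commonName', 'x'),), ...)
    return {k: v for rdn in rdn_sequence for (k, v) in rdn}

def assess_cert(cert, now):
    # Dashboard fields for one discovered record: days left, 30/60/90 bucket,
    # priority-one flag, self-signed vs CA-signed, incident once expired.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days            # negative once expired
    subject = _name_to_dict(cert["subject"])
    issuer = _name_to_dict(cert["issuer"])
    if days_left < 0:
        bucket = "expired"
    else:  # None means more than 90 days out
        bucket = next((w for w in EXPIRY_WINDOWS_DAYS if days_left <= w), None)
    return {
        "common_name": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "self_signed": subject == issuer,
        "days_left": days_left,
        "expiry_bucket": bucket,
        "priority_one": days_left <= 30,          # <=30 days -> P1 renewal task
        "create_incident": days_left < 0,         # already expired -> incident
    }

# Constructed sample records in getpeercert() shape; hosts and dates are made up.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"subject": ((("commonName", "rewards.example.internal"),),),
     "issuer": ((("organizationName", "DigiCert Inc"),), (("commonName", "DigiCert TLS RSA CA"),)),
     "notAfter": "Jun 20 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "lab-host"),),),
     "issuer": ((("commonName", "lab-host"),),),
     "notAfter": "May 01 00:00:00 2020 GMT"},
]
```

Running `[assess_cert(c, NOW) for c in SAMPLE_CERTS]` yields one P1 DigiCert record 19 days from expiry and one expired self-signed record that should raise an incident.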
https://www.youtube.com/watch?v=GGZcoU4ar3Y