Anyone done this?
Each week that goes by we have another cert expire for a customer that we don't monitor and end up having to do the work retrospectively / unexpectedly.
If anyone is working on this and needs help, I'd be willing to brainstorm.
Currently I have this shell script set up in Cygwin on my machine: prefetch.net/.../checkcertificate.html
In combination with this mailx emulation script: www.reedmedia.net/.../mailx.sh and cron it works pretty well to send me a list of upcoming cert expirations. Of course, I have to manually maintain a list of addresses, but it is pretty much set and forget.
Very nice :)
I managed to write a PowerShell script that queried the local CA store or the trusted Root authority. It works great but I haven't written the agent procedure to automate it yet. It's really powerful though. It is a combination of all the certificate PowerShell stuff Google could throw at me. Give me till the end of the week and it'll be posted here.
We are monitoring for these events (logged on Server 2008 systems) so we at least get prior warning. I think you'll still need to break out the powershell for the gory details and to get anything useful out of Server 2003.
Message:
@Mark
Care to share your PowerShell script? This is something that I would definitely implement. I'm sure many others would appreciate it as well.
Thanks
Hi jdvuyk, I will try to have it up by Friday. At the moment it's the wrong CA store that it is querying; easy fix, I just have to find time, and I'd like to put it up with the agent procedure as well.
@combo, good work :) I'll add it to my monitoring now :)
Hello Mark,
You probably have a solution now, but for anyone else looking for an SSL Certificate Monitor we have the following tool:
www.redkestrel.co.uk/.../certchecker.cgi
It discovers SSL certificates deployed on your networks and alerts you when any of them are approaching expiry. It will also identify expired certificates, certificates using short keys or weak algorithms etc.
Regards
phil
Hi Mark, would it be possible to share the script? That would be greatly appreciated.
Monitoring certificate validity is a built-in function in Kaseya Network Monitor. Add a Lua script monitor and choose "checkcertificateexpirytime_.lua". There you can set the number of days before expiration you would like to get notified.
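The check discussed throughout this thread (read each certificate's expiry date and warn a set number of days ahead), written in Python as an added example; it is not any poster's script and not Kaseya's Lua monitor. The function names, host names and dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_not_after(host, port=443, timeout=5.0):
    """Handshake with host:port and return the leaf certificate's notAfter string."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now):
    """Whole days from now (aware UTC datetime) until a notAfter string."""
    seconds = ssl.cert_time_to_seconds(not_after)
    return (datetime.fromtimestamp(seconds, tz=timezone.utc) - now).days

def check_hosts(hosts, warn_days=30, fetch=fetch_not_after, now=None):
    """Return (host, status, days) rows needing attention, failures first."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for host in hosts:
        try:
            remaining = days_left(fetch(host), now)
        except ssl.SSLCertVerificationError:
            # Expired, untrusted or wrong-name certificate: the handshake fails,
            # so no notAfter is available and the failure itself is the alert.
            rows.append((host, "VERIFY-FAILED", None))
        except OSError:
            # Refused, timed out, DNS failure or another TLS error.
            rows.append((host, "CONNECT-FAILED", None))
        else:
            if remaining <= warn_days:
                rows.append((host, "EXPIRING", remaining))
    return sorted(rows, key=lambda r: (r[2] is not None, r[2] or 0))

if __name__ == "__main__":
    # Constructed sample data standing in for live handshakes (runs offline).
    sample = {"mail.example.test": "Mar 11 12:00:00 2025 GMT",
              "www.example.test": "Dec 31 23:59:59 2025 GMT"}
    fixed_now = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)
    for row in check_hosts(sample, fetch=sample.__getitem__, now=fixed_now):
        print(row)
```

Called without the `fetch` and `now` arguments, `check_hosts` performs real TLS handshakes against the listed hosts, so it can be scheduled and its rows mailed out in the same way as the cron setup described earlier in the thread.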