Certificate Authority Certificate Expiry monitor set / script?

  • Anyone done this?

    Each week that goes by we have another cert expire for a customer that we don't monitor and end up having to do the work retrospectively / unexpectedly. 

    If anyone is working on this and needs help, I'd be willing to brainstorm.



  • Currently I have this shell script set up in Cygwin on my machine: prefetch.net/.../checkcertificate.html

    In combination with this mailx emulation script: www.reedmedia.net/.../mailx.sh and cron it works pretty well to send me a list of upcoming cert expirations. Of course, I have to manually maintain a list of addresses, but it is pretty much set and forget.

    I managed to write a PowerShell script that queried the local CA store or the trusted Root authority. It works great but I haven't written the agent procedure to automate it yet. It's really powerful though. It is a combination of all the certificate PowerShell stuff Google could throw at me. Give me til the end of the week and it'll be posted here.

  • We are monitoring for these events (logged on Server 2008 systems) so we at least get prior warning. I think you'll still need to break out PowerShell for the gory details and to get anything useful out of Server 2003.


    Application log generated Warning Event 64 on XXXXXXXX
    For more information see http://www.eventid.net/display.asp?eventid=64&source=Microsoft-Windows-CertificateServicesClient-AutoEnrollment

    Log: Application
    Type: Warning
    Event: 64
    Agent Time: 2011-05-16 21:31:57Z
    Event Time: 11:30:31 AM 16-May-2011 UTC
    Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    Category: None
    Username: N/A
    Computer: XXXXXXXXX
    Description: Certificate for local system with Thumbprint 0f 08 10 81 de 92 00 e1 0e 32 8a e4 68 4a c2 a8 d6 38 d5 b3 is about to expire or already expired.
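
An added example, not code from any poster in this thread: PowerShell that lists certificates in the local machine store expiring within a threshold and cross-references the thumbprints named in Event 64 warnings like the one above. The function names, the 30-day threshold and the choice of the `Cert:\LocalMachine\My` store are assumptions.

```powershell
# Added example; names, threshold and store path are illustrative assumptions.
param([int]$WarnDays = 30)

$Source = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'

function Get-ThumbprintFromEvent64 {
    param([string]$Message)
    # Event 64 text carries the SHA-1 thumbprint as 20 space-separated hex bytes.
    if ($Message -match 'Thumbprint\s+((?:[0-9a-f]{2}\s+){19}[0-9a-f]{2})') {
        # Normalise to the form used by the certificate provider (upper case, no spaces).
        return ($Matches[1] -replace '\s', '').ToUpperInvariant()
    }
}

function Get-ExpiringCertificate {
    param([int]$Days, [string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    $cutoff = $now.AddDays($Days)
    # NotAfter earlier than the cutoff covers both "about to expire" and "already expired".
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $cutoff } |
        Select-Object Thumbprint, Subject, NotAfter,
            @{ n = 'DaysLeft'; e = { [math]::Floor(($_.NotAfter - $now).TotalDays) } }
}

# 1. Certificates in the machine store that fall inside the warning window.
$expiring = @(Get-ExpiringCertificate -Days $WarnDays)
$expiring | Sort-Object NotAfter | Format-Table -AutoSize

# 2. Thumbprints reported by Event 64 in the Application log (Server 2008 and later).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = $Source; Id = 64
} -ErrorAction SilentlyContinue   # no matching events is not an error here
$flagged = @($events |
    ForEach-Object { Get-ThumbprintFromEvent64 $_.Message } |
    Where-Object { $_ } | Select-Object -Unique)

# 3. Flagged thumbprints that the store scan did not find need a manual look:
#    the certificate may live in another store or may already have been removed.
$known = @($expiring | ForEach-Object { $_.Thumbprint })
$flagged | Where-Object { $known -notcontains $_ } |
    ForEach-Object { Write-Warning "Event 64 thumbprint not in scanned store: $_" }
```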

  • @Mark

    Care to share your PowerShell script? This is something that I would definitely implement. I'm sure many others would appreciate it as well.


  • Hi jdvuyk, I will try to have it up by Friday. At the moment it's the wrong CA store that it is querying; easy fix, I just have to find time, and I'd like to put it up with the agent procedure as well.

    @combo, good work :) I'll add it to my monitoring now :)

  • Hello Mark,

  • Hi Mark, would it be possible to share the script? That would be greatly appreciated.

  • Monitoring certificate validity is a built-in function in Kaseya Network Monitor. Add a Lua script monitor and choose "checkcertificateexpirytime_.lua". There you can set the number of days before expiration you would like to get notified.