Kaseya Community

SSL Certificate Expiry


Does anyone have a good script for monitoring the expiry of SSL certificates? I'm a bit stumped as to where to start; I'm not sure what tools there are to monitor such things.

Most of our clients don't run in-house CAs, but rather buy a cert from e.g. GoDaddy, Namecheap, etc. which has a 1/2/3 year lifetime, then set-and-forget. One, two or three years later, they get caught out when the cert expires, because nobody is monitoring these things.

Nagios, SolarWinds, Uptrends etc. have specialist monitors for this, but Kaseya ..... ?

All Replies
  • The best I have been able to do for this is to alert on it via Event ID 64 in the Application log, and then somebody has to physically check the server and match the thumbprint to figure out which one expired and then remove/renew it via a series of PowerShell commands.

    https://technet.microsoft.com/en-us/library/cc774595%28v=ws.10%29.aspx

    I also found this PS script by Ragnar Harper that might help:

    http://arstechnica.com/civis/viewtopic.php?f=17&t=1197827

  • Unfortunately, all of the above relies on having an in-house CA. Most Windows member servers don't have Certificate Services installed (i.e. no local certification authority), or if they do, they don't recognize any third-party certs anyhow.

    I guess this means we need a custom script to query the various cert services e.g. Exchange, IIS, etc. (as well as Windows CA, when it exists).

  • Didn't test it much, but you could try the PowerShell certificate drive to look at the installed certificates on each machine.

    Something like (needs PowerShell v3):

    Get-ChildItem -Path cert: -Recurse -ExpiringInDays 60 | select FriendlyName,NotAfter,Thumbprint,Issuer

    This will not show certificates that are already expired. If you want the already expired ones, or need to use PowerShell v2 instead of the -ExpiringInDays parameter, you could pipe the output to a where statement.

  • KNM can check the validity of an SSL certificate.

    1. Find the asset representing the web server in KNM

    2. Add a Lua script monitor

    3. Select the "CheckCertificateExpiryTime_.lua" script

    4. Set portnumber to 443

    5. Set Ignore Connection problems to No

    6. Set Number of days to 14

    7. Save the monitor

    Now you should get a notification 14 days before the certificate expires.

  • We use a Kaseya script to do this. We executeShellCommandToVariable:

    powershell.exe -command "& {get-childitem cert:\LocalMachine -Recurse | where-object {$_.hasprivatekey -and $_.notafter -gt ((get-date).AddDays(-1)) -and $_.notafter -lt ((get-date).AddDays(21))} | Sort-Object notafter | format-table subject,friendlyname,notafter}"

    If the result contains 'notafter' one or more certificates are expiring within 21 days (but have not yet expired) and accordingly we raise a ticket in our support system.

    Hope this helps.

  • How would one edit your command to exclude certs found in "Certificate Enrollment Request" store?

  • neuvoja - Try adding an additional -and clause to the 'where-object', something like:

    -and $_.PSParentPath -notlike "*\REQUEST"   # pending enrollment requests live in the REQUEST store of the cert: drive

  • Is it possible to pull out the expiry date as part of this script so it can be reported on?

  • Hi - sure, the 'notafter' column returned by the above PowerShell command *is* the expiry date. You can easily adapt the command to return all certificates with private keys, not just those expiring within three weeks.
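Pulling the replies above together, here is an added example (not code from this thread or from Kaseya) that does both things discussed: scans the local machine store the way the "We use a Kaseya script" reply does, but also reports already-expired certs, skips the REQUEST store and returns the expiry date and days remaining; and checks the certificate a remote web server actually presents on port 443, which is what the KNM Lua monitor does and is what catches a GoDaddy/Namecheap cert that never touched the local store. It assumes Windows PowerShell 3.0 or later; the function names, parameter names and the host www.example.com are my own choices.

```powershell
# Added example: local-store expiry scan plus remote endpoint check. Not from the thread.
function Get-ExpiringLocalCert {
    param([int]$Days = 21)   # report anything expiring within this many days, including already expired
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object {
            $_.HasPrivateKey -and                       # skips store containers and third-party roots/intermediates
            $_.PSParentPath -notlike '*\REQUEST' -and   # skips pending enrollment requests
            $_.NotAfter -lt $now.AddDays($Days)         # unlike the thread's command, expired certs are kept
        } |
        Select-Object Subject, FriendlyName, NotAfter, Thumbprint,
            @{ n = 'Store';    e = { Split-Path $_.PSParentPath -Leaf } },
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - $now).TotalDays } } |   # negative = already expired
        Sort-Object NotAfter
}

function Get-RemoteCertExpiry {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Validation callback always returns $true so an expired or untrusted cert is reported rather than thrown.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)    # SNI: the server picks the cert for this host name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# From a Kaseya agent procedure (executeShellCommandToVariable) you can test for non-empty
# output exactly as the thread describes and raise a ticket when either check returns rows.
Get-ExpiringLocalCert -Days 21 | Format-Table -AutoSize
Get-RemoteCertExpiry -HostName 'www.example.com' | Format-List
```

The remote check needs outbound TCP to the target port from wherever the agent runs; a connection failure surfaces as an exception from TcpClient, which you may want to catch and report separately from an expiring cert, mirroring the KNM "Ignore connection problems" setting.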