Kaseya Community

Check SSL Cert Expiration???

  • Hello,

    I'm looking for some help. I would like to create a script that would look for the expiration dates on all the SSL certificates in the Server Personal store. So far I have a VB script that will list them, but it would be nice to somehow shoot an email if the date is going to expire in less than 10 days or something. Any ideas?

    Here is the VB script that I found: **you might have to regsvr32 capicom.dll** to get it to work

    REM
    Option Explicit
    on error resume next
    Const CAPICOM_MY_STORE = "My"
    Const CAPICOM_LOCAL_MACHINE_STORE = 1
    Const CAPICOM_CURRENT_USER_STORE = 2
    Const CAPICOM_STORE_OPEN_READ_ONLY = 0
    Const CAPICOM_EKU_CLIENT_AUTH = 2
    Const CAPICOM_EKU_CODE_SIGNING = 3
    Const CAPICOM_EKU_EMAIL_PROTECTION = 4
    Const CAPICOM_EKU_SERVER_AUTH = 1
    Const CAPICOM_EKU_OTHER = 0
    Const CR_DISP_ISSUED = &H3
    Const CR_OUT_CHAIN = &H100
    Const CR_OUT_BASE64 = &H1
    Const CERT_SYSTEM_STORE_LOCAL_MACHINE = &H20000
    Const CR_IN_BASE64 = &H1
    Const CR_IN_PKCS10 = &H100
    Dim oCert, oStore
    Set oStore = CreateObject ("CAPICOM.Store")
    if Err.Number <> 0 Then
    wscript.echo "CAPICOM NOT detected"
    Wscript.Quit(1)
    End if
    oStore.Open CAPICOM_LOCAL_MACHINE_STORE, CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY
    For Each oCert in oStore.Certificates
    WScript.Echo " Subject Name: " & oCert.SubjectName
    WScript.Echo " Issuer Name: " & oCert.IssuerName
    WScript.Echo " SHA-1 Thumbprint: " & oCert.Thumbprint
    WScript.Echo " Serial Number: " & oCert.SerialNumber
    WScript.Echo " Version: " & oCert.Version
    WScript.Echo " Valid From: " & oCert.ValidFromDate
    WScript.Echo " Valid To: " & oCert.ValidToDate
    Next

    Legacy Forum Name: Check SSL Cert Expiration???,
    Legacy Posted By Username: jpyzowski
  • Here is the VBS script I compiled from other sources.

    It scans all of the certificates that are installed and checks the date valid until.

    If the script is within a "warning" period (defined in the beginning of the vbs script) an event log Warning is made with a unique string of Code Cert_Expire_30, or you can change it.

    So, configure a script in Kaseya with the below .vbs to execute once a day. Then set up an event log alert to look for that unique "error" code.

    CertExpiryCheck.vbs

    '**************************************************
    '*
    '* Enumerate certificates with day left for expiry
    '**************************************************

    Option Explicit
    Dim SubjectName
    Const DaysWarning = 30
    Const DaysIgnoreExpired = -7

    ' Constants for type of event log entry
    const EVENTLOG_SUCCESS = 0
    const EVENTLOG_ERROR = 1
    const EVENTLOG_WARNING = 2
    const EVENTLOG_INFORMATION = 4
    const EVENTLOG_AUDIT_SUCCESS = 8
    const EVENTLOG_AUDIT_FAILURE = 16
    dim objShell
    set objShell = CreateObject("WScript.Shell")



    Dim Store, Certificates, Certificate
    Const CAPICOM_LOCAL_MACHINE_STORE = 1
    Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
    Const CAPICOM_STORE_OPEN_READ_ONLY = 0

    Set Store = CreateObject("CAPICOM.Store")
    Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
    Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, , 0)

    If Certificates.Count >0 Then
    For Each Certificate in Certificates
    Dim DaysLeft
    DaysLeft = DateDiff("d",now(),Certificate.ValidToDate)
    ' If the certificate expires within the warning period, write a warning in the event log
    if DaysLeft > 0 and DaysLeft <= DaysWarning then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " Will Expire Soon"
    objShell.LogEvent EVENTLOG_WARNING, "The Certificate " & Certificate.SubjectName & " Will Expire in " & DaysLeft & " days. Error Code Cert_Expire_30"
    end if
    ' If the certificate has expired and is not outside of the expired ignore period, write a warning in the event log
    if DaysLeft > DaysIgnoreExpired and DaysLeft <= 0 then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " has expired"
    objShell.LogEvent EVENTLOG_WARNING, "The Certificate " & Certificate.SubjectName & " has expired. Error Code Cert_Expired"
    end if
    ' If the certificate is valid, log an informational entry in the application log with the days valid
    if DaysLeft > DaysWarning then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " is valid"
    objShell.LogEvent EVENTLOG_INFORMATION, "The Certificate " & Certificate.SubjectName & " is valid. The certificate will expire in " & DaysLeft & " days."
    end if
    Next
    Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
    End If

    Set Certificates = Nothing
    Set Store = Nothing


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: rbloch
  • rbloch ,

    Hey, this looks super. Thanks for sharing.

    One question... what is the "Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1" for?

    I see it used in the "Set Certificates =" function line, which is then passed to the "objShell.LogEvent" command. I just was not sure what significance the "1" has?

    Thanks.

    Lloyd

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: lwolf
  • I still have one issue: I keep getting the following error when I run it

    No certificates with SubjectName => '"

    Any suggestions? I wish I knew a little more VB.

    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jpyzowski
  • Well, after some messing around I finally have something that I think will work. The only issue I have now is that it doesn't run on win2008.

    And I still have to use the subjectname, which I guess I can set a variable for all of my domains and have it pull that variable and run it that way.

    c:\temp\CertExpiryCheck.vbs Domainname


    '**************************************************
    '* CertExpiryCheck.vbs
    '* Enumerate certificates with day left for expiry
    '**************************************************

    Option Explicit
    Dim SubjectName
    Const DaysWarning = 30
    Const DaysIgnoreExpired = -7

    ' Constants for type of event log entry
    const EVENTLOG_SUCCESS = 0
    const EVENTLOG_ERROR = 1
    const EVENTLOG_WARNING = 2
    const EVENTLOG_INFORMATION = 4
    const EVENTLOG_AUDIT_SUCCESS = 8
    const EVENTLOG_AUDIT_FAILURE = 16
    dim objShell
    set objShell = CreateObject("WScript.Shell")

    If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
    Else
    CommandUsage
    End If

    Dim Store, Certificates, Certificate
    Const CAPICOM_LOCAL_MACHINE_STORE = 1
    Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
    Const CAPICOM_STORE_OPEN_READ_ONLY = 0

    Set Store = CreateObject("CAPICOM.Store")
    Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
    Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

    If Certificates.Count >0 Then
    For Each Certificate in Certificates
    Dim DaysLeft
    DaysLeft = DateDiff("d",now(),Certificate.ValidToDate)
    ' If the certificate expires within the warning period, write an error in the event log
    if DaysLeft > 0 and DaysLeft <= DaysWarning then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " Will Expire Soon"
    objShell.LogEvent EVENTLOG_ERROR, "The Certificate " & Certificate.SubjectName & " Will Expire in " & DaysLeft & " days. Error Code Cert_Expire_30"
    end if
    ' If the certificate has expired and is not outside of the expired ignore period, write an error in the event log
    if DaysLeft > DaysIgnoreExpired and DaysLeft <= 0 then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " has expired"
    objShell.LogEvent EVENTLOG_ERROR, "The Certificate " & Certificate.SubjectName & " has expired. Error Code Cert_Expired"
    end if
    ' If the certificate is valid, log an informational entry in the application log with the days valid
    if DaysLeft > DaysWarning then
    Wscript.Echo "The Certificate " & Certificate.SubjectName & " is valid"
    objShell.LogEvent EVENTLOG_INFORMATION, "The Certificate " & Certificate.SubjectName & " is valid. The certificate will expire in " & DaysLeft & " days."
    end if
    Next

    Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
    End If

    Set Certificates = Nothing
    Set Store = Nothing

    Sub CommandUsage
    MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ", vbInformation,"CertExpiryCheck"
    WScript.Quit(1)
    End Sub


    Legacy Forum Name: Scripts Forum,
    Legacy Posted By Username: jpyzowski
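
The daily check described in this thread (write an event log entry carrying a unique code, then alert on that code), as an added example that is not from any of the posters: it reads the Local Machine Personal store through PowerShell's certificate provider instead of CAPICOM and covers every certificate without a subject name argument. The event source name and the event IDs are constructed for the example; Windows PowerShell 5.1 and an elevated session are assumed.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1, run elevated.
# The 'CertExpiryCheck' source and event IDs 1001/1002 are constructed for this example.
param(
    [int]$DaysWarning = 30,        # same meaning as DaysWarning in the VBS
    [int]$DaysIgnoreExpired = -7,  # same meaning as DaysIgnoreExpired in the VBS
    [string]$Source = 'CertExpiryCheck'
)

function Get-CertExpiryStatus {
    param([datetime]$NotAfter, [datetime]$Now, [int]$Warn, [int]$IgnoreExpired)
    # Whole calendar days, like DateDiff("d", Now(), ValidToDate)
    $days = ($NotAfter.Date - $Now.Date).Days
    if     ($days -gt $Warn)          { $code = $null;            $id = 0 }
    elseif ($days -gt 0)              { $code = 'Cert_Expire_30'; $id = 1001 }
    elseif ($days -gt $IgnoreExpired) { $code = 'Cert_Expired';   $id = 1002 }
    else                              { $code = $null;            $id = 0 }  # expired long ago: stay quiet
    [pscustomobject]@{ DaysLeft = $days; Code = $code; EventId = $id }
}

# Register the event source once (needs administrator rights).
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

$now = Get-Date
$alerts = 0
# Every certificate in the machine's Personal store, no subject filter.
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $status = Get-CertExpiryStatus -NotAfter $cert.NotAfter -Now $now `
        -Warn $DaysWarning -IgnoreExpired $DaysIgnoreExpired
    if ($status.Code) {
        $msg = "Certificate '{0}' (thumbprint {1}) expires {2:yyyy-MM-dd}, days left: {3}. Error Code {4}" -f `
            $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $status.DaysLeft, $status.Code
        Write-EventLog -LogName Application -Source $Source -EntryType Warning `
            -EventId $status.EventId -Message $msg
        Write-Output $msg
        $alerts++
    }
}
# Non-zero exit lets the calling agent procedure branch on the result as well.
if ($alerts -gt 0) { exit 1 } else { exit 0 }
```

Including the thumbprint in the message lets the alert identify the exact certificate when several share a subject name.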