Monitoring 2003 Certificate Services using SCOM 2007

  • Question

  • Does anyone know of a new MP or script for properly monitoring 2003 certificate services using SCOM 2007? There is the MP from Raphael and team ( http://thoughtsonopsmgr.blogspot.co.uk/2009/09/pki-certificate-verification-management.html ) but this does not seem to monitor the types of events which the old Camonitor.vbs script used to, which cover the health of the CA service itself, such as...

    • Certificate Services service client RPC interface offline (event ID 1)
     
    • Certificate Services service administration RPC interface offline (event ID 2)
     
    • CA Certificate expired (event ID 10)
     
    • CA Certificate remaining validity is less than one month (event ID 11)
     
    • CA Certificate remaining validity is less than half its lifetime (event ID 12)
     
    • CA Certificate has been revoked (event ID 13)
     
    • CRL expired (event ID 20)
     
    • CRL overdue (event ID 21)
     
    • CRL cannot be retrieved from Active Directory (event ID 22)
     
    • CRL cannot be retrieved from Web server (event ID 23)
     
    • KRA Certificate expired (event ID 30)
     
    • KRA Certificate remaining validity is less than one month (event ID 31)
     
    • KRA Certificate has been revoked (event ID 32)
     
    • KRA Certificate is not trusted (event ID 33)
    Tuesday, May 8, 2012 10:11 AM

Answers

  • Nice find Nicholas. I think this could be used to find the issues and create some monitors in SCOM that try to find what is written to the logs using this script. I guess nobody will create a full MP for this version anymore. But this has some hooks to use to create your own if you expect to still be using a Win03 CA for a while to come (please think about upgrading to newer versions by the way, but that is a whole other point...).

    Let us know if you need any more input from us Tech11-EU.


    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    • Marked as answer by Forum2019 Friday, May 25, 2012 8:00 AM
    Friday, May 25, 2012 6:38 AM

All replies

  • Hi Tech11-EU -

    I can share that I am not aware of any new PKI management packs from the community or Microsoft. The excellent MP by Raphael Burri you referred to has been updated in March 2012: http://www.systemcentercentral.com/PackCatalog/PackCatalogDetails/tabid/145/IndexID/24860/Default.aspx

    John Joyner
    MVP-SC-CDM



    Wednesday, May 9, 2012 4:21 PM
  • Thanks John. Yes, it is an excellent management pack for what it does, but I am looking for a management pack that really covers all aspects of the health of a CA infrastructure (such as DB growth, services, CA errors etc.) and am surprised that one was never created for 2003, so I was interested to hear how other people have managed that.
    • Edited by Forum2019 Friday, May 11, 2012 10:35 AM
    Friday, May 11, 2012 10:34 AM
  • For monitoring the CA itself there is only http://www.microsoft.com/en-us/download/details.aspx?id=11159 as far as I know. No newer versions that I know of.

    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Friday, May 18, 2012 3:16 PM
  • Oh, and yes, that's for 2008.


    Bob Cornelissen - BICTT (My Blog about SCOM) - MVP 2012 and Microsoft Community Contributor 2011 Recipient

    Friday, May 18, 2012 3:19 PM

  • Hi,

    If you would try to author a monitor, please see if the following method helps:

    Certificate Authority Monitor
    http://gallery.technet.microsoft.com/scriptcenter/164e8047-d7bf-4774-91cf-90d46b82e725

    Thanks.


    Nicholas Li

    TechNet Community Support

    Wednesday, May 23, 2012 5:27 AM
  • Question answered. It would seem I have no alternative but to use camonitor.vbs or develop my own custom MP.
    Friday, May 25, 2012 8:00 AM