Alerts on CRL Expiry

  • Question

  • Hi,

     I have 2 enterprise issuing CAs and am looking for some simple scripts which can alert me on the following:

    - CRL expiry if the CA certificate's CRL is due to expire within 30 days
    - CA certificate expiry if it's due to expire in 30 days
    - Issued certificates which are due to expire within 30 days (less important, but useful for us)

    Does anyone know of existing scripts which can do this - just checking before going down the task of writing my own...

    Thanks in advance


    IT Support/Everything

    Tuesday, March 15, 2016 3:59 PM

All replies

  • Nothing out of the box. You can run pkiview.msc which will provide some alerting, but not emails or popups, you would have to monitor the screen. There are several expensive tools you can buy that monitor your CA. You could also implement SCCM with the management pack for ADCS. Lastly, you can write scripts that query the CA database directly for this and alert users. I don't think anyone has these freely available - for instance, I offer mine to customers as part of a project engagement.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com


    Wednesday, March 16, 2016 2:46 AM
  • You can look at the script published by Paul Fox (Microsoft Consulting Services): https://gallery.technet.microsoft.com/scriptcenter/Powershell-CRL-Copy-v2-8e91c11a

    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    Wednesday, March 16, 2016 7:02 AM
  • Hi,

    >> Issued certificates which are due to expire within 30 days (less important, but useful for us) 

    You may monitor the following event:

    https://technet.microsoft.com/en-us/library/cc774595%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, March 17, 2016 9:33 AM
    Moderator
  • I know this is an old post - I've recently written a script to check for certs expiring in 30 days. This quick script works well for me :-)

    # This script trawls through a certutil-produced CSV file and filters out all CA Exchange certificates and OCSP certificates to produce a list of valid certificates for checking.
    # Remaining certificates are checked to see if they are due to expire within 30 days; if so, an email alert is sent to $emailto.
    $today=Get-Date
    $path="c:\install\certs.csv"
    [boolean]$expired=$false
    $emailto="monitoring@domaina.com"
    $emailsrc="IssuingCA01@domaina.com"

    # Export the CA database columns we need to CSV (column names as certutil displays them)
    certutil -view -out "requestername,requestid,Certificate Template,Certificate Expiration Date" csv > $path
    Start-Sleep -Seconds 10

    Function SendMail ($message)
    {
        Send-MailMessage -From $emailsrc -To $emailto -Subject "Certificates expiring in 30 days" -Body $message -SmtpServer mailone.domaina.com
    }

    # Make sure the export exists before trying to read it
    if ((Test-Path $path) -eq $false)
    {
        $message="Cannot check destination directory for expired certificates"
        SendMail $message
        exit
    }

    # Filter out unwanted templates: we're not interested in CA Exchange certificates or OCSP certificates
    $certlist=@(Import-Csv $path -Header "Requester Name","Issued Request ID","Certificate Template","Certificate Expiration Date" |
        Where-Object { $_."Certificate Template" -notlike "*OCSP*" -and
                       $_."Certificate Template" -notlike "*CAExchange*" -and
                       $_."Certificate Template" -notlike "*1.3.6.1.4.1.311.21.8.14144301.2339861.4014749.143178.11106572.212.13091067.2391596*" })
    [string]$message=""

    ForEach ($cert in $certlist)
    {
        if ($cert."Certificate Expiration Date" -eq "Certificate Expiration Date")
        {
            # skip this loop iteration as the first row is the CSV header and doesn't contain a valid date
            continue
        }

        # Convert the date string to a DateTime. The format string must match how certutil writes dates on this CA
        # (it follows the machine's regional settings); adjust "dd/MM/yyyy HH:mm" if ParseExact throws a FormatException.
        $CertExpiry=[datetime]::ParseExact($cert."Certificate Expiration Date", "dd/MM/yyyy HH:mm", $null)
        if ($today -le $CertExpiry)
        {
            # Certificate has not expired yet, so check whether it expires within the window
            if ($today.AddDays(30) -gt $CertExpiry)
            {
                # certificate will expire in the next 30 days
                $message=$message + $cert."Requester Name" + "  " + $cert."Certificate Template" + "  " + $cert."Certificate Expiration Date"
                $message=$message + "`r`n"
                $expired=$true
            }#if
        }#if
    }#For

    if ($expired)
    {
        SendMail $message
    }



    Saturday, May 28, 2016 6:54 AM
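    The script above only covers the third item in the original question (issued certificates). The following is an added example, not code from this thread or from any of the posters, that checks the first two items: the CRL's NextUpdate and the CA certificate's NotAfter, against the same 30-day window. The CDP URL, CA subject name, certificate stores, SMTP host and mailbox addresses are assumed placeholders. It relies on certutil -dump printing a "NextUpdate:" line for a CRL file, and it parses that date with the machine's current culture instead of a fixed ParseExact pattern, because certutil writes dates in the CA's regional format and a pattern that does not match it fails with "String was not recognized as a valid DateTime".

```powershell
# Added example, not from this thread: alert when the CA's CRL or the CA certificate
# itself is within 30 days of expiry. URL, subject and mail settings are placeholders.
$WarnDays  = 30
$CdpUrl    = 'http://pki.domaina.com/CertEnroll/IssuingCA01.crl'   # assumed CDP URL
$CaSubject = 'CN=IssuingCA01, DC=domaina, DC=com'                  # assumed CA cert subject
$EmailTo   = 'monitoring@domaina.com'
$EmailFrom = 'IssuingCA01@domaina.com'
$SmtpHost  = 'mailone.domaina.com'

function Get-CrlNextUpdate {
    # Downloads the CRL from its distribution point and returns its NextUpdate as [datetime]
    param([string]$Url)
    $tmp = Join-Path $env:TEMP 'crlcheck.crl'
    Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing
    # certutil -dump prints a " NextUpdate: <date>" line using the machine's regional
    # date format, so the value is parsed with the current culture rather than a fixed pattern.
    $line = certutil -dump $tmp |
            Where-Object { $_ -match '^\s*NextUpdate:' } |
            Select-Object -First 1
    if (-not $line) { throw "NextUpdate not found in CRL dump of $Url" }
    $value = ($line -replace '^\s*NextUpdate:\s*', '').Trim()
    return [datetime]::Parse($value, [cultureinfo]::CurrentCulture)
}

function Get-CaCertExpiry {
    # Returns NotAfter of the newest certificate with the given subject from the
    # machine's Intermediate CA and Root stores (where an enterprise CA cert is published).
    param([string]$Subject)
    $cert = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -eq $Subject } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in the local CA/Root stores" }
    return $cert.NotAfter
}

$now      = Get-Date
$deadline = $now.AddDays($WarnDays)
$alerts   = @()

# Anything with an expiry before the deadline is reported; this includes a CRL or
# certificate that has already expired, which is the case you most want to hear about.
$crlNext = Get-CrlNextUpdate -Url $CdpUrl
if ($crlNext -lt $deadline) {
    $alerts += "CRL $CdpUrl NextUpdate is $crlNext (less than $WarnDays days away)"
}

$caExpiry = Get-CaCertExpiry -Subject $CaSubject
if ($caExpiry -lt $deadline) {
    $alerts += "CA certificate '$CaSubject' NotAfter is $caExpiry (less than $WarnDays days away)"
}

if ($alerts.Count -gt 0) {
    Send-MailMessage -From $EmailFrom -To $EmailTo -SmtpServer $SmtpHost `
        -Subject "PKI expiry warning ($($alerts.Count) item(s))" -Body ($alerts -join "`r`n")
} else {
    Write-Host "OK: CRL valid until $crlNext, CA certificate valid until $caExpiry"
}
```

    Because the CRL check fetches the file from the CDP rather than reading it off the CA, it can run as a scheduled task on any monitoring host, and it also catches the more common failure where the CA is fine but CRL publishing to the CDP has silently stopped. For two issuing CAs, put the URL/subject pairs in a list and loop over it.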
  • Getting an error when I run this script.

    Exception calling "ParseExact" with "3" argument(s): "String was not recognized as a valid DateTime."
    At line:40 char:7
    +       $CertExpiry=[datetime]::ParseExact($cert."Certificate Expiratio ...
    +       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : FormatException


    Tuesday, November 19, 2019 5:05 AM