Freigeben über


OpsMgr: Monitoring Certificate Expiry with a Powershell-based Monitor

This post focuses on the Powershell-based monitor created in my first post to find and alert on certificates that are about to expire on managed computers. This monitor was created from the “Create a Unit Monitor” wizard as demonstrated in my first post.

image 

For this Powershell-based unit monitor, the following values were used in General Properties.

Note: This monitor targets the Windows Server 2008 Computer class, and hence will be distributed to agents running on Windows 2008 servers.

image

 

Polling frequency was set to 3 minutes for testing purposes. This value can be changed anytime based on preference.

image 

The command to find certificates that are about to expire from the Hey, Scripting Guy ! Blog , was used in the Powershell script of this monitor and the script was modified to return its output in a Propertybag.

image

 

Here is the script used:

sl cert:
$thresholdindays = 1000
$ExpiredCerts = Get-ChildItem -Recurse | where { $_.notafter -le (get-date).AddDays($thresholdindays)-AND $_.notafter -gt (get-date)} | select thumbprint, subject

$API = new-object -comObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()

if($ExpiredCerts.Length -gt 0)   {
$OFS = "`r`n"
$result1 = [system.String]::Join($ofs, $ExpiredCerts)
$result2 = [string]$result1
$result2 = $result2 -replace "@{", ""
$result2 = $result2 -replace "}", ""

    $PropertyBag.AddValue("State","ERROR")
$PropertyBag.AddValue("Description", "Expired Certificates: " + $result2)

  }
  else   { 
    $PropertyBag.AddValue("State","OK")
$PropertyBag.AddValue("Description", "ALL GOOD !!")

    }

sl $currentlocation

$PropertyBag

 

Building expressions based on the value in the Propertybag and mapping monitor conditions to health states were very straight forward as follows.

The Expression Builder Pages builds expression that looks for a particular value from the Propertybag that the data source outputs (Property[@Name='State'] ).

image

image

image

 

The name of the value in the Propertybag was specified in the alert context variable: $Data/Context/Property[@Name='Description']$

image

 

To force an alert, set the threshold to a high value like 1000 days ( $thresholdindays = 1000). Here is an example of the active alert generated and the state change recorded:

image

image

 

Attached with this post are both the certificate expiry monitor management pack (TakeAWei.Certificate.Expiry.Monitor.Management.Pack.xml) and the sealed library management pack being referenced. Both management packs will need to be imported together via the Operations Console.

 

   

 

 

Disclaimer:   

All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.

CertExpiry.zip

Comments

  • Anonymous
    October 03, 2013
    Very cool and helpful!

  • Anonymous
    October 09, 2013
    Do you use Authoring Extension with Visual Studio 2012/2013 ?

  • Anonymous
    May 12, 2015
    This is the PowerShell 3.0 way to do it.  This also targets just the Computer's Personal certificate store. $thresholdindays = '90' $ExpiredCerts = Get-ChildItem -Path Cert:LocalMachineMy -ExpiringInDays $thresholdindays | Select-Object Subject,NotAfter,Thumbprint $API          = new-object -comObject "MOM.ScriptAPI" $PropertyBag  = $API.CreatePropertyBag() if($ExpiredCerts.Thumbprint.Length -gt 0)   { $OFS = "rn" $result1 = [system.String]::Join($ofs, $ExpiredCerts) $result2 = [string]$result1 $result2 = $result2 -replace "@{", "" $result2 = $result2 -replace "}", ""    $PropertyBag.AddValue("State","ERROR")    $PropertyBag.AddValue("Description", "Expiring Certificates: " + $result2)  }  else   {      $PropertyBag.AddValue("State","OK")    $PropertyBag.AddValue("Description", "ALL GOOD !!")    } sl $currentlocation $PropertyBag

  • Anonymous
    May 19, 2015
    On Windows server 2008 R2 boxes, I'm not getting the $results2 to return in the description.  I walked though the script and all seems fine.  The monitor gives the correct description on a 2012 R2 server.  What gives?