Monitoring Expiring Certificates using SCOM
Managing too many certificates in your Certificate Server? Unable to keep track of when they'd expire? Don't worry! Here's a simple and smart way of proactively monitoring them through SCOM. A completely customizable solution so that you can configure it based on your needs! Sounds exciting? Read further.
Our Strategy:
Our solution for monitoring ceritifcates is based on a script that provides us information about the expiring ceritificates. For each ceritifcate that expires, our script will create an event in the Applications Log. With the help of a SCOM rule, we shall read those events and subsequently notify them as an alert.
The 'Magic' Script
Though there's nothing magic about it, this script is the core part of our solution. It is based on the certutil.exe that is shipped with Windows OS. The certutil provides us an easy way of querying and obtaining information about Certificates. In Windows 2008+ we can export the result set into a CSV which would have made stuff simpler. But, such options are not available in Windows Server 2003. I've designed the script to be compatible for all the OSs. Read through the script, you should be able to get most of it. Don't copy this script from the page. I've pasted it here so that you can have a glance. If you wish to download the script, you can find it at the bottom of this blog post.
' Certificate Expiration Monitoring Script - CertMonitor
' Written by sanjeevgopinath@live.com
' Place the file under C:\CertMonitor\ folder. If you want wish to place it in a different folder, change the dump_file_path variable
' This script is given on an as-is basis without any kind of warranties.
' ##########################
' Type : DAY BASED
' Description : Lists certificates that will expire in the next 1 day.
' ##########################
' ---- VARIABLE DECLARATIONS ----
dim file_obj ' // Holds the Scripting.FileSystemObject for file handling purposes.
dim line_extract ' // From the file read, we extract line by line
dim cert_count ' // Holds the current count of certificates found by the script.
dim event_desc ' // Holds the EventCreate event description
dim file_txt ' // Contains the File Handle for the Temporary file
'---------------------------------
' -------- INITIALIZATIONS --------
certutil_params="SerialNumber,CommonName,RequestID,RequesterName,NotBefore,NotAfter,CertificateTemplate"
dump_file_path="C:\CertMonitor\Day_Log.txt"
script_type="day"
event_id=101
NewDate = DateAdd("d",1,Date)
' To Add some more parameters add it after 11:59 PM" like this --> & "YOUR CONDITION" & """"
restrict_param=" -restrict ""NotAfter>=" & NewDate & " 12:00 AM,NotAfter<" & NewDate & " 11:59 PM" & """"
' Creating Object to work with Shell
Set WshShell = CreateObject("WScript.Shell")
' Running the Certutil command and dumping the output in dump_file_path
cmd_complete="cmd /C certutil -view " & restrict_param & " -out """ & certutil_params & """ > " & dump_file_path
WScript.Echo cmd_complete
cmd_status = WshShell.Run(cmd_complete, 1, true)
' Logging event for the start of script execution.
Set cmd_status = WshShell.Exec("eventcreate /t information /l application /id 100 /d ""Running Certutil -view for " & script_type & " based rule.This is just an informational alert generated by the Certificate Expiry Monitoring Script."" /so ""CertMonitor""")
' Initializing the file handlers
Set file_obj = CreateObject("Scripting.FileSystemObject")
Set file_txt = file_obj.OpenTextFile(dump_file_path,1,False)
' Low Index contains the Certificate Details starting position from the top.
low_index = 0
' High Index holds the position of end of Certificate details.
high_index = 0
' At any given point, cert count tells how many certificates the script has parsed so far.
cert_count = 0
' Initializing the event description
event_desc = "Certificate Details : "
' Sub Str is a temporary string used for trimming and removing the quotes
sub_str = ""
' ------------------------------------
' --- LOGIC STARTS HERE ---------------
' Extracting line by line using split. chr(10) represents newline.
line_extract = Split(file_txt.ReadAll(), chr(10))
' For every line in the dump file
For i = 0 To UBound(line_extract)
' If the line is equal to a Carriage Return, it may represent end of Certificate.
If line_extract(i) = VbCr Then
' The initial part of CertUtil contains information about the fields. We ignore it by not counting the first occurence
If cert_count > 0 Then
' This loop extracts all the certificate information and concatenates it in event_desc
' low_index + 1 is used so that we remove the "ROW #" line
For j = low_index + 1 To high_index
' This removes unnecessary spaces.
sub_str = trim(line_extract(j))
' This removes all the quotes so that the quotes aren't closed by themselves. For e.g. in EventCreate
sub_str = Replace(sub_str, """", "")
' The last character is a new line / NULL character. If that's present, we won't get full event description.
event_desc = event_desc + "" + Left(sub_str,Len(sub_str)-1)
Next
event_desc = event_desc + "This event was generated by the Certificate Expiry Monitoring Script."
' Logs the event in the Application Log
Set event_return = WshShell.Exec("eventcreate /t error /l application /id " & event_id & " /so CertMonitor /d """ & event_desc & """")
' Waiting for the Command to complete
Do While event_return.Status = 0
WScript.Sleep 100
WScript.StdOut.Write(event_return.StdOut.ReadAll())
WScript.StdErr.Write(event_return.StdErr.ReadAll())
Loop
' Reinitializing event_desc so that we don't have the previous values.
event_desc = "Certificate Details : "
End If
' Incrementing the low_index to point to the starting of next certificate.
low_index = i + 1
' Incrementing cert_count value as we parsed one paragraph (one para is imagined to contain cert details) completely.
cert_count = cert_count + 1
Else
' If we find the summary information, we stop the script then and there.
If instr(1,line_extract(i),"Row Index",0) > 0 Then Exit For
End If
' Incrementing as we go line by line
high_index = high_index + 1
Next
How does it work?
The script is expected to run once everyday. To confirm if it ran, you can check the Application log for 100 EventId. When the script runs, it queries for all the expiring certificates and puts the result it in a temporary file. Since the first part of the result is junk, we omit it and just take the part where we have information about expiring certs. For each certificate entry, it creates a 101 event in the Application Log. If you want to change the event id, you can change the value specified for the event_id variable. Also, in this script we just query few parameters like serial number, etc. If you want to delete or add few more parameters, you can change the certutil_params variable.
Say, if you want to extend monitoring and be notified before a week or a month, you can do the following...
Change the value 1 in NewDate = DateAdd("d",1,Date) to 7 if you want to be notified before a week and 30 if you want to be notified before a month.
You can also change the event id when you wish to monitor for week and month. This way, you can configure the rules to alert with respective priorities. For example Day = High, Week = Medium.
What is required from SCOM side?
Create an alert generating rule to monitor for NT Events 100 and 101 (or the event Id you have specified). To be very precise, you can specify that the Event Source is 'CertMonitor'.
If you want to know how to create a alert generating rule for monitoring events from the NT Event Log, read this : https://technet.microsoft.com/en-us/library/bb309568
As the rule may run on all Windows Computers, restrict it to run only on the cert servers or the servers where you need to monitor expiring certificates.
How do I schedule the script?
You can use Windows Task Scheduler for scheduling the script to run once everyday. For more info : https://technet.microsoft.com/en-us/library/cc748993
Comments
Anonymous
January 01, 2003
Thanks for this post. I modified the script to create events at 30, 15 and 7 days from expiration and to look only for specific certificate templates. Integrated to SCOM, too.Anonymous
January 07, 2013
The comment has been removedAnonymous
January 07, 2013
just found out it has to run with cscript.exe not wscript.exe thx tomAnonymous
May 19, 2015
IS this only applicable for the cert store or it "scans" also Cert in specific folder (for example Blackberry related certAnonymous
June 01, 2015
Trying to monitor URLs with different time fram.. Can someone help out please??
jrfuste - looks like you have done more work on this..Anonymous
February 07, 2016
Hi,
Does this script requires any online CA or it will check local machine certificates.Anonymous
February 08, 2016
Do I need to change value in param..... pls post some example where to change and also update in blog