Active Directory Certificate Services (ADCS) notification of certificates soon to expire
Last year I did a piece of work to replace our firm's 2003 Active Directory Certificate Authority with a new Server 2012 box. During the work I was asked if I could create notifications for manually issued certificates, created against the web server certificate template, which were soon to expire. This would give the technical team time to plan the replacement of certs before they expired and took out a production system.
I downloaded and installed the Public Key Infrastructure PowerShell module from CodePlex, and this allowed me to utilize the Get-IssuedRequest cmdlet to return details of issued certificates.
Below is an example of the code used to return a list of certificates, issued against the WebServer template by the CA MyCA.Adatum.com, that are due to expire in the next 3 months.
Get-CertificationAuthority "MyCA.Adatum.Com" | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer","NotAfter -ge $(Get-Date)", "NotAfter -le $((Get-Date).AddMonths(3))" | Sort-Object NotAfter
I embedded this into the code below, which, when run on a CA, returns the results, formats them as an HTML email and sends them to the team. FYI I am not a developer so you will have to excuse my syntax and structure.
NB THIS CODE IS PROVIDED 'AS-IS', WITHOUT ANY EXPRESS OR IMPLIED WARRANTY. IN NO EVENT WILL THE AUTHOR BE HELD LIABLE FOR ANY DAMAGES ARISING FROM THE USE OF THIS SOFTWARE.
#Get input strings
param(
[string] $computername = "$ENV:COMPUTERNAME",
[string] $reportfile = "$ENV:USERPROFILE\Desktop\acert_certificate_expiration_report.html"
)
#Send mail function
Function send_mail([string]$message,[string]$subject) {
$emailFrom = "Certificate_Reports@adatum.com"
$emailTo = "ittechnical@adatum.com"
$smtpServer = "SMTP.Adatum.com"
Send-MailMessage -SmtpServer $smtpServer -To $emailTo -From $emailFrom -Subject $subject -Body $message -BodyAsHtml -Priority High
}
#Import PSPKI Module
if(Get-Module -ListAvailable -Name PSPKI | Where-Object { $_.name -eq "PSPKI" })
{
#Import PSPKI PowerShell module
if(Get-Module -Name PSPKI | Where-Object { $_.name -eq "PSPKI" })
{
Write-Host "PSPKI PowerShell module already imported…" -ForegroundColor "Yellow"
}
else
{
Write-Host "Importing PSPKI PowerShell module…" -ForegroundColor "Yellow"
Import-Module -Name PSPKI
}
Write-Host
#Set variables
Write-Host "Setting variables…" -ForegroundColor "Yellow"
Write-Host
$caname = $computername.ToLower()
$domaindns = $ENV:USERDNSDOMAIN.ToLower()
$todaysdate = Get-Date
#Report header: generation date and user, then the explanatory paragraph (replaces the unused -Body parameter and the unused $todaysdate variable)
$htmlpre = "<P>$($todaysdate.ToString('dd/MM/yyyy')) - Generated by user: $ENV:USERNAME</P><P>The following certificates issued against the Webserver Template expire in the next 3 months.</P>"
$htmlpost = "<P>Certificate expiration information retrieved from $caname.$domaindns</P>"
$htmltitle = "Certificate expiration information from $caname.$domaindns"
$style = '<style>BODY{font-family: Arial; font-size: 10pt;}'
$style = $style + 'TABLE{border: 1px solid black; border-collapse: collapse;}'
$style = $style + 'TH{border: 1px solid black; background: #dddddd; padding: 5px; }'
$style = $style + 'TD{border: 1px solid black; padding: 5px; }'
$style = $style + '</style>'
#Query the CA database: WebServer certificates that are still valid today but expire within 3 months
$htmlinput = Get-CertificationAuthority "$caname.$domaindns" | Get-IssuedRequest -Filter "CertificateTemplate -eq WebServer","NotAfter -ge $(Get-Date)", "NotAfter -le $((Get-Date).AddMonths(3))" | Sort-Object NotAfter
#Generate report
Write-Host "Generating report…" -ForegroundColor "Yellow"
Write-Host
$htmlinput | ConvertTo-Html -Head $style -Title $htmltitle -Property RequestID,RequesterName,CommonName,NotBefore,NotAfter,SerialNumber -PreContent $htmlpre -PostContent $htmlpost | Out-File -FilePath $reportfile
#Read the report back as a single string for the mail body
$message = Get-Content -Path $reportfile | Out-String
$ReportDate = $todaysdate.ToString('dd/MM/yyyy')
#Send report by email
send_mail $message "Certificate Expiration Report $ReportDate ($caname)"
#Warning if PSPKI is not installed
}
else
{
Write-Host "PSPKI is not installed. Please install it from http://pspki.codeplex.com/ " -ForegroundColor "Yellow"
Write-Host
}
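The script above hard-codes the template name, the 3-month window and the CA name derived from the local computer name. As an added example (not the original post's code, and not part of PSPKI itself), the function below wraps the same Get-CertificationAuthority / Get-IssuedRequest query with the CA, template and look-ahead window as parameters, and adds a days-remaining column with an urgency band so the weekly email can be sorted by how soon each cert goes. It assumes the PSPKI module is installed and that the account running it has at least Read permission on the CA database; "MyCA.Adatum.Com", the "WebServer" template and the output path are placeholders.

```powershell
#Requires -Modules PSPKI
# Added example, not the original post's script. Assumes PSPKI is installed and the
# caller can read the CA database. CA name, template and paths below are placeholders.

function Get-ExpiringIssuedCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CAName,   # e.g. "MyCA.Adatum.Com" (placeholder)
        [string] $Template = "WebServer",           # template name as stored in the CA database
        [int]    $DaysAhead = 90                    # look-ahead window; the post uses 3 months
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)

    # Same three-part filter as the post, built from the parameters. Only certificates
    # that are valid today and expire inside the window are returned.
    $filter = @(
        "CertificateTemplate -eq $Template",
        "NotAfter -ge $now",
        "NotAfter -le $cutoff"
    )

    # Same call form as the post (CA identifier passed positionally).
    Get-CertificationAuthority $CAName |
        Get-IssuedRequest -Filter $filter |
        ForEach-Object {
            $daysLeft = [int][math]::Ceiling(($_.NotAfter - $now).TotalDays)
            # Urgency bands are an assumption of this example; adjust to the team's lead time.
            $urgency = if ($daysLeft -le 14) { 'Critical' }
                       elseif ($daysLeft -le 30) { 'Warning' }
                       else { 'Info' }
            [pscustomobject]@{
                Urgency       = $urgency
                DaysLeft      = $daysLeft
                RequestID     = $_.RequestID
                CommonName    = $_.CommonName
                RequesterName = $_.RequesterName
                NotBefore     = $_.NotBefore
                NotAfter      = $_.NotAfter
                SerialNumber  = $_.SerialNumber
            }
        } |
        Sort-Object DaysLeft
}

# Usage: same HTML report as the post, with a per-band count above the table.
$certs   = Get-ExpiringIssuedCert -CAName "MyCA.Adatum.Com" -Template "WebServer" -DaysAhead 90
$summary = $certs | Group-Object Urgency | ForEach-Object { "<P>$($_.Name): $($_.Count) certificate(s)</P>" }
$certs | ConvertTo-Html -Title "Expiring WebServer certificates" -PreContent ($summary -join '') |
    Out-File -FilePath "$env:TEMP\expiring_certs.html"
```

Because the function returns objects rather than HTML, the same output can be piped to Export-Csv for a ticketing import or compared week to week to confirm that a cert reported as Critical has actually been replaced. Note that the filter only looks at NotAfter, so a certificate that has been revoked but not yet expired still appears in the list.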
I have then created a weekly scheduled task to run the code so the team automatically receives an email each week as per below.