OpsMgr: Monitoring Certificate Expiry with a PowerShell-based Monitor
This post focuses on the PowerShell-based monitor created in my first post to find and alert on certificates that are about to expire on managed computers. The monitor was created with the “Create a Unit Monitor” wizard, as demonstrated in that first post.
For this PowerShell-based unit monitor, the following values were used in General Properties.
Note: This monitor targets the Windows Server 2008 Computer class, and hence will be distributed to agents running on Windows 2008 servers.
Polling frequency was set to 3 minutes for testing purposes. This value can be changed anytime based on preference.
The command to find certificates that are about to expire, taken from the Hey, Scripting Guy! Blog, was used in the PowerShell script of this monitor, and the script was modified to return its output in a property bag.
Here is the script used:
$currentlocation = Get-Location   # remember the starting location so the script can return to it at the end
sl cert:
$thresholdindays = 1000
# Certificates that are still valid now but expire within the threshold; @() forces an array so a single hit still has a Length
$ExpiredCerts = @(Get-ChildItem -Recurse | where { $_.notafter -le (get-date).AddDays($thresholdindays) -and $_.notafter -gt (get-date) } | select thumbprint, subject)
$API = new-object -comObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()
if ($ExpiredCerts.Length -gt 0) {
    # Join one certificate per line, then strip the @{...} wrapper that Select-Object output carries when stringified
    $OFS = "`r`n"
    $result1 = [system.String]::Join($OFS, $ExpiredCerts)
    $result2 = [string]$result1
    $result2 = $result2 -replace "@{", ""
    $result2 = $result2 -replace "}", ""
    $PropertyBag.AddValue("State","ERROR")
    $PropertyBag.AddValue("Description", "Expired Certificates: " + $result2)
}
else {
    $PropertyBag.AddValue("State","OK")
    $PropertyBag.AddValue("Description", "ALL GOOD !!")
}
sl $currentlocation
$PropertyBag   # emitting the property bag hands State and Description back to the monitor
Building expressions based on the values in the property bag and mapping monitor conditions to health states was very straightforward, as follows.
The Expression Builder page builds an expression that looks for a particular value in the property bag that the data source outputs (Property[@Name='State']).
The name of the value in the property bag was specified in the alert context variable: $Data/Context/Property[@Name='Description']$
To force an alert, set the threshold to a high value like 1000 days ($thresholdindays = 1000). Here is an example of the active alert generated and the state change recorded:
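As an added example (not code from the original post), here is the same check written so it behaves the same on PowerShell 2.0 and later: it forces an array with @() so that a single expiring certificate is still counted, skips store containers and certificates that have already expired, and builds the Description explicitly instead of joining Select-Object output and stripping the @{ } wrapper. The store path Cert:\LocalMachine\My, the 30-day default and the function names are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the machine Personal store
# (Cert:\LocalMachine\My) is the one to scan and 30 days is the default threshold.
function Get-ExpiringCertificate {
    param(
        [int]$ThresholdInDays = 30,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now   = Get-Date
    $limit = $now.AddDays($ThresholdInDays)
    # -Recurse lets a store root such as Cert:\LocalMachine be passed; the NotAfter test
    # drops store containers, certificates already expired, and those beyond the threshold.
    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { $_.NotAfter -and $_.NotAfter -gt $now -and $_.NotAfter -le $limit } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            }
        }
}

function New-CertExpiryPropertyBag {
    param([int]$ThresholdInDays = 30)
    # @() forces an array, so one expiring certificate and none are both counted correctly
    # (a bare PSObject has no Length/Count on PowerShell 2.0).
    $expiring = @(Get-ExpiringCertificate -ThresholdInDays $ThresholdInDays)
    $api = New-Object -ComObject 'MOM.ScriptAPI'
    $bag = $api.CreatePropertyBag()
    if ($expiring.Count -gt 0) {
        # Build the Description one line per certificate, soonest expiry first.
        $lines = $expiring | Sort-Object DaysLeft | ForEach-Object {
            '{0} [{1}] expires {2:yyyy-MM-dd} ({3} day(s) left)' -f $_.Subject, $_.Thumbprint, $_.NotAfter, $_.DaysLeft
        }
        $bag.AddValue('State', 'ERROR')
        $bag.AddValue('Description', 'Expiring certificates: ' + ($lines -join "`r`n"))
    }
    else {
        $bag.AddValue('State', 'OK')
        $bag.AddValue('Description', 'ALL GOOD !!')
    }
    # Emitting the bag is what returns State and Description to the monitor's expression.
    $bag
}

New-CertExpiryPropertyBag -ThresholdInDays 90
```

Get-ExpiringCertificate can be run on its own in a console to see what the monitor would report on a server, without needing the agent's MOM.ScriptAPI object.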
Attached with this post are both the certificate expiry monitor management pack (TakeAWei.Certificate.Expiry.Monitor.Management.Pack.xml) and the sealed library management pack being referenced. Both management packs will need to be imported together via the Operations Console.
Disclaimer:
All information on this blog is provided on an as-is basis with no warranties and for informational purposes only. Use at your own risk. The opinions and views expressed in this blog are those of the author and do not necessarily state or reflect those of my employer.
Comments
Anonymous
October 03, 2013
Very cool and helpful!
Anonymous
October 09, 2013
Do you use Authoring Extension with Visual Studio 2012/2013?
Anonymous
May 12, 2015
This is the PowerShell 3.0 way to do it. This also targets just the Computer's Personal certificate store.
$currentlocation = Get-Location
$thresholdindays = '90'
$ExpiredCerts = Get-ChildItem -Path Cert:\LocalMachine\My -ExpiringInDays $thresholdindays | Select-Object Subject,NotAfter,Thumbprint
$API = new-object -comObject "MOM.ScriptAPI"
$PropertyBag = $API.CreatePropertyBag()
if($ExpiredCerts.Thumbprint.Length -gt 0) {
$OFS = "`r`n"
$result1 = [system.String]::Join($ofs, $ExpiredCerts)
$result2 = [string]$result1
$result2 = $result2 -replace "@{", ""
$result2 = $result2 -replace "}", ""
$PropertyBag.AddValue("State","ERROR")
$PropertyBag.AddValue("Description", "Expiring Certificates: " + $result2)
}
else {
$PropertyBag.AddValue("State","OK")
$PropertyBag.AddValue("Description", "ALL GOOD !!")
}
sl $currentlocation
$PropertyBag
Anonymous
May 19, 2015
On Windows Server 2008 R2 boxes, I'm not getting the $results2 to return in the description. I walked through the script and all seems fine. The monitor gives the correct description on a 2012 R2 server. What gives?