Certificate Authority Request Monitoring with Powershell
Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA, Enterprise CA’s are a bit more complex, but that’s a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn’t provide the greatest interface for manually requesting certificates, it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.
One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.
This neglect prompted me to write the following Powershell script which very simply uses certutil to check if there are any pending requests, and then fire off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things, however I really only needed this for requests so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.
To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.
More information and a download link is after the break…
The script uses a very simple function of certutil to check for pending requests. You can execute the following code from a command prompt or powershell prompt to see a list of existing pending requests.
certutil -view -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, Request Disposition" -Restrict "Request Disposition=9" -config "<CA_SERVER_NAME>\<CA_NAME>"
Basically what this is doing is it is telling certutil to check for any certificates where the request dispoition is 9, in other words, any pending certificate requests. It then outputs a few usefull properties related to the certificates. All you need to change is the part with “\” to include the valid server and name.
Note: You can omit the entire “-config “<CA_SERVER_NAME>\<CA_NAME>”” piece if you are running this locally from the CA server and only want to retrieve the local information.
For the full powershell script, click the download link here: Download monitor_ca_requests.ps1