A reader sent me a message asking how to modify the original CA monitoring script I wrote back in November so that instead of monitoring the pending requests, it would send a message based on expiring certificates. The answer is just a modification to the certutil command that was used in the original script. The new script also allows you to specify the number of days advanced notification you are looking for, the default is 30 days. Just keep in mind that if you run this script once a day, you will receive a notification every day until the certificate is either revoked/superseded or the certificate is passed the time period specified. Of course this is all irrelevant if you have the money to spend on SCOM which can do this with one of the released management packs.
The modified certutil command looks a bit like this:
certutil -view -restrict "NotAfter>=8/9/2010,NotAfter<=9/9/2010" -out "Request ID, Request Submission Date, Request Common Name, Requester Name, Request Email Address, Request Distinguished Name, CertificateTemplate, NotAfter" -config "<CA_SERVER_NAME>\<CA_NAME>"
This will return to you all of the certificates that are scheduled to expire between today (August 9th, 2010) and 30 days from now (September 9th, 2010)
You can download the new script here: Download monitor_ca_expiry.ps1
Update: Thanks to Aaron (from New Mexico? the original reader) who noticed I forgot one really useful bit of information from the status report that displays when you run the command: the date of expiration for the certificate. I have updated the script and the sample above to reflect the change.
Rolling out a certificate authority in Windows 2003 and Windows 2008 is a relatively trivial task if you are deploying a stand-alone CA, Enterprise CA’s are a bit more complex, but that’s a post for another day. The web interface (http://server.domain.local/certsrv/) is pretty limited and doesn’t provide the greatest interface for manually requesting certificates, it even relies on cookies for managing requests. It would be really nice to see Microsoft build this into a truly useful application like what you get with the Thawte Certificate Center.
One thing that is a bit frustrating is that even when you have the logging options fully enabled for the CA, events aren’t logged for new certificate requests so you have to manually check the server on a regular basis for outstanding requests. Usually this is a low priority kind of service in your enterprise and can get neglected, which has happened in my case a few times.
This neglect prompted me to write the following Powershell script which very simply uses certutil to check if there are any pending requests, and then fire off an email to a list of users if there are. This script could also be easily modified to check for revoked certificates or to generate a weekly report on existing certificates to monitor expiration dates, among a bunch of other things, however I really only needed this for requests so that’s all it does for right now. If anyone has any interest in something else, let me know and I’ll see about updating the script to include additional features.
To use this script, all you need to do is ensure you have a copy of certutil on the machine running this, update the configurable pieces of the script, then create a scheduled task to run it every hour or so, or whatever time-frame is appropriate for you and your organization.
More information and a download link is after the break…