Certificate Monitor

Monitors all certificates in the Root, AuthRoot, CA, and Personal ("My") certificate stores of the local computer. For each store it reports the 10 soonest-to-expire certificates that expire within the next 60 days. If none expire within that window, it reports the earliest-to-expire certificate for that store and how many days remain until it expires. The monitor status is critical when a certificate is found that expires within the next 60 days. Monitoring for the "My" certificate store is included but disabled by default, because that store can contain a very large number of certificates, most of which probably do not matter. The "My" certificate store is the local computer's "Personal" store; "My" is the technical name the computer uses to reference it.

If you want to monitor the Personal ("My") store, use the following steps:

  1. Edit the "Certificate Monitor".
     (screenshot: 2016-03-28_11-21-17.png)
  2. Select the "Personal ("My") Monitor" component, then select Enable.
     (screenshot: 2016-03-28_11-21-41.png)

If you need help changing the template to alter the expiration window, use the following steps:

  1. Edit the "Certificate Monitor".
     (screenshot: 2016-03-28_11-21-17.png)
  2. Select the component and select "Edit Script" for that component.
     (screenshot: 2016-03-28_11-29-09.png)
  3. Update the value of "$intThreshold". The default is 60, meaning 60 days. To be notified sooner, raise it to 90 or greater; to be notified later, closer to the expiration date, use 30 or 15.
     (screenshot: 2016-03-28_11-29-42.png)

This monitor only works on Windows servers, but you can monitor some Linux certificates using the SSL Expiration monitor.

UPDATE (2018-12-19) - Revision 9

  Wow, that took a long time to correct... The Personal ("My") Store was incorrectly using the CA store in the code, which would have required a change on your part to correct. I feel bad about that. I updated the monitor to correctly use the My store for that component. Thank you tangles for letting me know!

UPDATE (2016-03-28) - Revision 6

  Now you can monitor the Personal ("My") Store! Included detailed instructions on how to enable a component or update the threshold for when you are warned of an expiring certificate.

UPDATE (2016-02-01) - Revision 5

  Bug fix. Comparison logic was inverse. I fixed the issue.

UPDATE (2016-02-01) - Revision 3

  You need to be able to edit the script to change the following values. It is rather straightforward, but if anyone has any questions, please let me know!

  • Update the threshold!
    • The current value is 60 days, but you can make it whatever you want; the comparison values and the wording in alerts are updated from it.
  • Exclude certificates using certificate subject names
    • You can exclude as many as you want, but try to be specific to reduce the chance of a false positive.
    • Uses a "Contains" comparison, so you don't have to supply the entire subject name.
    • The current value excludes "Verisign", so certificates whose subject name contains "Verisign" are not monitored in this release.
      • If you need to monitor "Verisign" certificates, comment out this line or delete the name within the quotes.
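The description above (all certificates in a store scanned, the 10 soonest to expire within the window reported, otherwise the earliest one, and a "Contains" exclusion on the subject name) and the threshold and exclusion settings just listed can be seen end to end in the following script. It is an added example written for this page, not the template's own code: one SAM Windows PowerShell Monitor component for a single store, with assumed parameter names $ComputerName, $StoreName, $MaxResults and an assumed 730-day fallback for an empty store; $intThreshold and $excludeCerts keep the template's names and defaults.

```powershell
# Added example, not the template's own script: one SAM script-monitor component for a single
# certificate store. Assumed parameter names: $ComputerName, $StoreName, $MaxResults.
param(
    [string]$ComputerName = 'localhost',       # the template passes the test node's ${IP} here
    [ValidateSet('Root', 'AuthRoot', 'CA', 'My')]
    [string]$StoreName = 'Root',               # 'My' is the LocalMachine "Personal" store
    [int]$intThreshold = 60,                   # days; same name and default as the template
    [int]$MaxResults = 10,                     # SAM accepts at most 10 Statistic/Message pairs
    [string[]]$excludeCerts = @('Verisign')    # case-insensitive "Contains" match on the Subject
)

function Get-StoreCertificates {
    param([string]$Computer, [string]$Store, [string[]]$Exclude)
    # "\\host\Store" opens the remote computer's LocalMachine store; a bare name opens the local one.
    $path = if ($Computer -in 'localhost', '.', $env:COMPUTERNAME) { $Store } else { "\\$Computer\$Store" }
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Store($path, 'LocalMachine')
    try {
        $x509.Open('ReadOnly')   # throws when the account cannot reach or read the store
        $now = Get-Date
        foreach ($cert in $x509.Certificates) {
            $subject = $cert.Subject
            $skip = $false
            foreach ($pattern in $Exclude) {
                if ($pattern -and $subject.IndexOf($pattern, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    $skip = $true; break
                }
            }
            if ($skip) { continue }
            [pscustomobject]@{
                Subject    = $subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)   # negative = already expired
            }
        }
    } finally {
        $x509.Close()
    }
}

function Select-CertsToReport {
    param([object[]]$Certs, [int]$Threshold, [int]$Max)
    $sorted   = @($Certs | Sort-Object DaysLeft)
    $inWindow = @($sorted | Where-Object { $_.DaysLeft -le $Threshold })
    if ($inWindow.Count -gt 0) { return $inWindow | Select-Object -First $Max }
    return $sorted | Select-Object -First 1    # nothing inside the window: show the earliest to expire
}

try {
    $certs  = @(Get-StoreCertificates -Computer $ComputerName -Store $StoreName -Exclude $excludeCerts)
    $report = @(Select-CertsToReport -Certs $certs -Threshold $intThreshold -Max $MaxResults)
} catch {
    # Surface the failure instead of a silent "Up": a 0-day statistic trips a "less than" threshold.
    Write-Host "Message.0: Could not open the $StoreName store on ${ComputerName}: $($_.Exception.Message)"
    Write-Host "Statistic.0: 0"
    exit 1   # non-zero so SAM does not report the component as Up
}

if ($report.Count -eq 0) {
    # Empty store (or everything excluded). 730 is an assumed fallback, chosen to match the
    # $dateExpireDays default the template uses when no certificate is found.
    Write-Host "Message.0: No certificates to evaluate in the $StoreName store; none expire within $intThreshold days."
    Write-Host "Statistic.0: 730"
    exit 0
}

$i = 0
foreach ($c in $report) {
    $when = if ($c.DaysLeft -lt 0) { "EXPIRED $(-$c.DaysLeft) days ago" }
            elseif ($c.DaysLeft -le $intThreshold) { "expires in $($c.DaysLeft) days (inside the $intThreshold-day window)" }
            else { "next to expire, in $($c.DaysLeft) days" }
    Write-Host "Message.${i}: $StoreName store: $($c.Subject) [thumbprint $($c.Thumbprint)] $when, NotAfter $($c.NotAfter.ToString('yyyy-MM-dd'))"
    Write-Host "Statistic.${i}: $($c.DaysLeft)"
    $i++
}
exit 0
```

Each Statistic.N is the number of days left for the certificate described in Message.N, so the component's Statistic threshold should be a "less than" comparison against the same number of days as $intThreshold; already-expired certificates sort first and report a negative value, so they stay critical until removed or excluded. A store that cannot be opened is reported with a 0-day statistic and a non-zero exit code rather than being silently treated as healthy.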
Comments

I just installed this and tested it against a node that I know has an expiring certificate in the Local Computer > Personal store, but when I tested the monitor against the node, it found no certificates expiring in the next 60 days.

Hello!

This monitor does the following, per the description, "Monitors Root, AuthRoot, and CA certificate stores. Provides status on up to 10 certificates per store that expire within next 60 days."

I decided to not monitor the personal because it can contain a lot of weird certs. If you want to monitor the personal, you can though! Edit the script that monitors root, search for "root" and replace with "my" , then save and test the monitor.

Let me know how that works out!

EDIT:

I edited this so that if anyone else views this comment they update the script correctly. I edited "personal" and replaced it with "my". Thank you tangles

How difficult do you think it would be to copy the "Root" and duplicate that to add the "Personal" store so we can have both?

I took a stab at trying this myself, by copying all of the lines for the Root certificate (lines 47-406) and pasting them into a new document, where I could do a replace all (replace root with personal) and then paste it back into the original template at the end of the Root section (line 407)

I then also edited the Tags section to add:

    <TagInfo>
      <Name>personal</Name>
      <TemplateID>238</TemplateID>
    </TagInfo>

Imported the script, and tested it against a machine (WNSVRMGT) that I know has an expiring cert, and it gave me results that it was checking the store, but that it didn't find any certs expiring in 60 days.

(screenshot: wnsvrmgt_personal.jpg)

Also, looking over your template script, I see the following line:

$exludeCerts = "Verisign"

Should that not be $excludeCerts?

I got this to work by replacing the PowerShell logic to use "My" instead of "Personal". I also changed all of the <ID> numbers in the <DynamicEvidenceColumnSchema> section to a unique number (since there would be duplicates in the Root and Personal sections). I'm not sure if that was a necessary check or not, but when I went to test the new template against that node it was showing me the expiring cert in the Personal store!

Now I just need to configure alerting so we get emailed upon an "error"

This is great!

Great work!!

You should feel awesome working that out!

Thankfully I misspelled the value everywhere the same so it works. I probably will not update this just to fix a misspelling but if there are any bugs or features to add, then I would fix the misspelling with the release too.

Serco, this looks promising for my environment, question though...

You mention it can only monitor up to 10 certs. Can it look for more than 10? I will be installing possibly more than 10 in the Personal aka "My" Store, and need to monitor them all.

Thanks

  -Steve

Hey Steve,

This will monitor all certs in each cert store but only display the top 10 soonest to expire. I will update the description to make that more clear; as it reads right now, it's not.

Paul

Awesome.  Thank you.

Hi Guys,

I have tried using the template and I was receiving the following error when testing the template against our server. Can you assist with the error?

(screenshot: pastedImage_0.png)

Hello,

The account you are using in SolarWinds does not have the proper permissions on the Windows computer you are attempting to access.

You can test the Certificate Monitor from its settings page.

  1. Select "Root Certificate".
  2. Select "Set Test Node" and use the pop-up window to select a server by its hostname or IP.
  3. Use the "Credential for Monitoring" setting to select which account you will use to access the selected "Test Node". This account must have permissions to access the Windows device and read the certificate stores for the local computer.
    1. This is very important: the account you used does not have permissions to access the certificate store for the local computer.
  4. This section will show the status of the test.

(screenshot: 2016-04-12_4-53-09.png)
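The permission check described in the steps above can be done outside SAM before choosing a credential. The following is an added example written for this page, not part of the template or of anyone's post here: run it in a PowerShell session started as the account you intend to select under "Credential for Monitoring", against the intended test node. It opens each LocalMachine store read-only the same way the template does (the "\\host\Store" form) and reports which stores that account can actually read; the parameter names $ComputerName and $Stores are assumptions.

```powershell
# Added example, not part of the template: preflight check of certificate-store access
# for the account that will be used as "Credential for Monitoring". Parameter names assumed.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string[]]$Stores = @('Root', 'AuthRoot', 'CA', 'My')   # 'My' is the "Personal" store
)

function Test-CertStoreAccess {
    param([string]$Computer, [string]$Store)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$Computer\$Store", 'LocalMachine')
    try {
        $x509.Open('ReadOnly')
        [pscustomobject]@{
            Computer = $Computer; Store = $Store; Readable = $true
            Certificates = $x509.Certificates.Count; Error = $null
        }
    } catch {
        # A failing .NET call surfaces as MethodInvocationException; the real cause is the inner exception
        $reason = if ($_.Exception.InnerException) { $_.Exception.InnerException.Message } else { $_.Exception.Message }
        [pscustomobject]@{
            Computer = $Computer; Store = $Store; Readable = $false
            Certificates = 0; Error = $reason.Trim()
        }
    } finally {
        $x509.Close()
    }
}

$results = foreach ($s in $Stores) { Test-CertStoreAccess -Computer $ComputerName -Store $s }
$results | Format-Table Store, Readable, Certificates, Error -AutoSize

if ($results | Where-Object { -not $_.Readable }) {
    Write-Warning "Running as $env:USERDOMAIN\$env:USERNAME, at least one store on $ComputerName is not readable."
    Write-Warning 'Remote store access goes through the remote registry: check that the account has local administrator rights on the target and that the Remote Registry service there is running and reachable.'
    exit 1
}
exit 0
```

A store that reports Readable = False here will fail in the same way inside SAM, so fixing the account's rights on the target (or the remote registry path to it) before assigning the credential saves a round of failed component tests.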

Hi, Serco.

Thanks for the detailed instructions. When I tried it I got a successful result. By the way, the certificate on the server will expire in a couple of days, but the result shows "No certificate will expire".

(screenshot: pastedImage_1.png)

Excellent.

That's the root certificate store. The certificate you are looking for may be in one of the other stores: AuthRoot, CA, or Personal ("My").

I've successfully imported this awesome template, but I cannot get an alert to fire. Our filters on the component and application Advanced Alerts are pretty wide open, so there's no suppression involved. Anyone know where I should be looking to see why the alert did not fire?

(screenshot: 2016-10-20 12_36_22-Start.png)

I am getting the following error.

    Output: ==============================================
    Message.0 : No Certificate Will Expire within next 60 days.
    Statistic.0 : 730
    Errors: ==============================================
    Exception calling "Open" with "1" argument(s): "The network path was not found.
    "
    At line:14 char:19
    + $objStore.open <<<< ("ReadOnly")
        + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : DotNetMethodException

This is exactly what I needed, works perfectly in my environment. I didn't need to tweak anything at all. Thanks!

I am glad you find this monitor useful!

If you are still having issues with the Alert triggering, you may want to create a custom Alert just for this monitor. If that is not possible, please provide some more details.

Are you still having an issue?

The account you are using to read the certificate stores may not have local administrator rights on the Windows desktop or server. See ralph.pineda's comment above; this is the same issue they had.

Awesome, I appreciate the kind comment and I am glad the monitor is useful!

I had an older version of the template which was working fine, and then I noticed it wasn't polling the personal store. I removed and re-imported the template, enabled the Personal feature and applied to the desired nodes. However, now I see in the server application event log "Application "Certificate Monitor" on node "servername" is in an unknown state". What did I do wrong?

Great Template.

The Personal Store script did not work out of the box when I had imported it into our environment. I noticed that the line in question

    $objStore = new-object System.Security.Cryptography.X509Certificates.X509Store("\\${IP}\CA","LocalMachine")

was actually looking at the CA store and not the "MY" Personal store as it should. I just changed the CA to MY and then the output messaging was correct. I am now just setting it up to send us an email notification alert if this happens.

Thanks a bunch for the template.

Really super-useful Template - thanks!

Could you give me a hint how to trigger based on the possible multiple return values (and messages)?

What confuses me is:

- The script may return 1 to 10 return values depending on how many certs are < 60 days

- Different Alert trigger Fields exist for the script component (e.g. Multi Value Statistics)

- The output of this Field is in Format [index]:[value] e.g. "0:723" or "1:59"... - so it is not possible to create "less than" triggers

- Then there is a Field called "Statistic Data (Numeric) (Multiple) with output format as integer, but I do not know if this triggers on any multiple return value with index 0 to 9

How can I create an alert that triggers on any index return value going < 60?

Thanks for help!

Spot on! This restored functionality for the Personal store. Thank you!

Template works great.

Is there a way to create an alert from this so that an email gets sent out when a certificate expires in 60 days?

The application/component status should go to warning or critical based on the thresholds you define in the template.

(screenshot: pastedImage_0.png)

I think it is not that easy.

The scripts delivers from 1 to 10 possible return values (we do not know), depending on how many certs are < 60 days.

A standard multi-value alert trigger would only trigger once, when the first cert expiration date goes under 60 days.

E.g. if another cert reaches the script threshold two days later, the alert is already triggered and so no further emails are sent.

Only if the alert is cleared (when the expiration issue is solved) another cert expiration can trigger the alert.

I am still searching for a solution of the problem - maybe the template has to be adapted to make reasonable alert triggers possible...

I have added this template in SAM. However, I don't know how to monitor certificates in my local certificate authority.

I have enabled the Personal component and modified the date to 45, but did not get any alert.

Could you please guide how to add certificate authority to monitor. Thanks

Bump... What variables are you folks using if you have an email alert tied to this?

${N=SwisEntity;M=ApplicationAlert.ComponentsWithStatus}

${N=SwisEntity;M=ApplicationAlert.ComponentsWithStatusFormatted}

${N=SwisEntity;M=ApplicationAlert.ComponentsWithStatusFormattedHtml}

All of these return the same result:

AuthRoot Certificate(Up)

AuthRoot Certificate(Up)

AuthRoot Certificate(Up)

However I have values returned from the monitor which indicates there is a cert expiring within the time period.

The hard part is getting the app owners to let me install the Agent on their servers so we can enable AppInsight

Hi all, has anyone got a solution for the following:

We've renewed the Issuing CA's cert but the monitor is still alerting because the old cert is still due to expire. We don't want to delete the old cert in case it breaks a cert chain somewhere else.

Is there any logic that checks if there's a newer cert already in the store and maybe issue a warning rather than critical alert?

NB. The new cert has the same name but we've upped the signature algorithm.

Thanks!

Hello,

This seems to work great in my environment; the issue I face is with alerting. When I was adding the monitor, I had two certificates expiring on a server, both in the same store. During the test I got an output that had Message 0/Statistic 0 and Message 1/Statistic 1. On creating the alert to be triggered when the component/application is down, I get an alert only for the certificate that is in Message 0/Statistic 0 and do not get the Message 1/Statistic 1 certificate expiry alert. Is there a way that I could have both in the same alert, as I understand another alert cannot be created while the active alert is not reset?

For now I have added a new application with the same script and excluded the first certificates name so that it would trigger for the second. This seemed okay when on a few servers, but now I am planning on having this done for the whole environment and I wouldn't be able to exclude certificates as the number will be huge.

Any idea on how I can have this done?

TIA

Malcolm.

My savior

Hi, noob question: does the statistic mean the days left before the certificate expires?

(screenshot: pastedImage_1.png)

Correct! The next certificate to expire will be in 290 days

What variable do I set to show the statistic to be the days until it expires?

The returned value for this monitor is equal to the amount of days until the certificate expires.

So the only change I made to the script was $intThreshold. I changed it to 60 so that when a cert expires in less than 60 days, we get a notification. However, the statistic shows whatever this is set to:

    else {
        If (!$dateExpireDays){
            $dateExpireDays = 730
        }

Is there another variable $dateExpireDays needs to be set to? It was initially set to an integer.

Hey, hopefully you still check this!

Is it possible to add the results of this check to a dashboard widget? I've got a NOC view that shows high memory, CPU and disk usage, nodes down, etc., and being able to have this on it too would be great.

You should be able to add a resource to your view that allows you to display the value of a Universal Device Poller; there are many to choose from!

(screenshot: pastedImage_0.png)

Hey, thanks for the reply!

How are you getting to that window? This is what I get... or am I in totally the wrong place?

(screenshot: Capture.PNG)

What version of NPM are you running? The screenshot I posted is from NPM 12.2. Previous versions will look like the screenshot you posted.

Two questions,

(1) Has anyone successfully created an alert for this template that emails the name of the expiring certificate?

(2) Successfully created a widget that displays the name of the certificates and or dates of expiration?

I have the template imported and monitoring successfully. Just not sure how to create an alert for this monitor based on the values returned. Well, an alert that gives me the name of the certificate anyways.

Thanks!

Edit: I ended up figuring this out on my own.

Please share your solution! I am interested in how you accomplished this

Sure. Let me clarify that I at least was able to create an alert that provided the name of the certificate. Still working on trying to get some sort of widget.

I created an alert on the specific components in the template, with a status of "Critical", as that is how the monitor template is set to trigger.

(screenshot: Capture.PNG)

Now, I only wanted an email notification and nothing too complex at the moment, so I created an E-mail Trigger action with the following variables:

(screenshot: Capture1.PNG)

Obviously you can use whatever variables you need, but I found these at least gave me the name of the alerting server along with the certificate set to expire. You can view these variables by changing the variable list from "Global" to "Component" when the insert variable window pops up. I recommend changing the previewed node at the bottom of this window to give you the exact variables you need.

Below is an example output from the alert being triggered and an email being sent. I have adjusted our template to monitor for certificates expiring within (90) days. For this test, I had to bump the expiration range to 1828 days for the alert to trigger and everything to prove itself. The alert worked perfectly. I created a reset trigger as well that basically just states the alerting server no longer has any outdated certificates. It resets when the condition is no longer true.

(screenshot: pastedImage_3.png)

I know it's nothing too crazy, but it gets the job done for now given the amount of time I had to get this in place.

If anyone figures out a widget though before I do, please share.

Very nice. I could never figure out how to get this to work. I was alerting on the Application instead of the Component, thanks for pointing that out!

Some very useful information on this page. Thanks to serco.paul and nickzourdos.

Here is something I couldn't figure out. When I change the warning and critical thresholds, it does not affect the status of the component. It remains in Critical state. I want this component to go into Warning state if the number of days to expire is over 100 and Critical when the value is over 200 days.

Currently $intThreshold has been set to 300.

(screenshot: pastedImage_1.png)

Component status:

(screenshot: pastedImage_0.png)

You'll want to change the threshold to "less than". Right now the thresholds are configured to alert when the returned value is greater than 100/200. This means that the component will be warning/critical if any of your certificates expire in over 100/200 days.

Version history: revision 1 of 1, last updated 08-11-2015 06:03 AM.