Certificate Monitor

Certificate Monitor

Monitors all certificates in Root, AuthRoot, CA, and Personal("My") certificate stores. Provides status the 10 soonest to expire certificates per store that expire within next 60 days. If none expire within that window then it presents the earliest to expire certificate for that store and presents how many days to expire. Monitor status is critical when a certificate is found to expire within next 60 days.  Monitoring for the "My" certificate store is included but disabled as this store may contain a ridiculous amount of certificates and most likely none that matter. The "My" certificate store is also the local computer store's "Personal" store. "My" is the technical name the computer uses to reference the "Personal" store.

If you want to monitor the Personal ("My") store, use the following steps

  1. Edit the "Certificate Monitor"
    1. 2016-03-28_11-21-17.png
  2. Select the "Personal ("My") Monitor", then select Enable
    1. 2016-03-28_11-21-41.png

If you need help making changes to the template to alter the expiration window, use the following steps

  1. Edit the "Certificate Monitor"
    1. 2016-03-28_11-21-17.png.
  2. Select the Component and Select "Edit Script" for that component
    1. 2016-03-28_11-29-09.png
  3. Update the value for "$intThreshold", default is 60 which is 60 days. If you want to be notified sooner then update it to 90 or greater. If you want to be notified later or closer to date of expiration use 30 or 15.
    1. 2016-03-28_11-29-42.png

This monitor is only good for Windows Servers but you can monitor some Linux certificates using the SSL Expiration monitor.

UPDATE (2018-12-19) - Revision 9

     Wow, that took a long time to correct...The Personal ("My") Store was incorrectly using the CA store in the code, which would have required a change on your part to correct. I feel bad about that. I updated the monitor to      correctly use the My store for that monitor. Thank you tangles​ for letting me know!

UPDATE (2016-03-28) - Revision 6

     Now you can monitor the Personal ("My") Store! Included detailed instructions on how to enable a component or update the threshold for when you are warned of an expiring certificate.

UPDATE (2016-02-01) - Revision 5

     Bug fix. Comparison logic was inverse. I fixed the issue.

UPDATE (2016-02-01) - Revision 3

     You need to be able to edit the script to change the following values. Its rather straight forward but if anyone has any questions. Please let me know!

  • Update the threshold!
    • Current value is 60 days but you can make it whatever you want and it updates comparison values and verbiage in alerts
  • Exclude certificates using certificate subject names
    • You can exclude as many as you want but try to be specific to reduce chance of a false positive
    • Uses "Contains" comparison model so you don't have to supply the entire subject name
    • Current value is excluding "Verisign" so certificates that contain the name "Verisign" in the subject name are not monitored in this release.
      • If you need to monitor "Verisign" certificates, then comment out this line or delete the name within the quotes.
Parents
  • Sure. Let me clarify that I at least was able to create an alert that provided the name of the certificate. Still working on trying to get some sort of widget.

    I created an alert on the specific components in the template, with a status of "Critical", as that is how the monitor template is set to trigger.

    Capture.PNG

    Now, I only wanted an email notification and nothing too complex at the moment, so I created a E-mail Trigger action with the following variables:

    Capture1.PNG

    Obviously you can use whatever variables you need, but I found these at least gave me the name of the alerting server along with the certificate set to expire. You can view these variables by changing the variable list from "Global" to "Component" when the insert variable window pops up. I recommend changing the previewed node at the bottom of this window to give you the exact variables you need.

    Below is an example output from the alert being triggered and an email being sent. I have adjusted our template to monitor for certificates expiring within (90) days. For this test, I had to bump the expiration range to 1828 days for the alert to trigger and everything to prove itself. The alert worked perfectly. I created a reset trigger as well that basically just states the alerting server no longer has any outdated certificates. It resets when the condition is no longer true.

    pastedImage_3.png

    I know it's nothing too crazy, but it get's the job done now for the amount of time I had to get this in place.

    If anyone figures out a widget though before I do, please share.

Comment
  • Sure. Let me clarify that I at least was able to create an alert that provided the name of the certificate. Still working on trying to get some sort of widget.

    I created an alert on the specific components in the template, with a status of "Critical", as that is how the monitor template is set to trigger.

    Capture.PNG

    Now, I only wanted an email notification and nothing too complex at the moment, so I created a E-mail Trigger action with the following variables:

    Capture1.PNG

    Obviously you can use whatever variables you need, but I found these at least gave me the name of the alerting server along with the certificate set to expire. You can view these variables by changing the variable list from "Global" to "Component" when the insert variable window pops up. I recommend changing the previewed node at the bottom of this window to give you the exact variables you need.

    Below is an example output from the alert being triggered and an email being sent. I have adjusted our template to monitor for certificates expiring within (90) days. For this test, I had to bump the expiration range to 1828 days for the alert to trigger and everything to prove itself. The alert worked perfectly. I created a reset trigger as well that basically just states the alerting server no longer has any outdated certificates. It resets when the condition is no longer true.

    pastedImage_3.png

    I know it's nothing too crazy, but it get's the job done now for the amount of time I had to get this in place.

    If anyone figures out a widget though before I do, please share.

Children