Is it possible to monitor machine certificates of Windows Server?

Votes:

0

How can we monitor the expiration time of computer certificates on Windows machines, e.g. the computer certificate from a Domain Controller? We are not talking about HTTPS certificates from web sites.

certificate expiration machine

Created on May 7, 2013 10:44:04 AM



Best Answer

Accepted Answer

Votes:

1

PTF.WinCertExpiration

This is possible with the new Custom Sensor WinCertExpiration.

This sensor returns the number of days before your certificate expires and takes the following parameters:

-h=   The hostname or ip-address the certificate is installed on.
-t=   The thumbprint of the certificate to check.
-s=   Optional the certificate store name (see below).
      default=Root.
-u=   Optional Domain\Username of a user account allowed to check the certificate.
-p=   Optional Password or passhash * of a user account allowed to check the certificate.

(*) Use the PassHash Tool to generate a passhash from the user account's password.

Note that the CurrentUser Store depends on the credentials used, using the -u= and -p= parameters.

Valid Certificate Store Names
AddressBook
AuthRoot
CertificateAuthority
Disallowed
My
Root
TrustedPeople
TrustedPublisher

The sensor can be downloaded from http://prtgtoolsfamily.com/downloads/sensors (WinCertExpiration)

Created on May 10, 2013 9:10:06 AM

Last change on Oct 27, 2016 6:30:41 AM by  Stephan Linke [Paessler Support]



25 Replies

Votes:

1

This may be possible by running a script with a custom sensor but cannot be done natively with PRTG. I found some information about a script that may work here and here

Created on May 8, 2013 2:18:10 PM by  Greg Campion [Paessler Support]



Votes:

0

I've tried this sensor using the -h=hostname -t=(long thumbprint) but all I get back is invalid store. Does anyone have an example of how this one works?

Created on Jun 5, 2014 7:16:16 PM



Votes:

0

A public demo of all PRTG Tools Family Sensors can be found here.

The comments tab of the individual sensors will show you the parameters used.

Created on Jun 9, 2014 10:49:11 AM



Votes:

0

Trying this sensor again, I've used the parameters: -h=localhost -t=3db81b03e2d4c99c22e7167fa42e17e9d3b99b27

Now I receive the message: Certificate not found

If I browse the machine under: Console Root\Certificates (Local Computer)\Personal\Certificates I do have a certificate installed

I wonder if my problem is not the data store name? It's located under Personal but that's not one of the listed ones in the ReadMe file.

Thoughts?

Created on Aug 25, 2014 7:30:48 PM



Votes:

0

Please try adding parameter

-s=My

Created on Aug 26, 2014 7:39:28 AM



Votes:

0

We are trying to look at a certificate that is stored on our domain controllers that we use for the purpose of LDAPS. It is located Certificates - Service (Active Directory Domain Services) in server\NTDS\Personal. Can we use this to look at that cert?

Created on Sep 8, 2014 3:28:52 AM



Votes:

0

Hi, want to attend this thread.

On our Win 2008 R2 server I also get every lookup with WinCertExpiration "Certificate not found." It doesn't matter if I look in the AuthStore or in the CertificateAuthority.

What I want to do: Monitor Certificates in the following stores:
- (Local Computer) --> Personal --> Certificates
- (Local Computer) --> Trusted Root Certification Authorities
- (Local Computer) --> Intermediate Certification Authorities

Any ideas how to monitor those certs with PRTG?

Created on Dec 4, 2014 10:03:38 AM



Votes:

0

When targeting a remote computer (not being the probe) please make sure that the Remote Registry Service is running on the target computer.

For debugging purposes, the latest version of the sensor has an additional switch -l that you can use to list all certificates that the sensor can target on the given host.

-l Optional switch to list the certificates in all stores
   on the given host.(For testing from the command line only) 

The console output will then look something like this:

14.4.1
Checking user store
Checking local machine store
Store name: AddressBook
Store name: AuthRoot
SECOM Trust Systems CO LTD, Thumbprint=FEB8C432DCF9769ACEAE3DD8908FFD288665647D
Hellenic Academic and Research Institutions RootCA 2011, Thumbprint=FE45659B79035B98A161B5512EACDA580948224D
D-TRUST GmbH, Thumbprint=FD1ED1E2021B0B9F73E8EB75CE23436BBCC746EB
certSIGN Root CA, Thumbprint=FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B
Spanish Property & Commerce Registry CA, Thumbprint=FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0
VRK Gov. Root CA, Thumbprint=FAA7D9FB31B746F200A85E65797613D816E063B5
CertEurope, Thumbprint=FA0882595F9CA6A11ECCBEAF65C764C0CCC311D0

Where in this case the user store for the given credentials does not exist and the machine store "Addressbook" is empty.

Created on Dec 5, 2014 11:20:09 AM



Votes:

0

Hi,

I was able to implement WinCertExpiration as described above. The only thing I was wondering was the return value. In the readme.txt it says: Return value: The number of days left before the certificate expires.

In fact it returns the days with text around the number: The certificate expires in 3627 days.

Therefore I cannot trigger a warning or error. Any ideas?

Thanks Mike

Created on Aug 18, 2015 8:12:20 AM



Votes:

0

Hello Mike, The PRTGToolsFamily's WinCertExpiration provides a channel called value which contains the value in days, you can configure channel limits and threshold based notifications using that channel/value.

For further questions, we're glad to help.

Created on Aug 18, 2015 9:32:06 AM by  Luciano Lingnau [Paessler]

Last change on Aug 18, 2015 9:33:18 AM by  Luciano Lingnau [Paessler]



Votes:

0

Running locally on the target server this query succeeds and returns the days remaining until expiration.

Running remotely, using the "-l", I can query the target server, but the output does not list my certificate/thumbprint.

Remote Registry service is started

Using MMC -> Certificates -> Current User -> Personal -> Certificates: I see my certificate.

How do I query this path remotely?

Local Query Successful:

WinCertExpiration.exe -h=%computername% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword

Remote Query Unsuccessful:

WinCertExpiration.exe -h=%target_server% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword
15.1.1.5
Connecting to certificate store LocalMachine/My on remote machine.
Enummerating certificates in My store...
Connecting to certificate store CurrentUser/My on remote machine.
Certificate not found.

Remote PRTG Host is WS12R2 Target is WS08R2

Created on Apr 19, 2016 8:23:37 PM

Last change on Apr 20, 2016 5:47:45 AM by  Luciano Lingnau [Paessler]



Votes:

0

Hi Doug,

Using the -l switch on the remote query, are there any certificates listed at all? If the local query on the target machine is successful, would it be an option to install a remote probe on that machine?

Created on Apr 20, 2016 8:14:03 AM



Votes:

0

Yes, -l succeeds but appears to be returning only LocalComputer and not CurrentUser results. I've confirmed no difference whether I'm using -p=<hash> or -p=<password>. How do I force it to query/search CurrentUser\My ?

Thanks,

Created on Apr 21, 2016 5:32:39 PM



Votes:

3

What I did was simply create a standard SSL Cert Sensor and put the LDAPS port (636) in instead of 443. Works like a charm.

Created on Jul 11, 2017 10:55:52 AM
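
The approach in the post above, reading the certificate a service presents on port 636 instead of reading the certificate store, looks like this as a standalone check. It is an added example, not part of the original post or of any PRTG sensor; the function name Get-TlsCertDaysLeft and the host name in the usage comment are hypothetical. It only sees a certificate that is bound to a listening TLS service.

```powershell
# Added example; Get-TlsCertDaysLeft and the host name below are hypothetical.
function Get-TlsCertDaysLeft {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 636,          # LDAPS, as in the post above
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "Timed out connecting to ${HostName}:$Port"
        }
        # The callback accepts every certificate on purpose: an expired or untrusted
        # certificate must still be read and reported. No data is sent after the handshake.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Host       = "${HostName}:$Port"
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint   # compare with the thumbprint shown in the store
                NotAfter   = $cert.NotAfter
                # Floor keeps an already expired certificate negative instead of rounding to 0.
                DaysLeft   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Usage (hypothetical host): Get-TlsCertDaysLeft -HostName dc01.example.test -Port 636
```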



Votes:

0

Not to beat a dead horse, but I'm attempting to monitor a certificate on my Skype for Business edge server. I am having the same issue listed above in that I can query and return what I want locally, but not from the probe server. Making this host a probe server is not an option for me. As this is a certificate only used by Skype, I don't think I can just hit it on an alternate port number. Was the remote running of this script ever figured out?

Created on Oct 16, 2019 12:41:33 PM



Votes:

2

Hello,

I was facing the same problem and solved it with an EXE/Script (Advanced) PowerShell sensor, which I want to share with you.
Big thanks to Daniel Zobel [Paessler Support], whose Windows CA monitoring script I used as a base.

Make sure you set the security context of the sensor to "Use Windows credentials of parent device" (and of course set them).

The script awaits only one parameter: -computername <fqdn>
Which is the FQDN of the system you want to monitor.

Param ($computername)

# declare script-wide variables
$script:starttime = Get-Date
$script:table = $null
$script:resultText = "OK"

function main
{
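	# -ErrorAction Stop turns a failed remote connection into a terminating error,
	# so the sensor cannot report "OK" without having read any certificates
	$certificates = Invoke-Command -ComputerName $computername -ErrorAction Stop -ScriptBlock {
		Return Get-ChildItem Cert:\LocalMachine\My
	}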

	foreach ($certificate in $certificates)
	{
		$row = $table.NewRow()
		$row.channel = $certificate.Subject
		$row.value = ($certificate.NotAfter - (Get-Date)).Days
		$row.unit = "Custom"
		$row.customUnit = "Days"
		$table.Rows.Add($row)
	}

	# add the execution-time to channels
	$row = $table.NewRow();
	$row.channel = "ExecutionTime";
	$row.unit = "TimeSeconds";
	$row.SpeedTime = "Second";
	$row.float = "1";
	$row.ShowChart = "0";
	$row.ShowTable = "0";
	$row.Value = "$([Math]::Round((new-timespan $starttime).totalseconds, 1))";
	$table.Rows.Add($row)
	# forward the generated table to xml-generator and store the result
	$retval = $table | New-Xml -RootTag prtg -ItemTag result -ChildItems Channel, Value, Unit, CustomUnit, Warning, Error, speedtime, volumesize, mode, showchart, showtable, float -ResultTag $resultText
	
	write-host $retval
}

function prepareResultTable
{
	# create a table to store the information only if not yet done
	# all available values predefined, in the result only the active values will appear
	if ($script:table -eq $null)
	{
		$script:table = New-Object system.Data.DataTable "result"
		$col1 = New-Object system.Data.DataColumn channel, string
		$col2 = New-Object system.Data.DataColumn value, string # a Integer or float value preconverted into a string!
		$col3 = New-Object system.Data.DataColumn unit, string # BytesBandwidth/BytesMemory/BytesDisk/Temperature/Percent/TimeResponse/TimeSeconds/Custom/Count/CPU (%)/BytesFile/SpeedDisk/SpeedNet/TimeHours
		$col4 = New-Object system.Data.DataColumn customUnit, string
		$col5 = New-Object system.Data.DataColumn warning, string # 0/1 (no/yes) 0
		$col6 = New-Object system.Data.DataColumn SpeedSize, string # One/Kilo/Mega/Giga/Tera/Byte/KiloByte/MegaByte/GigaByte/TeraByte/Bit/KiloBit/MegaBit/GigaBit/TeraBit
		$col7 = New-Object system.Data.DataColumn VolumeSize, string # see SpeedSize
		$col8 = New-Object system.Data.DataColumn SpeedTime, string # Second/Minute/Hour/Day
		$col9 = New-Object system.Data.DataColumn Mode, string # Absolute/Difference
		$col10 = New-Object system.Data.DataColumn ShowChart, string # 0/1 (no/yes) 1
		$col11 = New-Object system.Data.DataColumn ShowTable, string # 0/1 (no/yes) 1
		$col12 = New-Object system.Data.DataColumn Float, string # 0/1 (no integer/yes float) 0
		
		$table.columns.add($($col1))
		$table.columns.add($($col2))
		$table.columns.add($($col3))
		$table.columns.add($($col4))
		$table.columns.add($($col5))
		$table.columns.add($($col6))
		$table.columns.add($($col7))
		$table.columns.add($($col8))
		$table.columns.add($($col9))
		$table.columns.add($($col10))
		$table.columns.add($($col11))
		$table.columns.add($($col12))
	}
}

# this function produces a well-formatted xml-output out of a given table
function New-Xml
{
	param ($RootTag = "ROOT",
		$ItemTag = "ITEM",
		$ChildItems = "*",
		$resultTag,
		$Attributes = $Null)
	
	Begin
	{
		$xml = "<$RootTag>`n"
	}
	
	Process
	{
		$xml += "  <$ItemTag>`n"
		
		foreach ($child in $_ | Get-Member -Type *Property $childItems)
		{
			$Name = $child.Name
			if ("$($_.$name)" -ne "")
			{
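				# escape the value: certificate subjects may contain &, < or >
				$xml += "    <$Name>$([System.Security.SecurityElement]::Escape([string]$_.$Name))</$Name>`n"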
			}
		}
		$xml += "  </$ItemTag>`n"
	}
	
	End
	{
		if ([string]$resultTag -ne $false)
		{
			$xml += "  <text>$resultTag</text>`n"
		}
		$xml += "</$RootTag>`n"
		$xml
	}
}

# print a xml-errormessage
function printErrorXml($errortext = $script:resultText)
{
	# escape the message so characters like < or & cannot break the XML
	$errortext = [System.Security.SecurityElement]::Escape([string]$errortext)
	$errorXml = "<prtg>`n"
	$errorXml += "  <error>1</error>`n"
	$errorXml += "  <text>$errortext</text>`n"
	$errorXml += "</prtg>`n"
	
	[System.Console]::WriteLine($errorXml)
	exit
}

prepareResultTable

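try
{
	main
}
catch
{
	# report the failure to PRTG as a sensor error
	printErrorXml $_.Exception.Message
}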

exit

Created on Dec 5, 2019 6:50:12 AM



Votes:

0

@mwarth Thanks for sharing! :)

Created on Dec 6, 2019 1:00:03 PM by  Stephan Linke [Paessler Support]



Votes:

0

Hey https://kb.paessler.com/users/PRTGToolsFamily I can get the WinCertExpiration sensor working using a privileged account but would like to make it work with a least privileged account. What permissions do you recommend for me to set on the local machine I am trying to monitor? Cheers heaps Dean

Created on Dec 30, 2019 6:17:34 AM

Last change on Dec 30, 2019 6:17:34 AM



Votes:

0

Hi deantichborne,

There are some examples to be found on how to grant access to a certificate for a user account.
But to be honest, I would not go there...

As often, Google is your friend...

https://stackoverflow.com/questions/4945687/how-to-grant-an-account-permissions-to-access-a-certificate

https://blogs.msmvps.com/luisabreu/blog/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5/


Sensors | Multi Channel Sensors | Tools | Notifications

Kind regards,

[[http://prtgtoolsfamily.com]] PRTG Tools Family

Created on Dec 30, 2019 8:23:33 AM



Votes:

1

@mwarth: Thanks for sharing this script. It helped a lot.

I wanted to let you know that it fails on domain controllers, which use a “modern” Kerberos Authentication certificate template to get their LDAP certificate. The result is “XML: The channel name must not be empty. (code: PE242)"

Why? Because the RFC3280 standard dictates that the subject name field should be empty

https://docs.microsoft.com/en-gb/archive/blogs/askds/third-party-application-fails-using-ldap-over-ssl

With an empty subject name in the certificate, the script returns a result set without a channel name:

<prtg> <result> <value>336</value> <unit>Custom</unit> <customUnit>Days</customUnit> <limitMinError>1</limitMinError> <limitMinWarning>14</limitMinWarning> <limitMode>1</limitMode> </result>

Compare to a different certificate that has a subject name: <prtg> <result> <channel>CN=SRV004NT.sit.local</channel> <value>144</value> <unit>Custom</unit> <customUnit>Days</customUnit> <limitMinError>1</limitMinError> <limitMinWarning>14</limitMinWarning> <limitMode>1</limitMode> </result>

To fix this, the check script should be adapted to read the subject alternative name instead. Here is the relevant part of the script that I modified based on this info: https://mcselles.wordpress.com/2016/02/22/display-subject-alternative-names-of-a-certificate-with-powershell/

	foreach ($certificate in $certificates)
	{
		$row = $table.NewRow()
		$row.channel = $certificate.Subject
		# empty subject: use the first subject alternative name as channel name
		if ([string]::IsNullOrEmpty($certificate.Subject))
		{
			# match the extension by OID (2.5.29.17 = subject alternative name),
			# because the friendly name depends on the system language
			$sanExt = $certificate.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
			$sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
			$altNamesStr = [System.Convert]::ToBase64String($sanExt.RawData)
			$sanObjs.InitializeDecode(1, $altNamesStr)
			$SAN = $sanObjs.AlternativeNames[0]
			$row.channel = $SAN.strValue
		}
		$row.value = ($certificate.NotAfter - (Get-Date)).Days
		$row.unit = "Custom"
		$row.customUnit = "Days"
		# limitMinError, limitMinWarning and limitMode must also exist as columns in
		# prepareResultTable and in the -ChildItems list passed to New-Xml
		$row.limitMinError = 1
		$row.limitMinWarning = 14
		$row.limitMode = 1
		$table.Rows.Add($row)
	}

Now the sensor also works on domain controller certificates. Cheers

Created on Apr 28, 2020 7:26:38 PM
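
The empty-subject problem described in the post above can also be handled by choosing the channel name on the target machine and returning only plain values. This is an added example, not code from the thread or from the PRTG Tools Family sensor; the function names Get-CertRow and ConvertTo-PrtgCertXml, the thumbprints and the second host name are constructed, and it uses X509Certificate2.GetNameInfo instead of the COM object from the post.

```powershell
# Added example. Function names and sample rows are constructed for illustration.
function Get-CertRow {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Pick the channel name on the target, where live X509Certificate2 methods exist.
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
            # Subject first, then a DNS name from the SAN, then the thumbprint.
            $name = $_.Subject
            if ([string]::IsNullOrWhiteSpace($name)) { $name = $_.GetNameInfo($dnsType, $false) }
            if ([string]::IsNullOrWhiteSpace($name)) { $name = $_.Thumbprint }
            [pscustomobject]@{
                Name       = $name
                Thumbprint = $_.Thumbprint
                # Floor keeps an already expired certificate negative instead of rounding to 0.
                DaysLeft   = [int][math]::Floor(($_.NotAfter - (Get-Date)).TotalDays)
            }
        }
    }
}

function ConvertTo-PrtgCertXml {
    param([Parameter(Mandatory)][object[]]$Rows, [int]$WarnDays = 14, [int]$ErrorDays = 1)
    $seen = @{}
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<prtg>')
    foreach ($r in $Rows) {
        $name = [string]$r.Name
        # Old and renewed certificates often share a subject; keep channel names distinct.
        if ($seen.ContainsKey($name)) { $name = '{0} [{1}]' -f $name, $r.Thumbprint.Substring(0, 8) }
        $seen[$name] = $true
        # Subjects may contain &, <, > or quotes, which would otherwise break the XML.
        $safe = [System.Security.SecurityElement]::Escape($name)
        [void]$sb.AppendLine('  <result>')
        [void]$sb.AppendLine("    <channel>$safe</channel>")
        [void]$sb.AppendLine("    <value>$($r.DaysLeft)</value>")
        [void]$sb.AppendLine('    <unit>Custom</unit>')
        [void]$sb.AppendLine('    <customUnit>Days</customUnit>')
        [void]$sb.AppendLine("    <limitMinError>$ErrorDays</limitMinError>")
        [void]$sb.AppendLine("    <limitMinWarning>$WarnDays</limitMinWarning>")
        [void]$sb.AppendLine('    <limitMode>1</limitMode>')
        [void]$sb.AppendLine('  </result>')
    }
    [void]$sb.AppendLine('  <text>OK</text>')
    [void]$sb.Append('</prtg>')
    $sb.ToString()
}

# Constructed sample rows so the XML step can be tried offline.
# On a probe, replace them with: $rows = Get-CertRow -ComputerName <fqdn>
$rows = @(
    [pscustomobject]@{ Name = 'CN=SRV004NT.sit.local'; Thumbprint = '1111111111111111111111111111111111111111'; DaysLeft = 144 }
    [pscustomobject]@{ Name = 'CN=SRV004NT.sit.local'; Thumbprint = '2222222222222222222222222222222222222222'; DaysLeft = -3 }
    [pscustomobject]@{ Name = 'dc01.example.test'; Thumbprint = '3333333333333333333333333333333333333333'; DaysLeft = 336 }
)
ConvertTo-PrtgCertXml -Rows $rows
```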



Votes:

0

Hi,

WinCertExpiration.exe -h=servername -t=c29a0e983ddefddca148779b70254e9adf93b9d2 -s=My

Works fine if I run it in a PowerShell console, from different computers, with different accounts, but displays the error "Certificate not found" in PRTG.

All this because I had not changed "Use Windows credentials of parent device" setting.

I would suggest improving the post to say first to use the "Exe/Script" sensor and that setting too. It would have saved me much time.

Created on May 14, 2020 9:03:15 AM



Votes:

0

Hi Yann,

Using the "Windows credentials of parent device" will work (if you have them set).
You can also use the -u= and -p= parameters as described above

Created on May 14, 2020 12:35:01 PM



Votes:

0

Hello, I've tried the sensor for our domain controllers (source was our monitoring server) but it didn't find the certificates in the machine certificate store.

WinCertExpiration.exe -h=host.domain -u=domain\user -p=hash -t=thumbprint
16.3.1.6
Connecting to certificate store LocalMachine/Root on remote machine.
Enummerating certificates in Root store........................
Connecting to certificate store CurrentUser/Root on remote machine.
Certificate not found.

Is it possible to monitor them?

Update: I found the error. The certificate had no subject configured and was therefore not found. Thank you in advance.

Created on Jun 4, 2020 6:16:01 AM

Last change on Jun 5, 2020 10:59:38 AM by  Isidora Jeremic [Paessler Support]



Votes:

0

Hello, does someone know an option to change the date and time format?

I have the problem that the sensor does not work because the server has a different date and time format.

With German it works but not with Hungarian for example.

Anybody the same issue or a solution for this?

Created on Jul 12, 2022 8:40:28 AM



