Is it possible to monitor machine certificates of Windows Server?

This may be possible by running a script with a custom sensor but cannot be done natively with PRTG. I found some information about a script that may work here and here

I've tried this sensor using the -h=hostname -t=(long thumbprint) but all I get back in invalid store. Does anyone have an example of how this one works?

A public demo of all PRTG Tools Family Sensors can be found here.

The comments tab of the individual sensors will show you the parameters used.

Trying this sensor again, I've used the parameters: -h=localhost -t=3db81b03e2d4c99c22e7167fa42e17e9d3b99b27

Now I receive the message: Certificate not found

If I browse the machine under: Console Root\Certificates (Local Computer)\Personal\Certificates I do have a certificate installed

I wonder if my problem is not the data store name? It's located under Peronal but that's not one of the listed ones in the ReadMe file.

Thoughts?

Please try adding parameter

-s=My

We are trying to look at a certificate that is stored on our domain controllers that we use for the purpose of LDAPS. It is located Certificates - Service (Active Directory Domain Services) in
server\NTDS\Personal. Can we use this to look at that cert?

Hi, want to attend this thread.

On our Win 2008 r2 server I also get every lookup with WinCertExpiration "Certificate not found." It doesn't matter if I look in the AuthStore or in the CertificateAuthority

What I want to do: Monitor Certificates in the follwing stores: - (Local Computer) --> Personal --> Certificates - (Local Computer) --> Trusted Root Certification Authorities - (Local Computer) --> Intermediate Certification Authorities

Any ideas how to monitor those certs witg PRTG?

When targetting a remote computer (not being the probe) please make sure that the Remote Registry Service is running on the target computer.

For debugging purposes, the latest version of the sensor has an additional switch -l that you can use to list all certificates that the sensor can target on the given host.

-l Optional switch to list the certificates in all stores
   on the given host.(For testing from the command line only) 

The console output will than look something like this

14.4.1
Checking user store
Checking local machine store
Store name: AddressBook
Store name: AuthRoot
SECOM Trust Systems CO LTD, Thumbprint=FEB8C432DCF9769ACEAE3DD8908FFD288665647D
Hellenic Academic and Research Institutions RootCA 2011, Thumbprint=FE45659B79035B98A161B5512EACDA580948224D
D-TRUST GmbH, Thumbprint=FD1ED1E2021B0B9F73E8EB75CE23436BBCC746EB
certSIGN Root CA, Thumbprint=FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B
Spanish Property & Commerce Registry CA, Thumbprint=FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0
VRK Gov. Root CA, Thumbprint=FAA7D9FB31B746F200A85E65797613D816E063B5
CertEurope, Thumbprint=FA0882595F9CA6A11ECCBEAF65C764C0CCC311D0

Where in this case the user store for the given credentials does not exist and the machine store "Addressbook" is empty.

Hi,

I was able to implement WinCertExpiration as described above. The only thing I was wondering was the return value. In the readme.txt it says: Return value: The number of days left before the certificate expires.

In fact it returns the days with text around the number: The certificate expires in 3627 days.

Therefore I cannot trigger a warning or error. Any ideas?

Thanks Mike

Hello Mike, The PRTGToolsFamily's WinCertExpiration provides a channel called value which contains the value in days, you can configure channel limits and threshold based notifications using that channel/value.

For further questions, we're glad to help.

Running locally on the target server this query succeeds and returns the days remaining until expiration.

Running remotely, using the "-l", I can query the target server, but the output does not list my certificate/thumbprint.

Remote Registry service is started

Using MMC -> Certificates -> Current User -> Personal -> Certificates: I see my certificate.

How do I query this path remotely?

Local Query Successful:

WinCertExpiration.exe -h=%computername% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword

Remote Query Unsuccessful:

WinCertExpiration.exe -h=%target_server% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword
15.1.1.5
Connecting to certificate store LocalMachine/My on remote machine.
Enummerating certificates in My store...
Connecting to certificate store CurrentUser/My on remote machine.
Certificate not found.

Remote PRTG Host is WS12R2 Target is WS08R2

Hi Doug,

Using the -l switch on the remote query, are there any certificates listed at all? If the local query on the target machine is successful, would it be an option to install a remote probe on that machine?

Yes -l succeeds but appears to be returning only LocalComputer and not CurrentUser results. I've confirmed no difference whether i'm using -p=<hash> or -p=<password>. How do I force it to query/search CurrentUser\My ?

Thanks,

What I did, was simply create a standard SSL Cert Sensor, and putting the LDAPS port (636) in instead of 443. Works like a charm.

Not to beat a dead horse, but i'm attempting to monitor a certificate on my Skype for business edge server. i am having the same issue listed above in that i can query and return what i want locally, but not from the probe server. making this host a probe server is not an option for me, as this is a certificate only used by Skype I don't think i can just hit it on an alternate port number. Was the remote running of this script ever figured out?

Hello,

i was facing the same problem and solved it with an EXE/Script (Advanced) powershell sensor which i want to share with you.
Big thanks to Daniel Zobel [Paessler Support] whose windows ca monitoring script i used as a base.

Make sure you set the security context of the sensor to "Use Windows credentials of parent device" (and of course set them).

The script awaits only one parameter: -computername <fqdn>
Which is the fqdn of the system you want to monitor.

Param ($computername)

# declare script-wide variables
$script:starttime = Get-Date
$script:table = $null
$script:resultText = "OK"

function main
{
	$certificates = Invoke-Command -ComputerName $computername -ScriptBlock {
		Return Get-ChildItem Cert:\LocalMachine\My
	}

	foreach ($certificate in $certificates)
	{
		$row = $table.NewRow()
		$row.channel = $certificate.Subject
		$row.value = ($certificate.NotAfter - (Get-Date)).Days
		$row.unit = "Custom"
		$row.customUnit = "Days"
		$table.Rows.Add($row)
	}

        # add the execution-time to channels
	$row = $table.NewRow();
	$row.channel = "ExecutionTime";
	$row.unit = "TimeSeconds";
	$row.SpeedTime = "Second";
	$row.float = "1";
	$row.ShowChart = "0";
	$row.ShowTable = "0";
	$row.Value = "$([Math]::Round((new-timespan $starttime).totalseconds, 1))";
	$table.Rows.Add($row)
	# forward the generated table to xml-generator and store the result
	$retval = $table | New-Xml -RootTag prtg -ItemTag result -ChildItems Channel, Value, Unit, CustomUnit, Warning, Error, speedtime, volumesize, mode, showchart, showtable, float -ResultTag $resultText
	
	write-host $retval
}

function prepareResultTable
{
	# create a table to store the information only if not yet done
	# all available values predefined, in the result only the active values will apear
	if ($script:table -eq $null)
	{
		$script:table = New-Object system.Data.DataTable "result"
		$col1 = New-Object system.Data.DataColumn channel, string
		$col2 = New-Object system.Data.DataColumn value, string # a Integer or float value preconverted into a string!
		$col3 = New-Object system.Data.DataColumn unit, string # BytesBandwidth/BytesMemory/BytesDisk/Temperature/Percent/TimeResponse/TimeSeconds/Custom/Count/CPU (%)/BytesFile/SpeedDisk/SpeedNet/TimeHours
		$col4 = New-Object system.Data.DataColumn customUnit, string
		$col5 = New-Object system.Data.DataColumn warning, string # 0/1 (no/yes) 0
		$col6 = New-Object system.Data.DataColumn SpeedSize, string # One/Kilo/Mega/Giga/Tera/Byte/KiloByte/MegaByte/GigaByte/TeraByte/Bit/KiloBit/MegaBit/GigaBit/TeraBit
		$col7 = New-Object system.Data.DataColumn VolumeSize, string # siehe Speedsize
		$col8 = New-Object system.Data.DataColumn SpeedTime, string # Second/Minute/Hour/Day
		$col9 = New-Object system.Data.DataColumn Mode, string # Absolute/Difference
		$col10 = New-Object system.Data.DataColumn ShowChart, string # 0/1 (no/yes) 1
		$col11 = New-Object system.Data.DataColumn ShowTable, string # 0/1 (no/yes) 1
		$col12 = New-Object system.Data.DataColumn Float, string # 0/1 (no integer/yes float) 0
		
		$table.columns.add($($col1))
		$table.columns.add($($col2))
		$table.columns.add($($col3))
		$table.columns.add($($col4))
		$table.columns.add($($col5))
		$table.columns.add($($col6))
		$table.columns.add($($col7))
		$table.columns.add($($col8))
		$table.columns.add($($col9))
		$table.columns.add($($col10))
		$table.columns.add($($col11))
		$table.columns.add($($col12))
	}
}

# this function produces a well-formated xml-output out of a given table
function New-Xml
{
	param ($RootTag = "ROOT",
		$ItemTag = "ITEM",
		$ChildItems = "*",
		$resultTag,
		$Attributes = $Null)
	
	Begin
	{
		$xml = "<$RootTag>`n"
	}
	
	Process
	{
		$xml += "  <$ItemTag>`n"
		
		foreach ($child in $_ | Get-Member -Type *Property $childItems)
		{
			$Name = $child.Name
			if ("$($_.$name)" -ne "")
			{
				$xml += "    <$Name>$($_.$Name)</$Name>`n"
			}
		}
		$xml += "  </$ItemTag>`n"
	}
	
	End
	{
		if ([string]$resultTag -ne $false)
		{
			$xml += "  <text>$resultTag</text>`n"
		}
		$xml += "</$RootTag>`n"
		$xml
	}
}

# print a xml-errormessage
function printErrorXml($errortext = $script:resultText)
{
	$errorXml = "<prtg>`n"
	$errorXml += "  <error>1</error>`n"
	$errorXml += "  <text>$errortext</text>`n"
	$errorXml += "</prtg>`n"
	
	[System.Console]::WriteLine($errorXml)
	disconnect($session)
	exit
}

prepareResultTable

main

exit

@mwarth Thanks for sharing! :)

Hey https://kb.paessler.com/users/PRTGToolsFamily I can get the winertexpiration sensor working using a privileged account but would like to make it work with a least privileged account. What permissions do you recommend for me to set on the local machine I am trying to monitor? Cheers heaps Dean

Hi deantichborne,

There are some examples to be found on how to grand acces to a certificate for a user account.
But to be honest, I would not go there...

As often, Google is your friend...

https://stackoverflow.com/questions/4945687/how-to-grant-an-account-permissions-to-access-a-certificate

https://blogs.msmvps.com/luisabreu/blog/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5/

Sensors | Multi Channel Sensors | Tools | Notifications

Kind regards,

PRTG Tools Family

@mwarth: thanks for sharing this script. it helped a lot.

I wanted to let you know that it fails on domain controllers, which use a “modern” Kerberos Authentication certificate template to get their LDAP certificate. The result is “XML: The channel name must not be empty. (code: PE242)"

Why? Because the RFC3280 standard dictates that the subject name field should be empty

https://docs.microsoft.com/en-gb/archive/blogs/askds/third-party-application-fails-using-ldap-over-ssl

with an empty subject name in the certificate, the script returns a result set without a channel name:

<prtg> <result> <value>336</value> <unit>Custom</unit> <customUnit>Days</customUnit> <limitMinError>1</limitMinError> <limitMinWarning>14</limitMinWarning> <limitMode>1</limitMode> </result>

Compare to a different certificate that has a subject name: <prtg> <result> <channel>CN=SRV004NT.sit.local</channel> <value>144</value> <unit>Custom</unit> <customUnit>Days</customUnit> <limitMinError>1</limitMinError> <limitMinWarning>14</limitMinWarning> <limitMode>1</limitMode> </result>

To fix this: the check script should be adapted to read the subject alternative name instead. here is the relevant part of the script that i modified based on this info: https://mcselles.wordpress.com/2016/02/22/display-subject-alternative-names-of-a-certificate-with-powershell/

foreach ($certificate in $certificates)
	{
		$row = $table.NewRow()
		$row.channel = $certificate.Subject
		if ([string]::IsNullOrEmpty($certificate.Subject))
		{
			$sanExt=$certificate.Extensions | Where-Object {$_.Oid.FriendlyName -match "subject alternative name"}            
			$sanObjs = new-object -ComObject X509Enrollment.CX509ExtensionAlternativeNames            
			$altNamesStr=[System.Convert]::ToBase64String($sanExt.RawData)            
			$sanObjs.InitializeDecode(1, $altNamesStr)            
			$SAN = $sanObjs.AlternativeNames[0]
			$row.channel = $SAN.strValue
		}
		$row.value = ($certificate.NotAfter - (Get-Date)).Days
		$row.unit = "Custom"
		$row.customUnit = "Days"
		$row.limitMinError = 1
		$row.limitMinWarning = 14
		$row.limitMode = 1
		$table.Rows.Add($row)
	}

now the sensor also works on domain controller certificates. cheers

Hi,

WinCertExpiration.exe -h=servername -t=c29a0e983ddefddca148779b70254e9adf93b9d2 -s=My

Works fine if I run in PowerShell console, from different computers, with different accounts, but display the error "Certificate not found" in PRTG.

All this because I had not changed "Use Windows credentials of parent device" setting.

I would suggest to improve the post, to say first use the sensor "Exe/Script" sensor and that setting too. It would have saved me much time.

Hi Yann,

Using the "Windows credentials of parent device" will work (if you have them set).
You can also use the -u= and -p= parameters as described above

Hello, I've tried the sensor for our domain controllers (source was our monitoring server) but it didn't find the certificates in the machine certificate store.

WinCertExpiration.exe -h=host.domain -u=domain\user -p=hash -t=thumbprint 16.3.1.6 Connecting to certificate store LocalMachine/Root on remote machine. Enummerating certificates in Root store........................ Connecting to certificate store CurrentUser/Root on remote machine. Certificate not found.

Is it possible to monitor them?

Update: I found the error. The certificate had no subject configured and was therefore not found. Thank you in advance.

Hello, does someone know an option to change the date and time format?

I have the problem, that the sensor does not work because the server got a different date and time format.

With german it works but not with hungarian for example.

Anybody the same issue or a solution for this?