How can we monitor the expiration time of computer certificates on windows machines? e.g. the computer certificate from a Domain Controller. We are not talking about HTTPS certificates from web sites.
Is it possible to monitor machine certificates of Windows Server?
Votes:
0
Best Answer
Votes:
1
PTF.WinCertExpiration
This is possible with new Custom Sensor WinCertExpiration.
This sensor returns the number of days before your certificate expires and takes the following parameters:
-h= The hostname or IP address the certificate is installed on.
-t= The thumbprint of the certificate to check.
-s= Optional: the certificate store name (see below). Default=Root.
-u= Optional: Domain\Username of a user account allowed to check the certificate.
-p= Optional: password or passhash (*) of a user account allowed to check the certificate.
(*) Use the PassHash Tool to generate a passhash from the user account's password.
Note that the CurrentUser store depends on the credentials used, i.e. on the -u= and -p= parameters.
| Valid Certificate Store Names |
|---|
| AddressBook |
| AuthRoot |
| CertificateAuthority |
| Disallowed |
| My |
| Root |
| TrustedPeople |
| TrustedPublisher |
The sensor can be downloaded from http://prtgtoolsfamily.com/downloads/sensors (WinCertExpiration)
Created on May 10, 2013 9:10:06 AM
Last change on Oct 27, 2016 6:30:41 AM by
Stephan Linke [Paessler Support]
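The same lookup the sensor performs, written as an added PowerShell example (it is not the PRTG Tools Family sensor and not Paessler code): it finds one certificate by thumbprint in a named machine or user store, locally or on a remote host, and reports the days left. Store names are the X509 store names rather than the MMC folder labels (Personal = My, Trusted Root Certification Authorities = Root, Intermediate Certification Authorities = CA), which is the usual cause of a "Certificate not found" result. The remote path uses PowerShell remoting (WinRM) instead of the Remote Registry service the sensor relies on; the host name in the usage lines is an assumed placeholder.

```powershell
function Get-MachineCertExpiration {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$ComputerName = $env:COMPUTERNAME,
        # X509 store names as the Cert: provider knows them, not the MMC folder labels.
        [ValidateSet('My','Root','CA','AuthRoot','TrustedPeople','TrustedPublisher','Disallowed','AddressBook')]
        [string]$StoreName = 'My',
        [ValidateSet('LocalMachine','CurrentUser')][string]$StoreLocation = 'LocalMachine',
        [pscredential]$Credential,
        [switch]$ListAll   # enumerate the whole store instead of matching, like the sensor's -l switch
    )
    # Thumbprints copied from the MMC often carry spaces or an invisible leading character.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $work = {
        param($loc, $store, $tp, $all)
        $certs = Get-ChildItem -Path "Cert:\$loc\$store"
        if (-not $all) { $certs = $certs | Where-Object { $_.Thumbprint -eq $tp } }
        foreach ($c in $certs) {
            [pscustomobject]@{
                Thumbprint    = $c.Thumbprint
                Subject       = $c.Subject
                # DnsName reads the SAN dNSName first and falls back to the subject CN,
                # so certificates with an empty subject still get a readable name.
                DnsName       = $c.GetNameInfo('DnsName', $false)
                NotAfter      = $c.NotAfter
                DaysRemaining = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
                HasPrivateKey = $c.HasPrivateKey
            }
        }
    }
    $argList = @($StoreLocation, $StoreName, $Thumbprint, [bool]$ListAll)
    $isLocal = $ComputerName -in @($env:COMPUTERNAME, 'localhost', '.')
    $result = if ($isLocal) {
        & $work @argList
    } else {
        $splat = @{ ComputerName = $ComputerName; ScriptBlock = $work; ArgumentList = $argList }
        if ($Credential) { $splat.Credential = $Credential }
        Invoke-Command @splat | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
    }
    if (-not $result -and -not $ListAll) {
        throw "Certificate $Thumbprint not found in $StoreLocation\$StoreName on $ComputerName"
    }
    $result
}

# Usage (dc01.example.test is a placeholder host):
# Get-MachineCertExpiration -ComputerName dc01.example.test -Thumbprint '3db81b03e2d4c99c22e7167fa42e17e9d3b99b27'
# Get-MachineCertExpiration -ComputerName dc01.example.test -StoreName Root -ListAll | Sort-Object DaysRemaining
```

When run remotely, the scriptblock executes under the connecting account, so `-StoreLocation CurrentUser` shows that account's store on the target, not the store of whichever user happens to be logged on there; a certificate that is only visible under Current User > Personal for some other account cannot be reached this way.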
25 Replies
Votes:
0
I've tried this sensor using the -h=hostname -t=(long thumbprint) but all I get back is "invalid store". Does anyone have an example of how this one works?
Votes:
0
A public demo of all PRTG Tools Family Sensors can be found here.
The comments tab of the individual sensors will show you the parameters used.
Votes:
0
Trying this sensor again, I've used the parameters: -h=localhost -t=3db81b03e2d4c99c22e7167fa42e17e9d3b99b27
Now I receive the message: Certificate not found
If I browse the machine under: Console Root\Certificates (Local Computer)\Personal\Certificates I do have a certificate installed
I wonder if my problem is the data store name? It's located under Personal but that's not one of the ones listed in the ReadMe file.
Thoughts?
Votes:
0
We are trying to look at a certificate that is stored on our domain controllers that we use for the purpose of LDAPS. It is located under Certificates - Service (Active Directory Domain Services) in server\NTDS\Personal. Can we use this to look at that cert?
Votes:
0
Hi, I want to join this thread.
On our Win 2008 R2 server I also get "Certificate not found." on every lookup with WinCertExpiration. It doesn't matter if I look in the AuthRoot store or in the CertificateAuthority store.
What I want to do: monitor certificates in the following stores:
- (Local Computer) --> Personal --> Certificates
- (Local Computer) --> Trusted Root Certification Authorities
- (Local Computer) --> Intermediate Certification Authorities
Any ideas how to monitor those certs with PRTG?
Votes:
0
When targeting a remote computer (not being the probe) please make sure that the Remote Registry Service is running on the target computer.
For debugging purposes, the latest version of the sensor has an additional switch -l that you can use to list all certificates that the sensor can target on the given host.
-l Optional switch to list the certificates in all stores on the given host. (For testing from the command line only)
The console output will then look something like this:
14.4.1
Checking user store
Checking local machine store
Store name: AddressBook
Store name: AuthRoot
SECOM Trust Systems CO LTD, Thumbprint=FEB8C432DCF9769ACEAE3DD8908FFD288665647D
Hellenic Academic and Research Institutions RootCA 2011, Thumbprint=FE45659B79035B98A161B5512EACDA580948224D
D-TRUST GmbH, Thumbprint=FD1ED1E2021B0B9F73E8EB75CE23436BBCC746EB
certSIGN Root CA, Thumbprint=FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B
Spanish Property & Commerce Registry CA, Thumbprint=FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0
VRK Gov. Root CA, Thumbprint=FAA7D9FB31B746F200A85E65797613D816E063B5
CertEurope, Thumbprint=FA0882595F9CA6A11ECCBEAF65C764C0CCC311D0
Where in this case the user store for the given credentials does not exist and the machine store "AddressBook" is empty.
Votes:
0
Hi,
I was able to implement WinCertExpiration as described above. The only thing I was wondering was the return value. In the readme.txt it says: Return value: The number of days left before the certificate expires.
In fact it returns the days with text around the number: The certificate expires in 3627 days.
Therefore I cannot trigger a warning or error. Any ideas?
Thanks Mike
Votes:
0
Hello Mike, The PRTGToolsFamily's WinCertExpiration provides a channel called value which contains the value in days, you can configure channel limits and threshold based notifications using that channel/value.
For further questions, we're glad to help.
Created on Aug 18, 2015 9:32:06 AM by
Luciano Lingnau [Paessler]
Last change on Aug 18, 2015 9:33:18 AM by
Luciano Lingnau [Paessler]
Votes:
0
Running locally on the target server this query succeeds and returns the days remaining until expiration.
Running remotely, using the "-l", I can query the target server, but the output does not list my certificate/thumbprint.
Remote Registry service is started
Using MMC -> Certificates -> Current User -> Personal -> Certificates: I see my certificate.
How do I query this path remotely?
Local query successful:
WinCertExpiration.exe -h=%computername% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword
Remote query unsuccessful:
WinCertExpiration.exe -h=%target_server% -t=#################### -s=My -u=domain\serviceaccount -p=hashofserviceaccountpassword
15.1.1.5
Connecting to certificate store LocalMachine/My on remote machine.
Enummerating certificates in My store...
Connecting to certificate store CurrentUser/My on remote machine.
Certificate not found.
Remote PRTG host is WS12R2, target is WS08R2.
Created on Apr 19, 2016 8:23:37 PM
Last change on Apr 20, 2016 5:47:45 AM by
Luciano Lingnau [Paessler]
Votes:
0
Hi Doug,
Using the -l switch on the remote query, are there any certificates listed at all? If the local query on the target machine is successful, would it be an option to install a remote probe on that machine?
Votes:
0
Yes, -l succeeds but appears to be returning only LocalComputer and not CurrentUser results. I've confirmed there is no difference whether I'm using -p=<hash> or -p=<password>. How do I force it to query/search CurrentUser\My?
Thanks,
Votes:
3
What I did, was simply create a standard SSL Cert Sensor, and putting the LDAPS port (636) in instead of 443. Works like a charm.
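What the SSL Certificate sensor sees when pointed at port 636, written out as an added PowerShell example (not PRTG code): it opens a TLS session to the LDAPS port, reads the certificate the domain controller presents and reports days remaining together with the chain result. It needs no credentials, no Remote Registry and no access to the NTDS service store, because it only looks at what the server sends to every client. The host name in the usage line is an assumed placeholder.

```powershell
function Get-LdapsCertificateStatus {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636,          # LDAPS; 3269 is the Global Catalog over TLS
        [int]$TimeoutMs = 5000
    )
    $script:policyErrors = 'None'
    # Record the chain verdict instead of failing the handshake: the point is to inspect
    # the certificate even when it is already expired or not trusted on the probe.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors.ToString()
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $connect = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $connect.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "No TCP connection to ${ComputerName}:$Port within $TimeoutMs ms"
        }
        $client.EndConnect($connect)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # LDAPS is implicit TLS: the handshake starts immediately, no StartTLS exchange.
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            ComputerName  = $ComputerName
            Port          = $Port
            Subject       = $cert.Subject                         # empty for Kerberos Authentication template certs
            DnsName       = $cert.GetNameInfo('DnsName', $false)  # SAN dNSName, else subject CN
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            Protocol      = $ssl.SslProtocol
            # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
            ChainErrors   = $script:policyErrors
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (dc01.example.test is a placeholder host):
# Get-LdapsCertificateStatus -ComputerName dc01.example.test
```

Because the callback accepts every certificate, `ChainErrors` is the only trust signal the function gives; alert on it as well as on `DaysRemaining`, since a renewed certificate from an unexpected issuer would otherwise look perfectly healthy.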
Votes:
0
Not to beat a dead horse, but I'm attempting to monitor a certificate on my Skype for Business edge server. I am having the same issue listed above in that I can query and return what I want locally, but not from the probe server. Making this host a probe server is not an option for me, and as this is a certificate only used by Skype I don't think I can just hit it on an alternate port number. Was the remote running of this script ever figured out?
Votes:
2
Hello,
I was facing the same problem and solved it with an EXE/Script (Advanced) PowerShell sensor which I want to share with you.
Big thanks to Daniel Zobel [Paessler Support] whose Windows CA monitoring script I used as a base.
Make sure you set the security context of the sensor to "Use Windows credentials of parent device" (and of course set them).
The script expects only one parameter: -computername <fqdn>
which is the FQDN of the system you want to monitor.
Param ($computername)

# declare script-wide variables
$script:starttime = Get-Date
$script:table = $null
$script:resultText = "OK"

function main {
    # read the machine's Personal store on the target via PowerShell remoting
    try {
        $certificates = Invoke-Command -ComputerName $computername -ErrorAction Stop -ScriptBlock { Return Get-ChildItem Cert:\LocalMachine\My }
    } catch {
        printErrorXml "Invoke-Command to $computername failed: $($_.Exception.Message)"
    }
    foreach ($certificate in $certificates) {
        $row = $table.NewRow()
        $row.channel = $certificate.Subject
        $row.value = ($certificate.NotAfter - (Get-Date)).Days
        $row.unit = "Custom"
        $row.customUnit = "Days"
        $table.Rows.Add($row)
    }
    # add the execution-time to channels
    $row = $table.NewRow()
    $row.channel = "ExecutionTime"
    $row.unit = "TimeSeconds"
    $row.SpeedTime = "Second"
    $row.float = "1"
    $row.ShowChart = "0"
    $row.ShowTable = "0"
    $row.Value = "$([Math]::Round((New-TimeSpan $starttime).TotalSeconds, 1))"
    $table.Rows.Add($row)
    # forward the generated table to the xml-generator and print the result
    $retval = $table | New-Xml -RootTag prtg -ItemTag result -ChildItems Channel, Value, Unit, CustomUnit, Warning, Error, speedtime, volumesize, mode, showchart, showtable, float -ResultTag $resultText
    Write-Host $retval
}

function prepareResultTable {
    # create a table to store the information only if not yet done
    # all available values predefined, in the result only the active values will appear
    if ($script:table -eq $null) {
        $script:table = New-Object System.Data.DataTable "result"
        $col1  = New-Object System.Data.DataColumn channel, string
        $col2  = New-Object System.Data.DataColumn value, string       # an integer or float value preconverted into a string!
        $col3  = New-Object System.Data.DataColumn unit, string        # BytesBandwidth/BytesMemory/BytesDisk/Temperature/Percent/TimeResponse/TimeSeconds/Custom/Count/CPU (%)/BytesFile/SpeedDisk/SpeedNet/TimeHours
        $col4  = New-Object System.Data.DataColumn customUnit, string
        $col5  = New-Object System.Data.DataColumn warning, string     # 0/1 (no/yes) 0
        $col6  = New-Object System.Data.DataColumn SpeedSize, string   # One/Kilo/Mega/Giga/Tera/Byte/KiloByte/MegaByte/GigaByte/TeraByte/Bit/KiloBit/MegaBit/GigaBit/TeraBit
        $col7  = New-Object System.Data.DataColumn VolumeSize, string  # see SpeedSize
        $col8  = New-Object System.Data.DataColumn SpeedTime, string   # Second/Minute/Hour/Day
        $col9  = New-Object System.Data.DataColumn Mode, string        # Absolute/Difference
        $col10 = New-Object System.Data.DataColumn ShowChart, string   # 0/1 (no/yes) 1
        $col11 = New-Object System.Data.DataColumn ShowTable, string   # 0/1 (no/yes) 1
        $col12 = New-Object System.Data.DataColumn Float, string       # 0/1 (no integer/yes float) 0
        foreach ($col in $col1, $col2, $col3, $col4, $col5, $col6, $col7, $col8, $col9, $col10, $col11, $col12) {
            $table.Columns.Add($col)
        }
    }
}

# this function produces a well-formatted xml-output out of a given table
function New-Xml {
    param ($RootTag = "ROOT", $ItemTag = "ITEM", $ChildItems = "*", $resultTag, $Attributes = $Null)
    Begin { $xml = "<$RootTag>`n" }
    Process {
        $xml += "  <$ItemTag>`n"
        # only the requested columns are emitted, and only when they carry a value
        foreach ($child in $_ | Get-Member -MemberType Properties -Name $childItems) {
            $Name = $child.Name
            if ("$($_.$Name)" -ne "") { $xml += "    <$Name>$($_.$Name)</$Name>`n" }
        }
        $xml += "  </$ItemTag>`n"
    }
    End {
        if ([string]$resultTag -ne $false) { $xml += "  <text>$resultTag</text>`n" }
        $xml += "</$RootTag>`n"
        $xml
    }
}

# print a xml-errormessage and stop, so PRTG shows the sensor as down with this text
function printErrorXml($errortext = $script:resultText) {
    $errorXml  = "<prtg>`n"
    $errorXml += "  <error>1</error>`n"
    $errorXml += "  <text>$errortext</text>`n"
    $errorXml += "</prtg>`n"
    [System.Console]::WriteLine($errorXml)
    exit
}

prepareResultTable
main
exit
Votes:
0
@mwarth Thanks for sharing! :)
Votes:
0
Hey https://kb.paessler.com/users/PRTGToolsFamily, I can get the WinCertExpiration sensor working using a privileged account but would like to make it work with a least privileged account. What permissions do you recommend for me to set on the local machine I am trying to monitor? Cheers heaps, Dean
Votes:
0
Hi deantichborne,
There are some examples to be found on how to grant access to a certificate for a user account.
But to be honest, I would not go there...
As often, Google is your friend...
https://stackoverflow.com/questions/4945687/how-to-grant-an-account-permissions-to-access-a-certificate
https://blogs.msmvps.com/luisabreu/blog/2010/09/13/grant-access-to-certificate-s-private-key-in-iis-7-5/
Kind regards,
PRTG Tools Family
Votes:
1
@mwarth: thanks for sharing this script. it helped a lot.
I wanted to let you know that it fails on domain controllers which use a "modern" Kerberos Authentication certificate template to get their LDAP certificate. The result is "XML: The channel name must not be empty. (code: PE242)".
Why? Because the RFC3280 standard dictates that the subject name field should be empty.
With an empty subject name in the certificate, the script returns a result set without a channel name:
<prtg>
  <result>
    <value>336</value>
    <unit>Custom</unit>
    <customUnit>Days</customUnit>
    <limitMinError>1</limitMinError>
    <limitMinWarning>14</limitMinWarning>
    <limitMode>1</limitMode>
  </result>
Compare to a different certificate that has a subject name:
<prtg>
  <result>
    <channel>CN=SRV004NT.sit.local</channel>
    <value>144</value>
    <unit>Custom</unit>
    <customUnit>Days</customUnit>
    <limitMinError>1</limitMinError>
    <limitMinWarning>14</limitMinWarning>
    <limitMode>1</limitMode>
  </result>
To fix this, the check script should be adapted to read the subject alternative name instead. Here is the relevant part of the script that I modified based on this info: https://mcselles.wordpress.com/2016/02/22/display-subject-alternative-names-of-a-certificate-with-powershell/
foreach ($certificate in $certificates) {
    $row = $table.NewRow()
    $row.channel = $certificate.Subject
    if ([string]::IsNullOrEmpty($certificate.Subject)) {
        # no subject: take the first entry of the Subject Alternative Name extension instead
        $sanExt = $certificate.Extensions | Where-Object { $_.Oid.FriendlyName -match "subject alternative name" }
        $sanObjs = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames
        $altNamesStr = [System.Convert]::ToBase64String($sanExt.RawData)
        $sanObjs.InitializeDecode(1, $altNamesStr)   # 1 = XCN_CRYPT_STRING_BASE64
        $SAN = $sanObjs.AlternativeNames[0]
        $row.channel = $SAN.strValue
    }
    $row.value = ($certificate.NotAfter - (Get-Date)).Days
    $row.unit = "Custom"
    $row.customUnit = "Days"
    # limitMinError, limitMinWarning and limitMode must also be added as columns in
    # prepareResultTable and to the -ChildItems list of New-Xml, otherwise these assignments fail
    $row.limitMinError = 1
    $row.limitMinWarning = 14
    $row.limitMode = 1
    $table.Rows.Add($row)
}
Now the sensor also works on domain controller certificates. Cheers
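A different way to get the same result, as an added PowerShell example that is neither mwarth's script nor the Paessler base script: .NET's `GetNameInfo` already reads the SAN dNSName and falls back to the subject CN, so no COM decoding is needed, and the function builds the EXE/Script (Advanced) XML directly. It also covers two things the table-based script does not: channel names are XML-escaped (a subject containing `&` or `<` would otherwise produce invalid XML), and two certificates with the same name, such as an old and a renewed one, get distinct channels instead of colliding. The limit values are the ones from the post above.

```powershell
function ConvertTo-PrtgCertificateXml {
    param(
        [Parameter(Mandatory)][AllowNull()][AllowEmptyCollection()]
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates,
        [int]$WarningDays = 14,
        [int]$ErrorDays = 1
    )
    $seen = @{}
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.AppendLine('<prtg>')
    foreach ($cert in $Certificates) {
        # SAN dNSName first, subject CN second; handles the empty-subject Kerberos Authentication certs
        $name = $cert.GetNameInfo('DnsName', $false)
        if ([string]::IsNullOrWhiteSpace($name)) { $name = $cert.Subject }
        if ([string]::IsNullOrWhiteSpace($name)) { $name = "Thumbprint $($cert.Thumbprint)" }
        # PRTG channel names must be unique within the sensor
        if ($seen.ContainsKey($name)) { $name = "$name ($($cert.Thumbprint.Substring(0, 8)))" }
        $seen[$name] = $true
        $days = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        # escape '&', '<', '>' and quotes, which are legal in a subject but not in XML text
        $safeName = [System.Security.SecurityElement]::Escape($name)
        [void]$sb.AppendLine("  <result>")
        [void]$sb.AppendLine("    <channel>$safeName</channel>")
        [void]$sb.AppendLine("    <value>$days</value>")
        [void]$sb.AppendLine("    <unit>Custom</unit>")
        [void]$sb.AppendLine("    <customUnit>Days</customUnit>")
        [void]$sb.AppendLine("    <limitMinWarning>$WarningDays</limitMinWarning>")
        [void]$sb.AppendLine("    <limitMinError>$ErrorDays</limitMinError>")
        [void]$sb.AppendLine("    <limitMode>1</limitMode>")
        [void]$sb.AppendLine("  </result>")
    }
    if ($seen.Count -eq 0) {
        # a sensor with no channels is rejected by PRTG; report the empty store explicitly
        [void]$sb.AppendLine('  <error>1</error>')
        [void]$sb.AppendLine('  <text>No certificates found in store</text>')
    }
    [void]$sb.AppendLine('</prtg>')
    $sb.ToString()
}

# Usage on the monitored machine itself:
# ConvertTo-PrtgCertificateXml -Certificates (Get-ChildItem Cert:\LocalMachine\My)
```

For a remote host, define and call the function inside the `Invoke-Command` script block (or dot-source it on the target) rather than piping the certificates back to the probe: objects that cross the remoting boundary arrive deserialized and no longer have a `GetNameInfo()` method.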
Votes:
0
Hi,
WinCertExpiration.exe -h=servername -t=c29a0e983ddefddca148779b70254e9adf93b9d2 -s=My
Works fine if I run in PowerShell console, from different computers, with different accounts, but display the error "Certificate not found" in PRTG.
All this because I had not changed "Use Windows credentials of parent device" setting.
I would suggest to improve the post, to say first use the sensor "Exe/Script" sensor and that setting too. It would have saved me much time.
Votes:
0
Hi Yann,
Using the "Windows credentials of parent device" will work (if you have them set).
You can also use the -u= and -p= parameters as described above
Votes:
0
Hello, I've tried the sensor for our domain controllers (source was our monitoring server) but it didn't find the certificates in the machine certificate store.
WinCertExpiration.exe -h=host.domain -u=domain\user -p=hash -t=thumbprint
16.3.1.6
Connecting to certificate store LocalMachine/Root on remote machine.
Enummerating certificates in Root store........................
Connecting to certificate store CurrentUser/Root on remote machine.
Certificate not found.
Is it possible to monitor them?
Update: I found the error. The certificate had no subject configured and was therefore not found. Thank you in advance.
Created on Jun 4, 2020 6:16:01 AM
Last change on Jun 5, 2020 10:59:38 AM by
Isidora Jeremic [Paessler Support]
Votes:
0
Hello, does someone know an option to change the date and time format?
I have the problem that the sensor does not work because the server has a different date and time format.
With German it works but not with Hungarian, for example.
Does anybody have the same issue or a solution for this?