PKI Certificate Verification Management Pack for SCOM 2012

Update June 22, 2015 – Version 1.3.0.0 now available for download.
Compatible with SCOM 2012 and SCOM 2012 R2 only.

NOTE: This update will only import on SCOM 2012 and later.
PKI certificates protect web sites by enabling SSL, secure cross-server communication, and serve many other purposes.

The PKI Certificate Verification MP discovers PKI certificates and Certificate Revocation Lists (CRLs) inside computers’ local certificate stores. It helps prevent service interruptions caused by invalid certificates by alerting when:

– a certificate’s lifetime is about to expire
– a certificate’s lifetime has ended
– a certificate has become invalid for a different reason (for example an incomplete or untrusted certificate chain)
– a CRL has not been updated in a timely manner
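The certificate-side checks behind the first three alert types, as an added example that is not the MP's own code (the MP runs as a SCOM probe; this is a stand-alone script using only the Cert: provider and the .NET X509Chain class that ship with Windows). The store path, the 30-day warning threshold, the NoRevocationCheck switch and the output columns are assumptions chosen for illustration; the CRL alert is not covered here.

```powershell
# Added example, not the MP's own code. Reproduces the certificate checks the MP alerts on:
# about to expire, expired, and invalid for another reason (chain build failure).
# Assumed for illustration: the store path, the 30-day threshold, the switch and the output columns.
param(
    [string]$StorePath = 'Cert:\LocalMachine\My',  # Personal (computer) store; the MP covers more stores
    [int]$WarningDays = 30,                        # the MP's expiring-soon view defaults to 1 month
    [switch]$NoRevocationCheck                     # for hosts that cannot reach CDP/OCSP endpoints
)

function Test-CertificateState {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [datetime]$Now = (Get-Date), [int]$WarningDays = 30, [bool]$CheckRevocation = $true)

    if ($Cert.NotAfter -lt $Now) {
        return [pscustomobject]@{ State = 'Expired'; Reason = "expired on $($Cert.NotAfter)" }
    }
    if ($Cert.NotBefore -gt $Now) {
        # The "not valid until" case: clock skew on the issuing CA or a pre-dated certificate
        return [pscustomobject]@{ State = 'Invalid'; Reason = "not valid until $($Cert.NotBefore)" }
    }

    # Build the chain the way CryptoAPI does: catches untrusted roots, incomplete chains,
    # revoked certificates and bad key usage, i.e. "invalid because of a different reason".
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $mode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $chain.Reset()
    if (-not $ok) {
        return [pscustomobject]@{ State = 'Invalid'; Reason = $problems }
    }

    if ($Cert.NotAfter -lt $Now.AddDays($WarningDays)) {
        $left = [int]($Cert.NotAfter - $Now).TotalDays
        return [pscustomobject]@{ State = 'AboutToExpire'; Reason = "expires in $left day(s), on $($Cert.NotAfter)" }
    }
    [pscustomobject]@{ State = 'Valid'; Reason = '' }
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path $StorePath) {
    $r = Test-CertificateState -Cert $cert -Now $now -WarningDays $WarningDays -CheckRevocation (-not $NoRevocationCheck)
    [pscustomobject]@{
        # The MP substitutes the first SAN for an empty subject; here the gap is only made visible
        Subject    = if ($cert.Subject) { $cert.Subject } else { 'EMPTY (no subject)' }
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        State      = $r.State
        Reason     = $r.Reason
    }
}

# Worst state first so an operator sees Expired/Invalid at the top of the table
$order = @{ Expired = 0; Invalid = 1; AboutToExpire = 2; Valid = 3 }
$report | Sort-Object { $order[$_.State] }, NotAfter | Format-Table -AutoSize
```

Run it under the same account the SCOM agent uses (the alert descriptions since 1.3.0.0 name the action account for this reason): a chain that builds for an administrator can still fail for a service account that lacks access to the private key or to the proxy needed to fetch a CRL.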

The MP contains a full set of inventory reports to help you audit certificates. The included guide contains detailed instructions on how to configure the MP. Click the Download links at the bottom to download the management pack archive.

The PKI Certificate Verification MP was jointly developed by Raphael Burri, Pete Zerger and Jaime Correia, specifically for release on the SystemCenterCentral.com site.

An article on MP authoring by the same authors uses the PKI Certificate Verification MP as a sample to explain the concepts and procedures of writing a Management Pack. It is available on the site at the link below.

MP Creation Zen: Part 1 – Concepts and Application Modeling

Change History

Changes between 1.2.1.3 (August 2014) and 1.3.0.0 (June 2015)

  • Added Tasks: Archive Certificate, List Certificate Properties, Disable/Enable Monitoring, Rediscover (in optional add-on MP)
  • Added Recoveries: Archive Certificate, Disable Monitoring
  • Added Discovery: Web Hosting certificate store (Server 2012 / 2012 R2)
  • Additional certificate property: Certificate Template. It is also listed on reports.
  • Discovery filter expanded to certificate template.
  • Alert description: Additional details on the certificate chain and SCOM action account used.
  • CRL Lifetime Monitor: Threshold is exposed as an overridable parameter.
  • CRL health roll up monitor added.
  • Expiring certificate view & report: Default threshold of 1 month may be overridden.
  • Views: Changed criteria on views to make them more reliable when using user scopes.
  • Reporting bug: Certificate inventory did not list all certificates.
  • Additional MP: Rediscovery Tasks. Immediate trigger of store content discovery after archive, disable/enable or rediscover tasks
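What the CRL Lifetime Monitor listed above (and the "CRL has not been updated in a timely manner" alert) has to decide, as an added example that is not the MP's own code: read thisUpdate and nextUpdate out of a DER-encoded CRL and flag it when nextUpdate has passed or is within a warning window. The 24-hour threshold, the assumption that the CRL Distribution Point extension renders as "URL=" lines, and DER (not PEM) input are assumptions made for this example; the DER walk follows the CertificateList layout in RFC 5280 section 5.1.

```powershell
# Added example, not the MP's own code. Checks CRL freshness the way a CRL lifetime monitor would:
# parse thisUpdate/nextUpdate from a DER CRL and alert when nextUpdate is past or close.
# Assumed for illustration: the 24h threshold, "URL=" lines in the CDP extension text, DER input.

function Read-DerHeader([byte[]]$Bytes, [int]$Offset) {
    # Decode the tag and length of the TLV at $Offset; return where its content starts and ends.
    $tag = [int]$Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $pos = $Offset + 2
    if ($len -band 0x80) {                       # long form: low 7 bits = number of length bytes
        $n = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$pos + $i] }
        $pos += $n
    }
    [pscustomobject]@{ Tag = $tag; Length = $len; Content = $pos; End = $pos + $len }
}

function ConvertFrom-DerTime([byte[]]$Bytes, $Hdr) {
    # 0x17 = UTCTime (YYMMDDHHMMSSZ), 0x18 = GeneralizedTime (YYYYMMDDHHMMSSZ).
    # Note: .NET maps two-digit years 00-29 to 20xx, X.509 maps 00-49; identical for current CRLs.
    $text = [Text.Encoding]::ASCII.GetString($Bytes, $Hdr.Content, $Hdr.Length)
    $fmt  = if ($Hdr.Tag -eq 0x17) { 'yyMMddHHmmss\Z' } else { 'yyyyMMddHHmmss\Z' }
    [datetime]::ParseExact($text, $fmt, [Globalization.CultureInfo]::InvariantCulture,
        [Globalization.DateTimeStyles]'AssumeUniversal,AdjustToUniversal')
}

function Get-CrlValidity([byte[]]$Der) {
    # CertificateList ::= SEQUENCE { tbsCertList SEQUENCE { version OPTIONAL, signature, issuer,
    #                                thisUpdate, nextUpdate OPTIONAL, ... }, ... }   (RFC 5280 5.1)
    $outer = Read-DerHeader $Der 0
    $tbs   = Read-DerHeader $Der $outer.Content
    $h = Read-DerHeader $Der $tbs.Content
    if ($h.Tag -eq 0x02) { $h = Read-DerHeader $Der $h.End }   # optional version INTEGER -> signature
    $h = Read-DerHeader $Der $h.End                            # skip signature AlgorithmIdentifier -> issuer
    $h = Read-DerHeader $Der $h.End                            # skip issuer Name -> thisUpdate
    $thisUpdate = ConvertFrom-DerTime $Der $h
    $h = Read-DerHeader $Der $h.End                            # nextUpdate, or revokedCertificates/extensions if absent
    $nextUpdate = if ($h.Tag -eq 0x17 -or $h.Tag -eq 0x18) { ConvertFrom-DerTime $Der $h } else { $null }
    [pscustomobject]@{ ThisUpdate = $thisUpdate; NextUpdate = $nextUpdate }
}

function Test-CrlFreshness([byte[]]$Der, [int]$WarningHours = 24, [datetime]$NowUtc = [datetime]::UtcNow) {
    $v = Get-CrlValidity $Der
    $state = if (-not $v.NextUpdate) { 'NoNextUpdate' }                                  # allowed by RFC, still a finding
        elseif ($v.NextUpdate -lt $NowUtc) { 'Stale' }                                     # CRL not updated in time
        elseif ($v.NextUpdate -lt $NowUtc.AddHours($WarningHours)) { 'ExpiringSoon' }      # threshold, overridable in the MP
        else { 'Healthy' }
    [pscustomobject]@{ ThisUpdate = $v.ThisUpdate; NextUpdate = $v.NextUpdate; State = $state }
}

function Get-CrlDistributionUrl([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $ext) { return @() }
    # Assumption: CryptoAPI renders each distribution point as a "URL=http://..." line
    [regex]::Matches($ext.Format($true), 'URL=(https?://[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

# Check every CRL the server's personal certificates point to (store path assumed)
$web = New-Object System.Net.WebClient
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    foreach ($url in Get-CrlDistributionUrl $cert) {
        try {
            $r = Test-CrlFreshness -Der $web.DownloadData($url) -WarningHours 24
            "{0,-12} {1}  next update {2:u}  ({3})" -f $r.State, $url, $r.NextUpdate, $cert.Subject
        } catch {
            "UNREACHABLE  $url  ($($_.Exception.Message))"
        }
    }
}
```

A stale CRL is an availability problem before it is a security one: once nextUpdate has passed, clients with strict revocation checking start rejecting every certificate the CA issued, which is why the monitor warns ahead of the deadline rather than only when it is missed.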

Changes between 1.2.0.210 (April 2014) and 1.2.1.3 (August 2014)

  • Discovery Filter with include and exclude regular expression on certificate subject as well as on certificate and CRL issuer.
  • Discovery Filter on “Enhanced Key Usage”. By default the MP no longer discovers MS Network Access Protection certificates (napHealthyOid and napUnhealthyOid). Other OIDs may be excluded as well.
  • Fixed: the PowerShell compatibility monitor got triggered on Windows Server 2012 (where no PowerShell 1.0 registry key exists).
  • Uses the first certificate SAN as the subject in case the subject is empty (not defined).
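The three 1.2.1.3 discovery changes (subject/issuer include and exclude regular expressions, Enhanced Key Usage exclusion, and the first-SAN fallback for an empty subject) in one filter, as an added example that is not the MP's own code. Parameter names, the Contoso CA names in the usage call, the English "DNS Name=" rendering of the SAN extension and the two NAP OID values are assumptions; the page names napHealthyOid and napUnhealthyOid but does not list their values, so verify those against your CA before excluding them.

```powershell
# Added example, not the MP's own code: a discovery filter with the knobs 1.2.1.3 introduced.
# Assumed for illustration: parameter names, the English "DNS Name=" SAN rendering and the NAP OID
# values (napHealthyOid/napUnhealthyOid are named on the page but their values are not; verify them).
function Select-MonitoredCertificate {
    param(
        [string]$StorePath      = 'Cert:\LocalMachine\My',
        [string]$SubjectInclude = '.*',     # subject must match this regex
        [string]$SubjectExclude = '',       # and must not match this one (empty = no exclusion)
        [string]$IssuerInclude  = '.*',
        [string]$IssuerExclude  = '',
        [string[]]$ExcludeEkuOid = @('1.3.6.1.4.1.311.47.1.1',   # assumed: NAP "healthy" (System Health Authentication)
                                     '1.3.6.1.4.1.311.47.1.3')   # assumed: NAP "unhealthy"
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Subject fallback: first SAN entry when the subject is empty, as the MP does since 1.2.1.3
        $name = [string]$cert.Subject
        if (-not $name) {
            $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
            if ($san) {
                $first = ($san.Format($false) -split ',\s*')[0]   # e.g. "DNS Name=host.example.com"
                $name  = ($first -split '=', 2)[-1]
            }
        }
        $issuer = [string]$cert.Issuer

        $skip = $null
        if ($name -notmatch $SubjectInclude) { $skip = 'subject not in include filter' }
        elseif ($SubjectExclude -and $name -match $SubjectExclude) { $skip = 'subject matches exclude filter' }
        elseif ($issuer -notmatch $IssuerInclude) { $skip = 'issuer not in include filter' }
        elseif ($IssuerExclude -and $issuer -match $IssuerExclude) { $skip = 'issuer matches exclude filter' }
        else {
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
            if ($eku) {
                $hit = @($eku.EnhancedKeyUsages | Where-Object { $ExcludeEkuOid -contains $_.Value })
                if ($hit.Count) { $skip = "EKU $($hit[0].Value) is excluded" }
            }
        }

        [pscustomobject]@{
            Subject    = $name
            Issuer     = $issuer
            Thumbprint = $cert.Thumbprint
            Discover   = [bool](-not $skip)
            Reason     = $skip
        }
    }
}

# Monitor only certificates from our own issuing CA, and never the frequently renewed machine
# certificates (the case raised in the comments below); CA and domain names are placeholders.
Select-MonitoredCertificate -IssuerInclude 'CN=Contoso Issuing CA' -SubjectExclude '^CN=[^,]+\.corp\.contoso\.com' |
    Format-Table Subject, Issuer, Discover, Reason -AutoSize
```

Keep the exclude patterns anchored: an unanchored `contoso\.com` would also drop a public web-server certificate for www.contoso.com that you do want monitored.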

Changes between 1.0.1.20 (March 2012) and 1.2.0.210 (April 2014)

  • Re-written MP; the main logic is now based on a PowerShell script instead of a VBScript.
  • Full support for Windows Server 2012 (R2).
  • Dropped SCOM 2007 support (use the legacy version 1.0.1.20 if SCOM 2007 is still a requirement).
  • Support for any system locale.
  • Advanced certificate validation overrides.

Changes between 1.0.1.15 (March 2011) and 1.0.1.20 (March 2012)

  • Corrected a discovery bug that would hit when a server’s locale was non-US and CA certificates were found in the store.
  • Fixed some spelling issues in display strings
  • Verified OpsMgr 2012 compatibility

Changes between 1.0.0.288 (released Jun 17, 2010) and 1.0.1.15

  • Improved discovery of Issued to and Issued by properties: Will use Subject Alternative Name if certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
  • Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, that certificate is a Windows CA one.
  • No longer discovers superseded CA certificates. Evaluation is based on the CA Version property. An additional override changes that behavior if required.
  • Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
  • Expose script timeout as an overridable parameter
  • Changed alert priority to ‘Low’.
  • Broke upgrade path to avoid potential agent stale issues when upgrading from V 1.0.0.280 or earlier.
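How the CA Version property and the superseded-CA-certificate rule from the 1.0.1.15 changes can be evaluated, as an added example that is not the MP's own code. The szOID_CERTSRV_CA_VERSION extension (OID 1.3.6.1.4.1.311.21.1) is a DER INTEGER whose low 16 bits are the certificate index (incremented on each CA certificate renewal) and whose high 16 bits are the key index; a CA certificate is superseded when another certificate for the same CA name carries a higher certificate index. The store path, the function names and the output columns are assumptions.

```powershell
# Added example, not the MP's own code: read the Microsoft CA Version extension and flag superseded
# CA certificates (same CA name, lower certificate index) the way the 1.0.1.15 discovery does.
# Assumed for illustration: the store path, the function names and the output columns.
function Get-CaVersion([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # szOID_CERTSRV_CA_VERSION = 1.3.6.1.4.1.311.21.1, a DER INTEGER:
    # low 16 bits = certificate index (renewals), high 16 bits = key index (re-keys)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.1' }
    if (-not $ext) { return $null }                 # extension absent: not a Windows CA certificate
    $raw = $ext.RawData
    if ($raw.Length -lt 3 -or $raw[0] -ne 0x02) { throw 'unexpected CA Version encoding' }
    $len = [int]$raw[1]                             # short-form length is enough for a 32-bit value
    $value = [long]0
    for ($i = 0; $i -lt $len; $i++) { $value = ($value -shl 8) -bor [int]$raw[2 + $i] }
    $certIndex = $value -band 0xFFFF
    $keyIndex  = ($value -shr 16) -band 0xFFFF
    [pscustomobject]@{
        CertIndex = $certIndex
        KeyIndex  = $keyIndex
        Display   = "V{0}.{1}" -f $certIndex, $keyIndex   # same notation certutil uses, e.g. V1.0
    }
}

function Get-CaCertificateInventory([string]$StorePath = 'Cert:\LocalMachine\CA') {
    $rows = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $v = Get-CaVersion $cert
        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            IsWindowsCa = [bool]$v
            CaVersion   = if ($v) { $v.Display } else { $null }
            CertIndex   = if ($v) { $v.CertIndex } else { -1 }
            Superseded  = $false
        }
    }
    # A CA certificate is superseded when another certificate for the same CA name carries a
    # higher certificate index: the newer one is what the CA signs with now, the old one only
    # remains in the store so that certificates it issued keep validating.
    foreach ($group in $rows | Where-Object IsWindowsCa | Group-Object Subject) {
        $newest = ($group.Group | Measure-Object CertIndex -Maximum).Maximum
        foreach ($row in $group.Group) { if ($row.CertIndex -lt $newest) { $row.Superseded = $true } }
    }
    $rows
}

# Discover only current CA certificates, mirroring the MP's default; drop the filter to list them all
Get-CaCertificateInventory | Where-Object { -not $_.Superseded } |
    Format-Table Subject, CaVersion, NotAfter, Superseded -AutoSize
```

This is why the MP does not raise an expiry alert for a superseded CA certificate: it is expected to expire while the renewed one is in use, and alerting on it would only generate noise.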

Changes between 1.0.0.280 (released April 19, 2010) and 1.0.0.288 (released Jun 17, 2010)

  • Much more relaxed script timing
  • Cookdown-safe timing override option
  • Public certificate store data source (to add custom certificate stores)
  • Better compatibility with legacy operating systems (Windows 2000 & 2003)
  • Introduces a Release Notes document, which is a must-read when updating from any previous release to 1.0.0.288!

Please read the release notes carefully before attempting an upgrade of any previously released version.

Download

The download consists of a zip archive with the management pack, guide, release notes plus examples. Verify the archive against the SHA-1 listed for it before importing anything, for example with Get-FileHash -Algorithm SHA1 in PowerShell or with certutil -hashfile <file> SHA1:

Download: PKI Certificate MP 1.3.0.0 (SCOM 2012)

  • SHA-1: 5e13bd44bbd90519a4fcbc65321a69684fed0ab7

Download: PKI Certificate MP 1.0.1.20 (legacy SCOM 2007). Note that this version is no longer being developed.

  • SHA-1: 1753524A1A969572EFE0EE9E8301C9FECC83B0AF

176 thoughts on “PKI Certificate Verification Management Pack for SCOM 2012”

  1. Henrik.M.Andersen

    Hi!

    It seems to be a really neat MP. You’ve just made the mistake of assuming that people are using standard database names for the data warehouse.

    I get this alert when importing the MP:
    Data Warehouse failed to deploy database component. Failed to deploy Data Warehouse component. The operation will be retried. Exception ‘SqlScriptException’: Batch ordinal: 0; Exception: Could not locate entry in sysdatabases for database ‘OperationsManagerDW’. No entry found with that name. Make sure that the name is entered correctly. One or more workflows were affected by this. Workflow name:

    Regards Henrik

  2. Raphael Burri (post author)

    Hendrik

    Thanks for reporting this. I have uploaded version 1.0.0.242 which fixes the issue. There was a reference to the DB name which actually isn’t required.

    Raphael

  3. yeckto

    Hello, it’s a great MP, but I have tested it in my environment with 400 agents, and I think it has an important bug:
    The MP discovers archived certificates, and a lot of these are expired, of course.

    For example, this is the output to command: certutil -verifystore -v My:
    I have two certificates, the certificate 0 is Valid and not archived:
    ================ Certificate 0 ================
    X509 Certificate:
    Version: 3
    Serial Number: 1887b76c000200003991
    Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
    …….
    Certificate is valid
    ________________
    But certificate 1 is archived and expired, and the MP discovers and monitors it:
    ================ Certificate 1 ================
    Archived!
    X509 Certificate:
    Version: 3
    Serial Number: 308c642600020000134e
    Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
    …..
    ———————————–
    Expired certificate

    If you need more information, you can write me to joseramonsgªhotmail.com

  4. Henrik.M.Andersen

    Raphael: Thank you.

    For the lifespan monitoring it could be very nice with 2 thresholds: warning and critical

    I have also run into the “archived-problem”

  5. francisguilbault

    Hi! Great MP, very useful!! Question for you: my ‘Certificates – About to Expire’ view is empty? Any idea? When I try to run a report about it I’m getting the error: The ‘ColumnList’ parameter is missing a value.

    Regards

  6. Raphael Burri (post author)

    Francis, both the ‘Certificates – About to Expire’ view and the ‘Expiring Certificates’ report will only contain certificates that are going to expire within a month from now. If OpsMgr hasn’t discovered any of them, the view will be empty and the report will unfortunately throw the ‘ColumnList’ error.

  7. Henrik.M.Andersen

    Hi Raphael

    Any clue on how to troubleshoot the PKI MP reports? We installed the MP on our SP1 environment. The discovery and monitoring worked fine, the reporting didn’t work (error pop-up). We have now upgraded to R2 and now the reports run without any errors, but are all empty (only headers are shown). I have a test environment where we did the same thing (first SP1 and then R2) and there the reports work fine.

    Henrik

  8. Raphael Burri (post author)

    Hendrik: The reports are based on groups. Can you check if these groups (e.g. Valid Certificates) have been populated correctly? Also make sure you choose a reasonably large time window when running the report.

  9. Henrik.M.Andersen

    Hi Raphael, thank you for your reply. Most groups are populated (Valid Certificates, Expired Certificates or Expiring Certificates). The only one I’m not sure about is “Certificates required by Windows Group”, which has no members.

    I installed the MP last month so I have tried with a timespan of 01-09-2009 to 16-10-2010. The report runs fairly quickly and returns with the report header, stating that the report includes 29 objects (I chose 29 stores). Btw, it’s the Certificate Inventory report.

    Henrik

  10. Raphael Burri (post author)

    Hendrik – I have an idea what could be the cause but I’ll need you to run a couple of SQL queries. Could you drop me an email at: raburri (a) bluewin (dot) ch? So we can investigate the issue offline.

  11. Henrik.M.Andersen

    To finish this off: it turned out that the collation of the DB instance was a case-sensitive one. The databases themselves had the correct collation.

    Thank you Raphael for your effort and patience,

  12. Khue

    I have limited knowledge of compatibility between OpsMgr07 and 05. I would imagine that this MP is not compatible with 05, correct?

  13. Raphael Burri (post author)

    Khue
    Absolutely, an OpsMgr 2007 MP cannot run on MOM 2005. While it is possible to convert a MOM 2005 one for OpsMgr 2007, the other way round is not supported. The two products actually have (technically speaking) very little in common.

  14. Sven Wells

    Our groups are populated and I am able to open the State Views for, say, ‘Certificates – About to Expire’; however, when I attempt to run this from Reporting, I get the following error:

    “Date: 3/11/2010 7:41:38 AM

    Application: System Center Operations Manager 2007

    Application Version: 6.0.6278.0

    Severity: Error

    Message: Cannot update dependant parameters.

    Microsoft.Reporting.WinForms.ReportServerException: An error has occurred during report processing. (rsProcessingAborted) —> Microsoft.Reporting.WinForms.ReportServerException: Query execution failed for data set ‘ColumnList’. (rsErrorExecutingCommand) —> Microsoft.Reporting.WinForms.ReportServerException: Procedure or function Microsoft_SystemCenter_DataWarehouse_Report_Library_ReportColumnList has too many arguments specified.

    — End of inner exception stack trace —

    — End of inner exception stack trace —

    at Microsoft.Reporting.WinForms.ServerReport.SetParameters(IEnumerable`1 parameters)

    at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.Parameters.ReportParameterBlock.OnValueChangedJob(Object sender, ConsoleJobEventArgs args)

    Microsoft.Reporting.WinForms.ReportServerException: Query execution failed for data set ‘ColumnList’. (rsErrorExecutingCommand) —> Microsoft.Reporting.WinForms.ReportServerException: Procedure or function Microsoft_SystemCenter_DataWarehouse_Report_Library_ReportColumnList has too many arguments specified.

    — End of inner exception stack trace —

    Microsoft.Reporting.WinForms.ReportServerException: Procedure or function Microsoft_SystemCenter_DataWarehouse_Report_Library_ReportColumnList has too many arguments specified.”

    Any ideas on this?

    Thanks,

    Sven

  15. Raphael Burri (post author)

    Sven

    Sorry for the delay. Are you using SCOM SP1 or RTM by any chance? If yes, drop me an email on {raburri (at) bluewin (dot) ch} I might have the solution to your problem.

    Raphael

  16. Sven Wells

    We attempted to upgrade v1.0.0.260 of this MP to v1.0.0.270. We realized we needed to Delete v1.0.0.260 of the MP prior to importing v1.0.0.270. After importing the v1.0.0.270 of the MP we started getting the following alerts from our RMS:

    Data Warehouse failed to deploy database component. Failed to deploy Data Warehouse component. The operation will be retried.

    Exception ‘SqlScriptException’: Batch ordinal: 2; Exception: There is already an object named ‘SystemCenterCentral_Utilities_Certificates_TwoGroupCustomConfigurationReportDataGet’ in the database.

    One or more workflows were affected by this.

    Workflow name: Microsoft.SystemCenter.DataWarehouse.Deployment.Component

    Instance name: rtprms01.americas.ppdi.local

    Instance ID: {5DE412EC-E51D-8DBA-0E8A-3AC5EE2BE221}

    Management group: US-MGMTGRP

    These alerts correlate with Event ID 31565, which is why we are receiving them. It seems there may be some residual component left in the DB from MP v1.0.0.260.

    I had to delete the MP v1.0.0.270 to stop these alerts from happening.

    Any ideas?

    Thanks,

    Sven

  17. Raphael Burri (post author)

    Hotspur, the MP will discover and monitor certificates in the local certificate stores of Windows Server 2000 through 2008 R2 servers. Please see the ‘Supported Configurations’ section of the MP guide for details.

  18. Mutino

    We have an alert being generated with “The certificate is not valid until on or after 01/09/2009 01:00. “. Any idea what could be going wrong?

    The cert works fine and the clocks are all synced to the correct time.

  19. LarryAlthouse

    Excellent MP! This has solved a long-standing request for us by our web team. Everyone is extremely happy with what we have seen so far in this pack.

    I do have one question, though. Was there any specific reason for having the default certificate and CRL discoveries hard-coded to run once every 3456 seconds, but not be able to override it? We tend to set most discoveries to around once a day or more as we have a fairly large environment, but these discoveries don’t give that option. The discovery for the personal certificate STORE allows us to override it (although its value of 86310 is just fine where it is), but the cert and CRL discoveries do not. I know that we can technically just create new ‘mirrored’ discoveries in the override pack to set different times, but I was wondering if there was some other logic in using these particular times or if you had any plans of updating the pack to allow for these overrides.

    Thanks!

    Larry

  20. Raphael Burri (post author)

    @ Ruben: Unfortunately that would require a totally different MP and unfortunately I don’t think that I will find the time to write one for *ix platforms soon. Besides, my knowledge about certificate use there is very limited.

    @ Mutino: If you can send me the output of the certutil.exe command for the store in question I’ll check what is going on:

    certutil.exe -v -verifystore [store key name]

    And please let me know what locale settings you have on that server. My email: raburri [at] bluewin [dot] ch

    @ Larry: Very good question. In this MP, all monitors and discoveries for certificates and CRLs use the same probe action: CertUtil output probe (VBScript). By means of cookdown all these are fed by a single run of the script. If the frequency was overridable you’d have to make sure that you changed it to the same value for all three discoveries and four monitors. So I left the override out because I feared that people would inadvertently break cookdown. That was the idea anyhow – it turned out that the discoveries and monitors run on two different intervals (one for all discoveries and one for all monitors). If you send me your email address, we can have an offline talk about how to improve this for the next update.

  21. kobile

    Hi Raphael,

    we are trying to understand why the view “Certificate stores availability” includes “not monitored” personal computer certificate stores.

    After some tests we realized that we have 2 different scenarios:

    1. Servers with no certificates in computer personal store. (Event 3001 is logged in OpsMgr event log)

    2. Servers with self-signed certificates.

    Is this behavior by design?

    The MP saved us a lot of trouble in monitoring the expiration of certificates.

    Thank you.

  22. Raphael Burri (post author)

    Hi Kobile

    Your observation is absolutely correct. The MP will discover certificate stores – but only if the next step also discovers certificates (or CRLs) in them will you see those stores in anything other than ‘Not Monitored’ state. The reason for this is that the only monitors targeted at certificate stores are roll-up ones. They don’t initialize unless child objects (certificates) are present.

    By coincidence: The next update to the MP (which I’ll release hopefully in the next few days) will explain exactly that situation in the release notes.

  23. Raphael Burri (post author)

    Sorry for the late reply ; I’ve been on vacation. Just checked the download and it seems to be working all right.

    Download is only working for registered users (registration is free).

    On my IE8 I also needed to scroll back up to accept the terms of use after clicking on ‘Download’ before the file transfer was starting. A bit confusing…

  24. Pauly

    I have installed the MP and set up overrides for the Personal Computer Certificate Store & CRL Roll Up for the Object Discovery with a class of Windows Computer. I followed the MP guide however the monitors in Health explorer do not have the green tick indicating that they are monitored but the monitor’s properties indicate that it is enabled. Have I missed a step?

  25. Kevin

    Hi Raphael. I make good use of your MP but have now hit a bit of a brickwall. It’s all good-and-well being able to override the ‘CertificateAboutToExpire’ monitor to change the thresholds, but if I’m wanting to create alerts based on different times I cannot extend the MP because your modules are set to internal.

    I am needing to setup an initial alert at 14 days, then another at 3 days (before expiry). Would it be possible to do a minor update to set these monitor types to public so I am able to use this in proper cookdown style rather than exporting it as unsealed and hacking it?

    Thanks in advance,

    Kevin

  26. Sven Wells

    I just upgraded this MP from v1.0.0.274 to v1.0.0.288. As soon as the upgrade was complete, we started getting an alert storm with the following alert:

    Alert Description:

    The Microsoft Operations Manager Scheduler Data Source Module failed to initialize because the specified schedule interval number is out of range. Interval: 0 Minimum Unit Number: 1 Maximum Unit Number: 2419200 One or more workflows were affected by this. Workflow name: SystemCenterCentral.Utilities.Certificates.CertificateValidity.Monitor Instance name: Certificate *.ppdi.com Instance ID: {FBC7444F-8A52-0BE9-8375-F0E81D4F090C} Management group: US-MGMTGRP

    Any ideas on how to stop this and why it is occurring?

    thanks,

    Sven

  27. Sven Wells

    Hello, I managed to resolve the last issue I commented on. Had to delete the existing PKI Certificate Validation MP and then import the new one (1.0.0.288).

    In doing so, we found that now the PKI Certificate Validation reports have vanished and that option is no longer available to us in the SCOM Console. We’ve tried deleting the MP waiting a few minutes and re-importing the MP, but that does not seem to work.

    How can we get the PKI Certificate Validation reports back?

    Thanks,

    Sven

  28. haui

    Hi,

    we have been using this very good MP since 2010 and like the work you’ve done.

    we have a really complex environment in place with thousands of servers and many thousands of certificates. There are situations where the MP is not working as expected, or attributes of the certificate are not extracted as needed.

    So we have 3 suggestions regarding this MP and would like to know if there’s time to discuss this or to implement these things in a future version of the MP?

    Please let me know,

    Markus

  29. Chris

    Hi, thanks for sharing this MP it is already proving useful however I am wondering if it is possible to use this MP to identify/ report on certs that have been Manually issued?

    Thanks

    Chris

  30. Sven Wells

    We have just upgraded from v1.0.0.288 to v1.0.1.15. In order to test this MP we imported some expired certificates into the Personal stores of a couple of SCOM-managed servers. We recycled the SCOM agents on those servers, but still no alerts. I checked the "Certificates – Invalid" view on the console and the invalid/expired certificates show up in this view; however, that view is showing up as Healthy.

    Regards,
    Sven

  31. lardo5150

    I have this set up and it seems to be monitoring. I am seeing the alerts that I need to see. To test the alerting though, for example, I have a "certification webmail" on serverA. I created a test group, assigned the cert and serverA to this group. I then went to the certificate lifespan monitor and overrode it for that group. Since that cert does not expire till 2/18/2013, I set the days to expire to 700. I wanted this to generate a warning to prove that the alerting was working. It never did. When I go to the health console and do recalculate health, it still says it is good even though it is under the 700 days. I even went as far as to override the monitor for the actual "certification webmail" object and assign it 700 days. Same thing. Is there a waiting period of 24 hours like it says in the manual, still, even though I did recalculate health? Am I missing something? When I go to the view of Certificates Valid, I can see the cert, and it is still valid. This cert is stored on serverA under the Personal store (personal store is enabled). Does it calculate the days some weird way? (valid from 2/8/2011 till 2/8/2013). Again, I am setting it up so that once it passes 700 days, I would get a warning (this is just to test the alerting).

    Am I missing something?

    **EDIT** I just saw the release notes and known issues, BUT I did change the discoveries for Personal to every 5 minutes for my test group that contains the cert and server, just so I can get a test. If this does take a few hours to take effect, I will report back tomorrow whether anything has changed.

  32. Alaguraj

    Hey, I just installed this MP and see the alerts on console. Also, I would like to have a new discovery with this MP to monitor "Operations Manager" certificate store. Please guide me to achieve it…

  33. Amedeo

    Hello guys, I have seen that the MP, under Win2003 server, supports WinNT server stores monitoring with a work around…
    Might I ask what is the Win NT service stores?

    Cheers!

  34. Raphael Burri (post author)

    That would be a certificate store specific to a Windows service. An example could be the "Print Spooler" service. Anyone you see when opening services.msc.
    Very few applications actually require using this specific kind of certificate store so check with your vendor or application owner before you implement service store specific monitoring.
    Cheers
    Raphael

  35. sailorimc

    Hi,
    We have a CA which is issuing certificates for our clients. The CA is online and connected to the network.
    Is there any way to use this MP to monitor certificates issued by the CA? This means, to see if the certificates are about to expire/valid and so on.
    Thanks,
    Izogen

  36. JHBoricua

    I have imported the version 1.0.1.15 of this MP. Personal certificate store discovery went fine. I now want to discover the Intermediate cert store for only one server, our internal PKI issuing CA. So I created a SCOM server group, added the Windows Computer entity for our issuing CA server and then created an override for the Intermediate Cert store discovery to enable discovery targeting the custom server group I created.

    However, it’s been 2 days and the Intermediate cert store has still not been discovered, as far as I can tell (It doesn’t show in the Certificate Stores Availability view). I need this so I the CRLs for our internal PKI can be monitored. Is there something I’m missing?

  37. Michael N

    Hello JHBoricua, I am also trying to monitor an internal PKI, but I have not yet found a way to do this.

    1. It could be that your Intermediate Cert Store has been discovered, but is not showing in the "Certificate Stores Availability" view. This view only shows stores that are in a state Critical, Warning or Healthy, so it does not show stores that are in the state "Not monitored", (maybe because there is nothing to monitor?)

    2. This pack discovers the "Registry" physical stores, but Enterprise PKI certificates are found in the "Enterprise" physical store, (at least this is true on my workstation). You can check this by enabling Show Physical Certificate Stores in the certificates MMC snap-in.

    I have found a folder in the registry that appears to correspond to the Enterprise store: HKLM\SOFTWARE\Microsoft\EnterpriseCertificates (as opposed to SystemCertificates)
    It looks like this Management Pack will need new discovery rules to find certificates in the Enterprise certificate stores.

  38. JHBoricua

    Hi Michael,

    You are right, it is being discovered but its not showing in the ‘Certificate Stores Availability’ view because of being in a ‘Not Monitored’ state. Not sure why that is since it does contain certs and CRLs of our internal PKI, but it may be related to your point #2.

    The odd thing is that, this WAS working on the previous version of this MP, meaning it was monitoring the Intermediate Store objects on this server and populating the CRLs views. So something must have changed in the discovery process of the updated MP.

    The CRLs piece is very important to us from a monitoring standpoint.

  39. Mike

    Hello,
    I am trying to find a way to disable certificate discovery for specific certificates.
    Basically we have the certificate computername.domain.com and it will be renewed frequently. I would like to stop discovery for them. Since we have plenty of servers, I don’t see that the Group / Certificate name option would be appropriate. I see one possible way is to override through the Issued By option but I am not sure how to implement that. Can someone please help on this or tell me if there is any other way to achieve it? Thanks a lot!

  40. SB

    Hi
    We have an environment with several 2003 and 2008 servers, running OpsMgr 2007 R2. We have implemented the Management Pack and followed the guide, but we have run into an issue that we cannot seem to solve. The certificate discovery is not run (Configuration – certificate store roll up is not monitored) on some servers, but not all, and there is no clear pattern to which servers the certificates are discovered on and not (both 2003 and 2008). We have the same issue in our QA environment as well but not on the same servers as in our Production environment. Do you have any idea why this happens, troubleshooting ideas, known issues? Thanks a lot!

  41. Raphael Burri (post author)

    Hi Ben
    I just checked and the download seems to work for me. You need to be logged on to the site and then you should be able to click the "Download" button. The file name is "PKI_Certificate_MP_V1.0.1.20.zip".
    Raphael

  42. iditb

    Hi ,
    can i monitor only the root ca server certificates and not the personal certificates?

    Thanks

  43. jasonbreeze

    Would like to see the ability to discover service account certificate stores and certificates. They are here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services

  44. Maekee

    Hi, I am having problems discovering my CRLs. The certificates are discovered just fine, and the “Discover Certificate Revocation Lists (locally)” object discovery is enabled. What’s next?

  45. Siva Darsi

    Hi, I imported the pack and I’m able to see the alerts in the SCOM console. I tried setting up a subscription for all the monitors & rules related to PKI, but I didn’t receive any alerts in my inbox. Is there anything I’m missing from this pack? I have uploaded both the .mp and .xml files.

    Thanks,

  46. Siva Darsi

    Hi, I downloaded this MP & tested in my LAB, its working fine ( i was asked to monitor only the personal store for now). Thanks a lot.

    Thanks,
    Siva

  47. Ghayth AL Mahadin

    It did not discover the Exchange 2007 certificate (OWA) and the diagram view for the CAS server shows the certificate as not monitored.

  48. Siva Darsi

    Hi, I enabled the Trusted Root cert store monitoring. Is there any way that we can monitor a specific set of cert vendors (assume 3) for all Windows computers? When I enabled this I got a lot of alerts and most of them are like below,

    Alert: Certificate lifespan alert
    Source: Root Certificate EMPTY (no subject)
    Path: server name.domain.com;Root
    Last modified by: System
    Last modified time: 6/28/2012 10:14:16 PM Alert description: The certificate has expired on 12/31/1999 12:59 AM.
    Certificate Name: EMPTY (no subject)
    Serial number: 01
    Certificate store: Trusted Root Certification Authorities

    any help on this?

    Thanks,
    Siva

  49. dsou777

    Hi, I would to target the PKI discovery only to certain servers. How would I do that using this MP in SCOM 2007 R2?

    thanks

  50. ASIF SHAFI

    The MP and the QuickStart override installed fine, but I do not see any reports. I checked the package but there are no other MP’s for reporting. I am not looking in the right place. Thanks in advance.

  51. RobvH

    Great help, however got an issue with the reports
    Both the CRL Inventory report and the Certificate Inventory Report show no results (expiring/expired do show results if appropriate)
    Any suggestions (as in monitoring the information does show)

  52. SteveG

    Where can I go for troubleshooting help? I can only see ONE cert in the Personal store for each server, not all, and no CRLs, no enterprise CA certs, nothing else at all. I have reinstalled the MP. I upgraded to SCOM SP1 Beta, no change.

  53. bunyas

    Since it does not appear that Raphael is around any longer, has anyone been able to “reverse engineer” the CRL issue between previous version(s) of the MP and the current version?

  54. Csaba Darazs

    Hi guys,

    I have overridden the certificates' 21-day certificate expiry and that's working fine.
    But how can I update the "Certificates About to expire" state view?

    Looks like the whole folder is locked.

    Thanks
    Csaba

  55. HarashukuGrl

    The MP is sealed, so you’ll need to create your custom views in a separate folder

  56. Pete Zerger

    Afraid I don’t have time for any updates to the MP and Raphael is semi-retired from this sort of thing for all practical purposes.

    If the CRL needs are important enough, I’m happy to offer direction to any helpful community member who wants to contribute.

  57. Taurunum

    Hello, just to confirm – the pki certificate verification MP can provide the audit report on soon to be expired certificates issued by the internal MS PKI CA authority (AD integrated), correct?

    Much obliged,

    Boris

  58. Andre

    Hello Raphael,
    Recently we added this MP and it has been a great help and has found and warned us about multiple certificates that were about to expire.
    Currently we have two certificates that are reporting the same problem on the one server. Our Windows team is saying that there is no problem. Certificates are not my strong point so I am not sure how to troubleshoot this error. Any help or direction would be greatly appreciated.
    Alert –
    Certificate is invalid
    Source: Certificate xxxx.com
    Full Path Name: xxxx.COM\Personal Computer Certificate Store\Certificate xxxx.com
    Alert Monitor: Certificate validity
    Created: 3/28/2013 11:59:39 AM
    Alert Description
    The certificate is not valid. Reason: Incomplete certificate chain
    Certificate Name: xxxx.com
    Serial number: xxxx
    Certificate Store: Personal

    Thank you for your assistance.

  59. endre

    Are there any plans to implement support for Windows Server 2012 in this management pack?
    Or does anyone have a workaround for me to get it to work?

    I have implemented the management pack, and it works perfectly on 2003, 2008 and 2008 R2, but it doesn't discover anything on our Windows 2012 servers. 🙁

  60. endre

    If anyone else is wondering how to monitor certificates on Windows Server 2012/Windows 8 you can read more here on how to do it with EventLog.

  61. jojo

    Hi everyone!

    I’ve been using this MP with Operations Manager 2012 SP1 without any problems.
    Right now I’m testing it with 2012 R2 and no luck:)
    I have followed the override section in the doc and I have tried “all” that is possible…

    Has anyone tried this with a good result?

    Thank you in advance

  62. Danny G.

    We installed version 1.0.1.20 into our SCOM 2007 R2 environment and are getting alerts for non-root certificates in the personal computer stores that we thought should have been considered superseded.  For example, we have 3 certificates issued to http://www.xxx.yyy in one key store with one of the certificates having expired, one of the certificates about to expire and one of the certificates not expiring for another 2 years.  I see each of these three certificates in the corresponding views (Certificates – Expired, Certificates – About to Expire, and Certificates – Valid).  Is there a way to override the discovery so that only the current one is discovered?

    Thanks!

  63. Raphael Burri (post author)

    Hi Danny
    The MP will not be able to distinguish between those certificates. It will only allow you to filter on “Subject” and “Issuer”.
    However; if you set the archived flag on your replaced certificates, they will no longer get discovered. You will need to check the target application’s compatibility with archived certificates beforehand, though.
    This applies to both, the 2012 and the 2007 MP.
    Raphael

  64. vsantos

    Hello, I installed this MP in my environment, but it cannot view the certificates that Tomcat is running under Windows 2008. Any suggestions?

  65. Raphael Burri (post author)

    Hi vsantos
    The MP will only monitor certificates in the Windows OS's own certificate stores. For your Tomcat installation you are most likely using a .jks file, which is independent of the OS stores. Currently your only option would be to add the certificate to the personal computer store (MMC > Certificates snap-in) of your server. Tomcat will continue to use its file-based store, but the MP will discover the copy of the certificate and its properties from the Windows store.
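    As an added example (not code from the MP or from this thread), here is a PowerShell equivalent of the MMC step described above: export the public certificate from the Tomcat keystore with keytool and add that copy to the computer's Personal store (LocalMachine\My) so the MP's store discovery picks it up. The keystore path, the alias and the friendly name are assumptions.

```powershell
# Added example, not part of the PKI Certificate Verification MP.
# 1. Export the public certificate from the Tomcat keystore (run on the Tomcat host):
#      keytool -exportcert -alias tomcat -keystore C:\tomcat\conf\keystore.jks -file C:\temp\tomcat.cer
#    Alias and paths are assumptions. Only the public certificate is exported; that is
#    all the MP needs to track lifetime and chain validity (no private key is copied).
# 2. Add the exported copy to LocalMachine\My so the MP discovers it.
function Import-CertificateCopy {
    param(
        [Parameter(Mandatory)][string]$Path,                                   # DER or Base64 .cer file
        [string]$FriendlyName = 'Tomcat keystore copy (monitoring only)'       # assumed label
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $store.Open('ReadWrite')          # needs local administrator rights
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            Write-Verbose "Certificate $($cert.Thumbprint) is already in LocalMachine\My"
            return $existing[0] | Select-Object Subject, Thumbprint, NotAfter, FriendlyName
        }
        # The friendly name is a certificate context property and survives the Add().
        $cert.FriendlyName = $FriendlyName
        $store.Add($cert)
        $cert | Select-Object Subject, Thumbprint, NotAfter, FriendlyName
    } finally {
        $store.Close()
    }
}

# Usage (assumed path):
Import-CertificateCopy -Path 'C:\temp\tomcat.cer' -Verbose
```

    The copy is only a mirror for monitoring: when the certificate in the keystore is renewed, the copy has to be replaced too, otherwise the MP will keep alerting on the old lifetime.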

  66. CypherBit

    Thank you for this MP it’s great, but I do have one issue which I’m unable to resolve on my own…if you can perhaps help me out.

    We’re using IPSec NAP and have two standalone CA’s that issue Health certificates, would it be possible to exclude alerting either all Health Certificates or if easier certificates from these two CA’s.

    I went through the .pdf multiple times (on page 18), but I just don’t have the know-how to make it work.

    Assistance would be greatly appreciated.

  67. Jim

    How do you uninstall this MP? It appears that there are components in the Default MP that I cannot find.

  68. Raphael Burri (post author)

    Hi Jim

    Removing any sealed MP will fail if there are references to it in another MP. Often those will be overrides. Unfortunately SCOM does not clean up those references even after the actual override has been deleted. Currently your only option is to export the unsealed MP that blocks the removal and open it in an editor. Then check the <References> section on the first lines. Carefully delete the lines referring to the PKI Certificate Management Pack and check if there are still overrides referring to it (search for the “Alias” followed by an “!”). If so, remove those as well. Then save the file and re-import it.

    Good luck

    Raphael
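    As an added example, not something the MP or its author ships: the manual edit described in the reply above (drop the `<Reference>` and every element that uses `Alias!`) done with PowerShell's XML support so that nothing is missed. It also removes the display strings of the deleted overrides, since those would otherwise point at elements that no longer exist and block the re-import. The sample MP document, the public key token and the monitor ID are constructed placeholders; the sealed pack's ID is assumed to be SystemCenterCentral.Utilities.Certificates, based on the element IDs quoted elsewhere in this thread.

```powershell
# Added example; not part of the MP. Cleans a stale reference to a sealed MP out of
# an exported, unsealed MP so that the sealed pack can be deleted afterwards.
function Remove-MPReference {
    param(
        [Parameter(Mandatory)][xml]$Mp,                 # the unsealed MP as an XmlDocument
        [Parameter(Mandatory)][string]$ReferencedMpId   # ID of the sealed pack to unlink
    )
    # The <Reference> element carries the alias; its <ID> child names the sealed pack.
    $ref = $Mp.SelectSingleNode("/ManagementPack/Manifest/References/Reference[ID='$ReferencedMpId']")
    if ($null -eq $ref) {
        return [pscustomobject]@{ Alias = $null; RemovedElements = 0 }
    }
    $alias  = $ref.GetAttribute('Alias')
    $prefix = "$alias!"
    # Any element with an attribute value of the form "Alias!Something" (override
    # Context/Monitor/Rule/Discovery targets, group rules, views...) still depends on
    # the sealed pack and has to go as well.
    $stale      = @($Mp.SelectNodes("//*[@*[starts-with(., '$prefix')]]"))
    $removedIds = @()
    foreach ($node in $stale) {
        if ($node.HasAttribute('ID')) { $removedIds += $node.GetAttribute('ID') }
        [void]$node.ParentNode.RemoveChild($node)
    }
    # Display strings for removed elements would make the re-import fail too.
    foreach ($id in $removedIds) {
        foreach ($ds in @($Mp.SelectNodes("//DisplayString[@ElementID='$id']"))) {
            [void]$ds.ParentNode.RemoveChild($ds)
        }
    }
    [void]$ref.ParentNode.RemoveChild($ref)
    [pscustomobject]@{ Alias = $alias; RemovedElements = $stale.Count }
}

# Constructed sample of an unsealed override MP (token and monitor ID are placeholders).
$sampleMp = [xml]@"
<ManagementPack ContentReadable="true" SchemaVersion="2.0" OriginalSchemaVersion="1.1">
  <Manifest>
    <Identity><ID>Custom.PKI.Overrides</ID><Version>1.0.0.0</Version></Identity>
    <Name>Custom PKI Overrides</Name>
    <References>
      <Reference Alias="Certificate">
        <ID>SystemCenterCentral.Utilities.Certificates</ID>
        <Version>1.2.1.3</Version>
        <PublicKeyToken>0000000000000000</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Overrides>
      <MonitorPropertyOverride ID="Override1" Context="Certificate!SystemCenterCentral.Utilities.Certificates.Certificate"
          Enforced="false" Monitor="Certificate!Placeholder.Monitor.ID" Property="Enabled">
        <Value>false</Value>
      </MonitorPropertyOverride>
    </Overrides>
  </Monitoring>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="Override1"><Name>Disable lifespan monitor</Name></DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>
"@

$result = Remove-MPReference -Mp $sampleMp -ReferencedMpId 'SystemCenterCentral.Utilities.Certificates'
$result                                              # Alias = Certificate, RemovedElements = 1
$sampleMp.Save("$PWD\Custom.PKI.Overrides.cleaned.xml")
# For a real pack: $mp = [xml](Get-Content -Raw .\Custom.PKI.Overrides.xml), then re-import the saved file.
```

    Keep the exported original until the cleaned file has imported successfully; the import verification will still report any dependency the XPath did not catch, such as a reference used only inside a script body.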

  69. Jas Tatla

    Hi – I am trying to import the unsealed version as I want to disable all the default discoveries for this management pack but it fails with the below message:

    PKI Certificate Validation V2 could not be imported.

    If any management packs in the Import list are dependent on this management pack, the installation of the dependent management packs will fail.

    Cannot find resource with ID Res.TwoGroupCustomConfigurationReportDataGet_Install, Res.TwoGroupCustomConfigurationReportDataGet_Uninstall, Res.TwoGroupCustomConfigurationReportDataGet_Upgrade, Res.CustomConfigurationReport, Res.CustomGroupConfigurationReport, Res.CustomTwoGroupConfigurationReport, SCC_banner_landscape.jpg, SCC_banner_portrait.jpg, SystemCenterCentral.Utilities.Certificates.CertCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.CertCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.Components.Image16, SystemCenterCentral.Utilities.Certificates.Components.Image80, SystemCenterCentral.Utilities.Certificates.SoonToExpireCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.SoonToExpireCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.InvalidCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.InvalidCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.ValidCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.ValidCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.Certificate.Image16, SystemCenterCentral.Utilities.Certificates.Certificate.Image80, SystemCenterCentral.Utilities.Certificates.CRL.Image16, SystemCenterCentral.Utilities.Certificates.CRL.Image80, SystemCenterCentral.Utilities.Certificates.CertStore.Image16, SystemCenterCentral.Utilities.Certificates.CertStore.Image80, SystemCenterCentral.Utilities.Certificates.CurrentCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.CurrentCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.NotUpdatedCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.NotUpdatedCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.RootCertificate.Image16, SystemCenterCentral.Utilities.Certificates.RootCertificate.Image80.

    any ideas as to what could be causing the issue?

  70. Raphael Burri (post author)

    Hi Jas

    The reason for this is that the MP is in 2.0 schema (SCOM 2012). You can see this on the first line of the MP’s XML. If a 2.0 pack contains resources like icons, report scripts or other binaries, it is sealed into a bundle file (.mpb) instead of .mp.

    Unfortunately this makes unsealing and resealing a difficult task that requires using Visual Studio Authoring Extensions. The actual resource files you can easily get when unbundling the .mpb file. Then you’d have to start a new VSAE project that links the files as “EmbeddedResource” and seal it to an mpb file. Some hints on how to achieve this post by Tao Yang: “Adding Images to OpsMgr 2012 Management Packs in VSAE”.

    Raphael

  71. Jas Tatla

    Hi Raphael – I currently administer a multi-tenant SCOM solution and I am trying to implement the MP for one of our customers (hence the previous post on unbundling the MP). I have disabled the following discoveries:

    SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.CRL.Discovery

    SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.NonRootCertificate.Discovery

    I also removed the following override

    SystemCenterCentral.Utilities.Certificates.RootCertificateStoreGroup.Discovery.QuickStartOverride

    I then imported the MP and created overrides targeting a custom group for the above discoveries, but nothing is being populated in the Certificate store availability view.

    Any ideas or suggestions on what I need to do to get this working?

    thanks in advance

  72. Raphael Burri (post author)

    Hi Jas
    Have you enabled the root discovery at all? In the 1st step the certificate store (normally the personal computer store “My”) needs to be discovered. That discovery is disabled by default.
    Only after a store has been discovered will the certificate and CRL discoveries kick in (the ones that are active by default).
    So the MP wouldn't do anything after having been imported, even without your modification.
    Have a look at the included Quick Start Override MP – that simply enables the discovery of the local computer store My.
    Cheers
    Raphael

  73. Jas Tatla

    Hi Raphael – thanks for all your help. I have managed to deploy the MP to a specific group using your suggestions. One issue I have come across, however, is that the MP has discovered some of the legacy Windows certs in the root store (I have tried to attach a picture but currently it's not working).

    From reading the documentation I thought the MP was supposed to disregard these types of certs?

    any ideas would be appreciated.

    thanks

  74. Raphael Burri (post author)

    Hi Jas
    Just drop me a quick email with the details on the certificates that shouldn’t be monitored. Actually the MP will discover them but disable monitoring via an override (they should become members of a group called “Certificates and CRLs required by Windows Group”). You’ll find the email address at the end of the MP guide.
    Cheers
    Raphael

  75. Martijn

    Hi Raphael,

    What should we do if the certificate is not valid due to an unknown error in the partial chain?

    According to SSLbox from Symantec the certificate chain is valid but older browsers may not support it.

    Their exact recommendation:
    Update your certificate chain.

    Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate.

    What if we don’t want to support older browsers any more and we don’t want to use such intermediates? And want to keep the monitor working as intended?

    Update: So the Unknown Error alert basically means: Missing intermediate certificate to support older browsers (using SHA1 algorithm, which should no longer be used asap).

  76. Raphael Burri (post author)

    Hi Martijn
    Unfortunately I do not completely understand what your requirement around those certificates is. However; you could:
    – completely disable the monitors for those certificates, either with an override to the actual certificate instance or to a group of certificates.
    – keep those certificates from being discovered via the exclude filters on the certificate store discovery
    – it might also be possible to alter the advanced verification settings as described in chapter “Changing certificate validation properties” in the MP guide. E.g. setting the RevocationFlag to EndCertificateOnly (which should lead to ignoring an invalid chain). Possibly one of the VerificationFlags settings could also help. This depends on the nature of the certificate in question.
    Please feel free to drop me an email if you need more guidance (see the guide for the address).
    Raphael

  77. Pete

    Hi Raphael,

    We’ve been using the PKI MP in 2012 R2 for a short while now, and everything has been fine. Just recently however, we’ve started seeing a lot of certificate alerts with missing information in the alert:

    Alert Description
    Source: Cert
    Alert Monitor: View or edit the settings of this monitor
    Created: 9/25/2014 8:38:42 PM
    The certificate {0}.
    Certificate Subject: {1}
    Serial number: {2}
    Store Name: {3}

    Store Key: {4}
    Store Provider: {5}
    Store Type: {6}

    Just wondering if you’ve seen this behavior before, and whether you had any ideas on how to resolve?

    Thanks.

  78. Raphael Burri (post author)

    EDIT: It turns out that this issue may be caused by certificates that do not have a “Subject” property but are using Subject Alternative Names (SAN). If so, make sure you run the latest version of the MP as this issue was fixed in the upgrade to 1.2.1.3.
    Raphael

    Hi Pete
    Is this a “certificate about to expire” monitor alert? If so, please check if the values on the monitor context and the certificate's properties were present at the time the alert was triggered. Please see the health explorer context for “context” data (e.g. the property bag the underlying ProbeAction returned to the monitor) and the state view for instance property values.
    {0}: CertLifeTimeMessage –> Context (check health explorer)
    {1}: Certificate: Subject –> Property of certificate
    {2}: Certificate: Serial Number –> Property of certificate
    {3}: Store: Store Name –> Property of hosting certificate store
    {4}: Store: Id –> Property of hosting certificate store
    {5}: Store: Provider –> Property of hosting certificate store
    {6}: Store: Type –> Property of hosting certificate store

    The monitor should normally replace those with the appropriate string values. I've seen this only once, when I had agents or management servers that were out of sync with the management group configuration after upgrade tests from the 1.x MP to the current release. After restarting (and flushing the health service cache) the issue vanished. I suggest you contact me via email (see the end of the MP guide) to investigate this issue further.
    Cheers
    Raphael

  79. TomasHr

    Hello Raphael, we probably found a bug in the MP (latest version).
    We have a large environment, and monitoring for most certificates works great (more than 1000 certs).
    But on a small group of certificates we have a crazy issue: the MP generates the error "Certificate lifespan alert", but the error is false; directly in the error msg you can see for example “The certificate expires in 955 days on 05/14/2017 14:43:23 UTC”. On another line we see “CertTimeStatus NotTimeValid: Unknown error ” – this is probably the cause of the issue; the MP script receives some error and creates a false error. The problem is tied to the certificate, not to the server; for example we have a server with 10 certificates, and the false error is generated only by 3 of them. I tried debug mode and received event 119 “Certificate_Verify_Script_V4.ps1 : Unable to load and extend System.Security.Cryptography.X509Certificates namespace with X509CRL2. Retrying on the next script run.”, but as I wrote before, most certificates on this server are monitored without any problem.
    Do you have any idea how to fix this issue?

    Thank you very much
    Tomas Hruby

  80. Kris

    I have installed the MP and have it set to monitor just the personal stores on all our servers and that is working well. The problem I am having is that I have been requested to set up an additional monitor to send an alert out as critical when a cert reaches 7 days to expiration. I have been looking at a way to create this but have found no good way to do it. So we basically want a warning at 21 days and a critical alert at 7 days.

    Thanks

  81. Raphael Burri (post author)

    Hi Arthur
    Adding a task to delete (or archive) certificates is a great idea. The reason such a task is not yet in the MP is not really a technical one, but:
    – getting a confirmation before running the task is not possible (does the user really want to remove the certificate?)
    – auditing would become near impossible if agents are running as LocalSystem. Knowing who deleted a certificate would be impossible.
    – a SCOM operator could potentially delete many certificates by selecting them all on the console and then running the task
    For those reasons I usually do not include tasks that modify agent system configurations in public MPs. However; I might consider including such a task in a future release. Maybe as part of a “use with caution” add-on MP?
    Cheers
    Raphael

  82. Arthur Silvany

    Raphael,

    Thanks for pointing out the risk, but I have created the task through the certutil command, because we have over 300 expired certificates to delete. The task works properly; however, when I delete an expired certificate, the critical object state still remains in the expired certificate and the dashboard view. When I reset it, it does not disappear in the views and it changes the state to healthy. How can I remove this deleted object in the views you created?

    cheers,

    arthur

  83. gd

    Hi Arthur

    I’d be careful about deleting expired certificates automatically. As mentioned here:

    http://blogs.technet.com/b/heyscriptingguy/archive/2013/03/05/use-powershell-to-find-certificates-that-are-about-to-expire.aspx

    “Windows ships with expired certificates because certain executables that have been signed with a certificate, but have not been resigned with a new certificate, need the old certificate to ensure the validity of the certificate.”

    It is a great MP, but I find at an enterprise level this is generally better achieved using SCCM (if you have it at your disposal). I try to emphasise SCCM for configuration \ state information and validation and SCOM for real-time performance and availability monitoring. One reservation is over the discovery of each certificate, which can add a significant number of objects to SCOM, especially if this approach is then extended to other configuration data.

    Thanks for the pack and the great work you do.

    Graham

  84. Raphael Burri (post author)

    Thanks to Graham for pointing out that deleting certificates is not always recommended or may even be fatal. Many of the expired certificates in the Trusted Root, Intermediate and Third-Party stores are indeed required by Windows to operate properly (and there's a warning in the MP guide about that).
    The MP's main focus is on keeping an eye on the certificates imported into the “Computer's Personal” store (My), and please make use of the filtering possibilities to make sure you only discover and monitor the certificates required.
    The next MP update I am working on will also allow filtering on “Template” for certificates that were issued by a Windows Enterprise CA. That way you may exclude autoenrolled certificates, for example.
    Raphael

  85. Casper

    Hi Raphael

    Thanks a lot for your MP. It’s been a great help to us.

    However we now have 2 certificates that it claims are invalid and I can’t figure out why.

    The first one is an internal certificate used in another domain and it says “PartialChain: A certificate chain could not be built to a trusted root authority.”. However if I log on to the server and open up the certificate the entire chain shows as valid. So why does the MP think it is invalid? What are the exact checks it uses?

    The second is a public certificate from GoDaddy and it says “Revoked: Unknown error”. However I just checked with GoDaddy and the certificate is not revoked, but it uses the Sha1 algorithm and they recommend Sha2. Why does your MP say it is invalid? What are the exact checks it uses?

    Thanks a lot for your help! 🙂

  86. ehrnst

    Hello,

    Thank you for this management pack. We have been using it for a couple of months now, and it was a relief to discover all our customers' certificates. Today, a colleague of mine received an alert for a certificate and looked in the certificate expired view. Here the cert. is in critical state, and the expiry date is “Valid to (UTC) 07/01/2015 12:00:00”. The problem is that in Norway the date for July 1 is written 01/07/2015. Any ideas on how to fix this?

  87. Raphael Burri (post author)

    Hi Ernst
    This is unexpected, as the MP should absolutely be capable of handling European date formats (especially as I am from Switzerland)! Please get in touch with me so we can look into this. You'll find my contact details at the end of the MP guide.
    Raphael

  88. Raphael Burri (post author)

    Hi Casper
    It is difficult to pinpoint the issue you're seeing with the GoDaddy chain from your short comment. However, I suspect the following: the SCOM agent is (normally) running in the system context (NTAuthority\System) unless you've configured a different default action account. When you're checking the certificates interactively, you're doing so using your own Windows account.
    I've witnessed situations where a certificate chain update would not fully apply for SYSTEM (presumably due to restricted internet access), while it was automatically re-rolled for interactive accounts. In order to check what exactly is going on, you'd have to start investigating using the system account (e.g. using Sysinternals' PsExec tool).
    Please feel free to drop me an email should you require additional support on this. You’ll find the address at the end of the MP guide.
    Raphael
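    An added example, not the MP's own verification script: it builds the chain for every certificate in the computer's Personal store with .NET's X509Chain, which is where the status texts quoted in this thread (PartialChain, Revoked, NotTimeValid) come from, and it shows the effect of the RevocationFlag setting mentioned in Raphael's reply to Martijn (EndCertificateOnly versus the .NET default ExcludeRoot). Run it once in your own session and once under the agent's account (SYSTEM via PsExec, as suggested above) to see whether the two contexts disagree. Store name and policy defaults are assumptions; the MP guide documents the settings the MP itself uses.

```powershell
# Added example; not the MP's Certificate_Verify_Script. Reports the X509Chain status
# for every certificate in LocalMachine\My under the account running the script.
function Test-CertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Which chain elements are revocation-checked. EndCertificateOnly ignores
        # revocation problems on intermediates and the root.
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]$RevocationFlag = 'ExcludeRoot',
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online',
        # e.g. 'AllowUnknownCertificateAuthority' tolerates an untrusted root; 'NoFlag' is strict.
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]$VerificationFlags = 'NoFlag'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationFlag    = $RevocationFlag
    $chain.ChainPolicy.RevocationMode    = $RevocationMode
    $chain.ChainPolicy.VerificationFlags = $VerificationFlags
    $isValid = $chain.Build($Certificate)
    # ChainStatus is empty when the chain is fine; otherwise one entry per problem, e.g.
    # "PartialChain: A certificate chain could not be built to a trusted root authority."
    $problems = foreach ($s in $chain.ChainStatus) { '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim() }
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        RevocationFlag = $RevocationFlag
        IsValid        = $isValid
        ChainDepth     = $chain.ChainElements.Count
        Problems       = if ($problems) { $problems -join '; ' } else { '-' }
    }
}

# The account matters: the agent normally evaluates chains as SYSTEM, not as you.
'Evaluating as: ' + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadOnly')
try {
    $report = foreach ($cert in $store.Certificates) {
        Test-CertChain -Certificate $cert                                     # default policy
        Test-CertChain -Certificate $cert -RevocationFlag EndCertificateOnly  # relaxed policy
    }
} finally {
    $store.Close()
}
$report | Format-Table Subject, RevocationFlag, IsValid, ChainDepth, Problems -AutoSize -Wrap
```

    A certificate that is valid with EndCertificateOnly but invalid with ExcludeRoot points at the intermediate or root part of the chain (missing intermediate, unreachable CRL/OCSP for the issuer) rather than at the certificate itself; a result that differs between SYSTEM and an interactive account usually means the two contexts hold different intermediate certificates, which is the situation described in the reply above.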

  89. chris Morgan

    Hey Raphael,

    Thanks for the awesome MP. Everything works except CRL discovery. I used your example MP for the default set of overrides. Do you have any quick suggestions of what could be configured incorrectly? Again, thanks for all that you do in the community.

  90. Raphael Burri (post author)

    Hi Chris
    CRL discovery should run automatically once a certificate store containing a CRL has been discovered. However; the default timing is rather conservative. Hence it might take up to 12 hours until the 1st discovery cycle completes.
    Which certificate store have you stored your CRLs in? And can you see those stores in the view “Certificate Stores Availability”?
    If you used the “Quick Start” Override MP, all that will be discovered are the “Personal” certificate stores of your agents. So far I haven’t seen sites where CRLs were kept there. Rather they reside in one of the other stores (root, intermediate etc.). Those are not discovered by the “Quick Start” override MP.
    Raphael

  91. chris Morgan

    Thanks Raphael,

    That worked perfectly. I now see CRLs and CRLs-not-updated entries. Would it be possible to configure notification for CRL expiration as well as cert expiration? We have an offline root CA whose CRL expiration is much shorter than the expiration of the cert. I was told that an alert needs to be generated before the CRL expires, as well as the cert, so that the offline CA can be brought online and re-validated.

    Raymond

  92. Raphael Burri (post author)

    Hi Raymond
    I am going to add an override to the CRL monitor in the next release of the MP. This will allow you to define how many days in advance you would get alerted for not-updated CRLs.
    That update will not be ready immediately as I am also incorporating other extensions and will have to find the time to run all the necessary tests.
    Raphael

  93. Scott

    This is a *GREAT* MP, already critically useful, but I have one question: in the ‘Certificates -’ views (expired, valid, invalid, about to expire) the columns for ‘Valid from (UTC)’ and ‘Valid to (UTC)’ sort as text rather than as dates. Is there any way to get these views to sort by date (newest to oldest and/or vice versa)?

    Scott

  94. Arthur Silvany

    Raphael,

    I have a PKI infrastructure in my company and a CRL file that is imported in the intermediate CA. This file has an expiration date and I would like to monitor when this date will expire soon. Do you have any idea how I can monitor this? Does your MP have this monitor/rule?

    About the last question: I have created the task c:\windows\system32\certutil.exe with the -delstore My $Target/Property[Type="Certificate!SystemCenterCentral.Utilities.Certificates.Certificate"]/CertThumbprint$ parameter. It works properly!!! After running the Remove-SCOMDisabledClassInstance PowerShell command, the expired certificate state in the dashboard is removed.

    cheers,

    arthur

  95. Christian

    Dear Raphael,

    I've installed this MP, which is quite useful. I would only have one remaining question with it: if I decide to “not care” about some of the expired certs, I simply close the alert, but this way the computer object itself will be in critical state because of the aggregation. If I manually reset the state of that certificate sub-object under the computer object, it is okay and turns green, but after some time the management pack re-discovers that expired cert. Is there any way to “acknowledge” some of the expired certificates? And not care about them?

    Thank you for the help!

    Best Regards,

    Christian

  96. Raphael Burri (post author)

    Hi Christian
    I’ve got an update nearly ready, that – among other improvements – will feature a task to mark certificates such that they are no longer monitored. It is accomplished by appending a string to the “Friendly Name” of a certificate. Those certificates will then become members of a group. An override targeted at this group will disable the monitors for those instances.
    Please get in touch with me via email (see the end of the MP guide). I can then give you access to a preview version of that update.
    Alternatively you can easily implement such a dynamic group and overrides yourself.
    Regards
    Raphael
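    As an added example (not the MP's task and not code from this thread), here is a small PowerShell function covering both ways of taking a certificate out of monitoring that Raphael describes: the Friendly Name marker used by the upcoming task (the marker text here is an assumption; the real one is in the MP guide) and the Archived flag suggested earlier for superseded certificates, with a way to undo the archive. It works on one certificate identified by thumbprint so that it cannot accidentally touch a whole store.

```powershell
# Added example; not the MP's own task. Marks one certificate (by thumbprint) so that a
# discovery filter or a dynamic group can exclude it from monitoring.
# -Action Tag      : append a marker to the Friendly Name (marker text is an assumption)
# -Action Archive  : set the Archived flag; archived certificates disappear from normal
#                    store enumeration, so check first that the consuming application
#                    does not still need this exact certificate
# -Action Unarchive: undo Archive
function Set-CertMonitoringMark {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('Tag', 'Archive', 'Unarchive')][string]$Action = 'Tag',
        [string]$StoreName = 'My',
        [string]$Tag = '[NoMon]'          # assumed marker string
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    # Archived certificates are hidden unless the store is opened with IncludeArchived.
    $flags = if ($Action -eq 'Unarchive') { 'ReadWrite, IncludeArchived' } else { 'ReadWrite' }
    $store.Open($flags)
    try {
        $found = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -ne 1) {
            throw "Expected exactly one certificate with thumbprint $Thumbprint in $StoreName, found $($found.Count)"
        }
        $cert = $found[0]
        switch ($Action) {
            'Tag' {
                # Property writes on a certificate taken from an open store persist in that store.
                if (-not ([string]$cert.FriendlyName).Contains($Tag)) {
                    $cert.FriendlyName = ("$($cert.FriendlyName) $Tag").Trim()
                }
            }
            'Archive'   { $cert.Archived = $true }
            'Unarchive' { $cert.Archived = $false }
        }
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            FriendlyName = $cert.FriendlyName
            Archived     = $cert.Archived
        }
    } finally {
        $store.Close()
    }
}

# Usage (thumbprint is a placeholder):
# Set-CertMonitoringMark -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -Action Tag
```

    Tagging is the reversible, auditable option: the certificate stays visible to every application and only the MP's group membership changes, whereas an archived certificate is invisible to applications that enumerate the store without IncludeArchived.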

  97. k.schneider42

    If a override is used to selectively enable monitoring of servers, I find if the override is deleted the server still appears in the “Certificate Store Availability”.  Any way to remove it?

    Great Pack and thanks for all your efforts!

  98. Varun

    Hi,

    This MP works perfectly and I appreciate your efforts!

    I have one requirement where I want to capture Issued By in the alert monitor, which is not shown by default until you open the alert's more information.

    How can that be added in alert description?

    Any help is appreciated.

  99. Raphael Burri (post author)

    Hi Varun
    1.3.0.0 will bring an updated, much more verbose alert description.
    As I was just about to get this release ready, I have quickly added the “Issuer” property value to the alert’s description. Lucky I had an unused parameter left… An alert will look like the attached picture in the future. I hope this serves your needs.
    Please stay tuned for the upcoming release of the update (or drop me an email so I can send a preview version to you).
    Raphael

    1.3_Alert_Description_Sample

    P.S.: This sample alert shows a highly specific issue, where the certificate itself is valid, but its chain in the context of the monitoring user (SYSTEM) is not.

  100. Raphael Burri (post author)

    In reply to k.schneider42:

    As you noticed, simply removing an “enable” override will not remove any already discovered items from SCOM’s repository. The discovery will no longer be executed but the objects will remain in the repository and monitoring for them will continue. This is by design and the proper way to address this is to make use of the “Remove-SCOMDisabledClassInstance” commandlet.

    It is important to understand that the command will remove objects (class instances) for which a “Disable” override exists. It will never remove any objects in case a discovery was disabled in the original MP code.

    For the certificate MP (where all store discoveries are disabled by default) this basically means that you will have to:

    1) Change the “Enable” Override into a “Disable” Override on the cert store discovery

    2) Run “Remove-SCOMDisabledClassInstance” after the MG has synchronized

    3) Remove the “Disable” overrides.

    Cheers

    Raphael
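    An added example, not from the MP guide: the three steps above written as OperationsManager cmdlets. The management server, the unsealed override MP, and the discovery's display name are placeholders for your environment; editing an existing override through the SDK (change the element, then commit the unsealed MP it lives in) is the usual pattern and is assumed here, since there is no dedicated cmdlet for it.

```powershell
# Added example; not part of the MP. Server, MP name and discovery name are placeholders.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName 'scom-ms01.example.com'

$overrideMp = Get-SCOMManagementPack -Name 'Custom.PKI.Overrides'          # unsealed MP holding the override
$discovery  = Get-SCOMDiscovery -DisplayName 'PLACEHOLDER store discovery'  # the cert store discovery you enabled

# The "Enable" override created for the group lives in the unsealed MP.
$enableOverride = @(Get-SCOMOverride -Discovery $discovery |
    Where-Object { $_.GetManagementPack().Name -eq $overrideMp.Name -and
                   $_.Property -eq 'Enabled' -and $_.Value -eq 'true' })
if ($enableOverride.Count -ne 1) {
    throw "Expected exactly one Enable override in $($overrideMp.Name), found $($enableOverride.Count)"
}
$override = $enableOverride[0]
$mp       = $override.GetManagementPack()   # commit through the same MP instance the element belongs to

# Step 1: turn the "Enable" override into a "Disable" override.
$override.Value = 'false'
$mp.AcceptChanges()

# Step 2: once the management group has synchronised the new configuration, purge the
# instances of the now-disabled discovery. The cmdlet only acts on explicit "Disable"
# overrides, never on discoveries that are disabled in the sealed MP itself.
Start-Sleep -Seconds 300                        # allow for config sync; adjust to your environment
Remove-SCOMDisabledClassInstance -Confirm:$false

# Step 3: remove the temporary "Disable" override again (mark PendingDelete, then commit).
$override.Status = [Microsoft.EnterpriseManagement.Configuration.ManagementPackElementStatus]::PendingDelete
$mp.AcceptChanges()
```

    After step 3 the discovery is back to its sealed default (disabled), which is why no further override is needed; verify in the "Certificate Store Availability" view that the store objects are gone before re-enabling the discovery for a different group.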

  101. k.schneider42

    Thanks for taking the time to respond. I realize that my question was probably more of the proper way to use SCOM. I appreciate the answer and your efforts with this management pack.

  102. Nicholas Bostwick

    Please modify the certificate class properties as such:

    <Property ID="CertValidFrom" MinLength="0" CaseSensitive="false" Key="false" Type="datetime"/>

    <Property ID="CertValidTo" MinLength="0" CaseSensitive="false" Key="false" Type="datetime"/>

    You will also want to modify the output in the ps1 file on lines 628,629

    to such:

    $objCertBag.AddValue("CertValidFrom", [datetime]$_.cert.NotBefore.ToUniversalTime())
    $objCertBag.AddValue("CertValidTo", [datetime]$_.cert.NotAfter.ToUniversalTime())

  103. Raphael Burri (post author)

    Hi Nicholas
    I’d love to do this – but I am afraid that changing the class model will break upgrade compatibility.
    I do realise that it is due to the “string” interpretation, that one cannot properly sort on the state views.
    Raphael

  104. Raphael Burri (post author)

    To everyone following this space:

    I’ve just uploaded the update to version 1.3.0.0. Please have a look at the changes section of the MP guide plus the updated release notes, before you attempt to upgrade.

    Due to the changes in the alert format, it is required to reset all pending alerts from this MP (states to be exact) and let them be recreated. Otherwise you’ll experience alert parameter replacement issues (alerts showing {0} instead of text).

    Also – the newly added MP ReDiscoveryTasks is entirely optional. The security warning during import originates from a SCOM management server-side write action included (the one that triggers immediate re-discovery).

    Raphael

  105. Arthur Silvany

    Hi,

    When I override the certificate lifespan monitor to critical, the alert remains warning (about to expire alert). Does the new MP correct this?

    Arthur

  106. Raphael Burri (Post author)

    Hi Arthur

    No, no changes there. Let me explain a bit. The lifespan monitor is a 3-state monitor. Unfortunately there are some design limitations around that type of monitor. The lifespan monitor is implemented as such:

    It will by default raise an alert when the warning condition (<21 days left) is met. The alert is also written with warning severity. If the certificate then expires, the monitor will change to critical; however, the alert is not recreated nor is its severity changed (that is the standard SCOM behaviour).

    Using overrides, you may change:

    – the threshold for the warning condition

    – “Alert on State”: if set to critical, no alert will be triggered BEFORE the certificate expires

    – “Alert Severity” and “Alert Priority”: So you can have a critical alert created.

    If you set both the “Alert on State” and the “Alert Severity” overrides, you can have a CRITICAL alert created when the CRITICAL health state condition is met (the certificate expired). However, you will no longer get an alert ahead of time. Just the health state change.

    Raphael
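    The three-state behaviour described in the reply above, as an added PowerShell example (not the MP's script and not the author's code): it evaluates the lifespan state of every certificate in a store and separately decides whether, and with which severity, an alert would be raised under the two overrides. The parameter names ($WarningThresholdDays, $AlertOnState, $AlertSeverity) are assumptions standing in for the MP's override names; the 21-day default is the one stated above.

```powershell
# Added example, not part of the PKI Certificate Verification MP.
# Health state and alert severity are evaluated separately, which is why
# overriding "Alert Severity" alone does not change *when* the alert appears.
param(
    [int]    $WarningThresholdDays = 21,            # MP default warning condition
    [string] $AlertOnState         = 'Warning',     # assumed override name; Warning = warning or critical
    [string] $AlertSeverity        = 'Warning',     # assumed override name; severity written into the alert
    [string] $StorePath            = 'Cert:\LocalMachine\My'
)

function Get-LifespanState {
    param([datetime]$NotAfter, [int]$WarningDays, [datetime]$Now = (Get-Date).ToUniversalTime())
    $daysLeft = ($NotAfter.ToUniversalTime() - $Now).TotalDays
    if ($daysLeft -le 0)            { return 'Critical' }   # certificate has expired
    if ($daysLeft -le $WarningDays) { return 'Warning' }    # about to expire
    return 'Healthy'
}

# "Alert on State = Warning" covers warning and critical; "Critical" covers critical only.
$rank = @{ Healthy = 0; Warning = 1; Critical = 2 }

Get-ChildItem -Path $StorePath | ForEach-Object {
    $state      = Get-LifespanState -NotAfter $_.NotAfter -WarningDays $WarningThresholdDays
    $wouldAlert = $rank[$state] -ge $rank[$AlertOnState]
    $severity   = $null
    if ($wouldAlert) { $severity = $AlertSeverity }   # the alert carries the configured severity, not the state
    New-Object PSObject -Property @{
        Subject       = $_.Subject
        NotAfterUtc   = $_.NotAfter.ToUniversalTime()
        HealthState   = $state
        WouldAlert    = $wouldAlert
        AlertSeverity = $severity
    }
} | Select-Object Subject, NotAfterUtc, HealthState, WouldAlert, AlertSeverity |
    Sort-Object NotAfterUtc | Format-Table -AutoSize
```

    Running it with -AlertOnState Critical reproduces the trade-off in the reply: expired certificates show WouldAlert = True, but certificates inside the warning window show a Warning health state with no alert.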

  107. Julian Milano (JDMils)

    I’m getting a lot of alerts/subscriptions for certificates either about to expire or expired but I only want alerts/subscriptions for certificates containing the string “ABCDEFGH” and all others should be disregarded.

    This string will appear in one or more of the following sections of the certificates:

    * Display Name
    * Subject

    I’ve created a generic subscription for expired certs using the Alert Monitor: Certificate lifespan, but how do I customize the subscription to only activate when the string is present in the cert properties?

    Thanks.

  108. Pingback: SCOM: Updates PKI Certificate Verification MP – v1.3.0.0 | OpsMan

  109. Raphael Burri (Post author)

    Hi Julian

    SCOM has a rather limiting issue with the “specific text in description” filter on the subscription. One cannot use text that is part of a parameter – just static text will work. As the certificate subject is dynamically added during alert creation, any subscription trying to filter on it will not trigger. See KB 978359 for some background information.

    Basically I see three ways to get your subscription working:

    a) Define your subscription, export the “Notification Internal Library” MP and modify the rule. Replace “AlertDescription” with “AlertParams” (the alert parameters column name in the dbo.Alert DB table) and re-import the MP. Huge caveat: Every time you modify the subscription in the GUI, your changes will be lost.

    b) Define a discovery filter to have only those certificates monitored by SCOM that contain your string in the subject.

    c) Create a dynamic group with certificates matching your string in the “Subject” property; then use “any instance of a specific group” for your subscription.

    When it comes to subscriptions, I like creating dynamic groups with the objects that need to have their alerts forwarded (certificates in your case) – and then use that group as a target for the subscription. That way I won’t have to worry about the filter syntax, plus everyone can easily verify which objects would have their alerts sent out through a subscription. Just look at the members of the group.

    Raphael

  110. JonnyD

    I got an alert saying this certificate has expired on one of my servers

    Alert description: The certificate has expired on 12/31/2002 07:00:00 UTC. Certificate Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp. Certificate Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp. Serial number: 198B11D13F9A8FFE69A0 Store Name: Intermediate Certification Authorities Store Key: CA Store Provider: SystemRegistry Store Type: LocalMachine Monitoring User: NT AUTHORITY\SYSTEM Chain Time Details: — Certificate Status — NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. — Chain Status Overview — Level 0:CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp. IsVerified

    any idea?

  111. SCOM

    Hi,

    I have recently imported the “SystemCenterCentral.Utilities.Certificates.mpb” in my SCOM 2012. The issue I face is that, in monitors, it does not show the Certificate Lifespan monitor. I have been advised by my client to change the settings but I can’t as the monitor is not listed at all. To be sure, I checked the mpb using MP Viewer and it shows there but not in SCOM. Please help.

  112. Peter Svensson

    Hi!

    Great MP! Will save us a ton of issues regarding certificates.

    When testing the CRL monitoring we got an alert “CRL Update Required”. In the Alert details it states: Update is/was required by: 08/26/2015 07:25:23

    However, the alert was created 2015-08-27 12:51:30. That’s more than 24 hours after the update is required. The monitor runs every 4 hours if I am correct. And we haven’t changed any override values.

    Are we missing something in the way the monitor works?

    Regards Peter

  113. Naren

    Hi,

    I have downloaded and imported successfully the PKI MP Download: PKI Certificate MP 1.3.0.0 (SCOM 2012)

    Also setup the Run As profile and privileges provided, but still it does not show up any servers under the Monitoring -> Certificates about to Expiry/valid, etc.

    Please advise what else needs to be done from our end to get the alerts for the certificates about to expire.

    Thanks,

    Naren.

  114. Pingback: Bluewin Hosting Center | The Best Online Hosting

  115. Scott

    It appears there is an issue with the “Monitoring Disabled (by Friendly Name)” view.

    Currently the view shows Certificates where the Friendly Name matches the following pattern:

    %_disabled

    However, in actuality, the pattern that will show certificates that are disabled from monitoring is this:

    %DoNotMonitor

    For example, right now if I open the sealed view from the management pack it shows no certificates, even though I have disabled many. However, if I create my own view in my workspace and use the second pattern above, that view will show me all the certificates I have disabled for monitoring.

    I’m hopeful this will be fixed in a future update. Also, I know the date fields are actually text and so are not sortable, and changing that would break the update-ability of the management pack, but speaking for myself (and probably more than a few others) it would be worth it for me to have to delete the old pack and start over with a new pack where the dates sort correctly.

    Anyway, love this management pack, and thanks!

  116. Scott

    Also, I would love to see a way to have a ‘Warning’ alert at X days and then a ‘Critical’ alert at Y days from expiration.

    Alternatively or additionally, if the MP were to gather the hours-to-expiration as a perfmon stat on the cert we could all write our own monitors that trigger based on our internal policies.

  117. MC-RIch Ellis

    Installed on our SCOM 2012 R2 UR7 SCOM Server and got the message below. Any ideas? TIA

    PKI Certificate Validation V2 could not be imported.

    If any management packs in the Import list are dependent on this management pack, the installation of the dependent management packs will fail.

    Cannot find resource with ID Res.TwoGroupCustomConfigurationReportDataGet_Install, Res.TwoGroupCustomConfigurationReportDataGet_Uninstall, Res.TwoGroupCustomConfigurationReportDataGet_Upgrade, Res.CustomConfigurationReport, Res.CustomGroupConfigurationReport, Res.CustomTwoGroupConfigurationReport, SCC_banner_landscape.jpg, SCC_banner_portrait.jpg, SystemCenterCentral.Utilities.Certificates.CertCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.CertCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.Components.Image16, SystemCenterCentral.Utilities.Certificates.Components.Image80, SystemCenterCentral.Utilities.Certificates.SoonToExpireCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.SoonToExpireCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.InvalidCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.InvalidCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.ValidCertGroup.Image16, SystemCenterCentral.Utilities.Certificates.ValidCertGroup.Image80, SystemCenterCentral.Utilities.Certificates.Certificate.Image16, SystemCenterCentral.Utilities.Certificates.Certificate.Image80, SystemCenterCentral.Utilities.Certificates.CRL.Image16, SystemCenterCentral.Utilities.Certificates.CRL.Image80, SystemCenterCentral.Utilities.Certificates.CertStore.Image16, SystemCenterCentral.Utilities.Certificates.CertStore.Image80, SystemCenterCentral.Utilities.Certificates.CurrentCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.CurrentCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.NotUpdatedCRLGroup.Image16, SystemCenterCentral.Utilities.Certificates.NotUpdatedCRLGroup.Image80, SystemCenterCentral.Utilities.Certificates.RootCertificate.Image16, SystemCenterCentral.Utilities.Certificates.RootCertificate.Image80.

  118. Wesley

    Does anyone know what the official license for this Management Pack is? I am looking to deploy this at a corporate client of mine, and there is some concern over using “free” software when the license is unclear. I have tried reaching out to the author via email and have not yet received a response.

  119. Michael

    Hi,

    I’ve seen a comment here regarding Event ID 119 and I got similar Events on some Servers.

    Event ID 119: Certificate_Verify_Script_V5.ps1 : Unable to load and extend System.Security.Cryptography.X509Certificates namespace with X509CRL2. Retrying on the next script run.

    Do you have any idea how to fix this?

  120. Peter Svensson

    Hi!

    We have 3 CRLs that get discovered and we get these CRL objects in SCOM. Here is the Event ID 112 from the OpsManager log on that server.

    Certificate_Verify_Script_V5.ps1 : Script enumerated certificates and CLRs from store ‘LocalMachine\SystemRegistry\My’

    N° of certs: 5 of 5
    N° of CRLs: 3 of 3

    The property bags of this script are being consumed by discovery as well as monitoring workflows.

    Then we added 2 more CRLs. We don’t get these back as objects, it’s only the 3 that were there before. Here is the output from the log.
    Certificate_Verify_Script_V5.ps1 : Script enumerated certificates and CLRs from store ‘LocalMachine\SystemRegistry\My’

    N° of certs: 8 of 8
    N° of CRLs: 3 of 5

    The property bags of this script are being consumed by discovery as well as monitoring workflows

    So it seems to find 2 more but states N° of CRLs: 3 of 5. And it’s only showing 3 in the CRL State view. What does this mean?

  121. Raphael Burri (Post author)

    Hi Peter

    The script skipping CRLs could be due to a configured “issuer” filter. The same regular expression is being applied for certificates as well as CRLs.

    May I suggest you temporarily activate debugging on the CRL discovery rule (override)? This should give you more details on the evaluation process by writing extra events to the event log.

    Raphael

  122. Peter Svensson

    Hi Raphael!

    Thanks for the reply.

    I did enable debug on the CRL Discovery. (No special overrides are done on the discovery, it’s the default one.)

    Looking in the Eventlog:
    It still only finds three CRLs (Event ID 115). It also finds 8 certificates (Event ID 114). But I only find one certificate object in SCOM.

    How can you tell in the Event log which one the Discovery creates an object for?

  123. Peter Svensson

    Hi!

    Some more update on this issue.

    I changed the “Enhanced Key Usage Filter – Exclude (RegEx)” parameter of the discovery from ^1\.3\.6\.1\.4\.1\.311\.47\.1\.(1|3)$ to ^$ on the specific server. Still the same output from the debug logs as above.

    So there is something fishy with the Discovery that I don’t quite understand.

  124. Deyan Kochev

    Dear Raphael,

    Thanks for the great work! I am confused because some Articles refer to the following:

    Note:
    The Management Packs for Active Directory Certificate Services monitors the core Certification Authority, but does not monitor Certificate Services role services (such as the Online (OCSP) responder, Network Device Enrollment Services (NDES), Certificate enrollment web services, NDES, or CA web enrollment).

    Is this true, or has it already changed in the newer versions of the management pack?

  125. Casper

    Need help…

    I installed the MP. I created an override to discover the personal certificate store for all servers. I got all the expected certificate stores. However, when I go into the Personal store on some of the servers they have expired certificates, which the MP does not show. It doesn’t even seem to discover them. Why does it only discover some of the certificates? I went ahead and searched for “certificate” on the Object Discoveries and have now tried pretty much enabling everything I can find that seems even remotely relevant, but without luck. Here are some details of a certificate it does not show:

    [REMOVED]

    The certificate is placed in -> Certificates (Local Computer) -> Personal -> Certificates. I can see that in this location we have 9 certificates, but I only get 1 of them shown in SCOM by the MP.

    Any ideas?

    EDIT: I updated to version 1.3 and then made 2 overrides:
    – Discovery of local computer’s certificate store “MY / Personal” (registry)
    – Discover Self-Signed Certificates (locally)
    After about 10 minutes they all started showing up. However now I’m curious why it shows expired certificates as healthy. It lists them under expired certificates, but they are listed as healthy and we get no alert for them?

    EDIT2: Waiting another 30 minutes and reading the guide helped. After 30 minutes most of the certificates changed to a warning. The few that didn’t had been superseded by new certificates.

  126. slivesey

    I just installed version 1.3x with the QuickStart overrides. On a significant number of my agents, I am not discovering any certificates. In MPStudio, I can see that the discovery workflows are running, but when I check the agent servers’ OperationsManager event log, I see a stream of repeating event ID 111 and 112 events.

    What do these indicate and what can I do to remediate?

    Log Name:      Operations Manager
    Source:        Health Service Script
    Date:          1/12/2016 11:13:15 PM
    Event ID:      111
    Task Category: None
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      SERVERNAME.COMPANY.com
    Description:
    Certificate_Verify_Script_V5.ps1 : Script starting with default certificate verification flags as the overridden parameters were invalid:

    Parameters:
    ———–
    storeName: My
    storeProvider:
    storeType:
    revocationFlag:
    revocationMode:
    verificationFlags:
    expiryThresholdDays: 31
    debugParam: false

    PowerShell Host / Version / PID:
    ——————————–
    OpsMgr PowerShell Host / 2.0 / 3312

    Exception Detail:
    —————-
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509RevocationFlag” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “EndCertificateOnly, EntireChain, ExcludeRoot”.
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509RevocationMode” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “NoCheck, Online, Offline”.
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509VerificationFlags” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “NoFlag, IgnoreNotTimeValid, IgnoreCtlNotTimeValid, IgnoreNotTimeNested, IgnoreInvalidBasicConstraints, AllowUnknownCertificateAuthority, IgnoreWrongUsage, IgnoreInvalidName, IgnoreInvalidPolicy, IgnoreEndRevocationUnknown, IgnoreCtlSignerRevocationUnknown, IgnoreCertificateAuthorityRevocationUnknown, IgnoreRootRevocationUnknown, AllFlags”.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Health Service Script" />
    <EventID Qualifiers="0">111</EventID>
    <Level>3</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-01-13T04:13:15.000000000Z" />
    <EventRecordID>659368</EventRecordID>
    <Channel>Operations Manager</Channel>
    <Computer>SERVERNAME.COMPANY.com</Computer>
    <Security />
    </System>
    <EventData>
    <Data>Certificate_Verify_Script_V5.ps1</Data>
    <Data>Script starting with default certificate verification flags as the overridden parameters were invalid:

    Parameters:
    ———–
    storeName: My
    storeProvider:
    storeType:
    revocationFlag:
    revocationMode:
    verificationFlags:
    expiryThresholdDays: 31
    debugParam: false

    PowerShell Host / Version / PID:
    ——————————–
    OpsMgr PowerShell Host / 2.0 / 3312

    Exception Detail:
    —————-
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509RevocationFlag” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “EndCertificateOnly, EntireChain, ExcludeRoot”.
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509RevocationMode” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “NoCheck, Online, Offline”.
    Cannot convert value “” to type “System.Security.Cryptography.X509Certificates.X509VerificationFlags” due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are “NoFlag, IgnoreNotTimeValid, IgnoreCtlNotTimeValid, IgnoreNotTimeNested, IgnoreInvalidBasicConstraints, AllowUnknownCertificateAuthority, IgnoreWrongUsage, IgnoreInvalidName, IgnoreInvalidPolicy, IgnoreEndRevocationUnknown, IgnoreCtlSignerRevocationUnknown, IgnoreCertificateAuthorityRevocationUnknown, IgnoreRootRevocationUnknown, AllFlags”.
    </Data>
    </EventData>
    </Event>
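    The exception in the Event ID 111 above comes from casting an empty override value (“”) straight to the X509 enumerations. The following added PowerShell example (not the MP's Certificate_Verify_Script_V5.ps1 and not the author's code) shows the same parameter set handled so that a blank value means “use the default” and only a present-but-invalid value triggers the fall-back, then uses the resulting policy to build a chain for each certificate in the store. The parameter names are taken from the event's parameter list; the defaults are the .NET X509ChainPolicy defaults, not necessarily the MP's.

```powershell
# Added example, not part of the PKI Certificate Verification MP.
# Blank override values are treated as "not overridden" instead of being cast,
# which is what produces 'Cannot convert value "" to type ...X509RevocationFlag'.
param(
    [string] $storeName         = 'My',
    [string] $revocationFlag    = '',   # e.g. EndCertificateOnly, EntireChain, ExcludeRoot
    [string] $revocationMode    = '',   # e.g. NoCheck, Online, Offline
    [string] $verificationFlags = ''    # e.g. NoFlag, or "IgnoreNotTimeValid, IgnoreWrongUsage"
)

$ns = 'System.Security.Cryptography.X509Certificates'

function ConvertTo-EnumOrDefault {
    param([string]$Value, [string]$TypeName, $Default)
    # Blank means "not overridden": keep the default silently.
    if ([string]::IsNullOrEmpty($Value.Trim())) { return $Default }
    try {
        # [Enum]::Parse accepts comma-separated names for [Flags] enums such as X509VerificationFlags.
        return [Enum]::Parse([type]"$ns.$TypeName", $Value, $true)
    } catch {
        # Present but invalid: log it and fall back, as the MP script does with its defaults.
        Write-Warning ("Invalid {0} '{1}', using default {2}" -f $TypeName, $Value, $Default)
        return $Default
    }
}

$policy = New-Object "$ns.X509ChainPolicy"   # carries the .NET defaults (ExcludeRoot, Online, NoFlag)
$policy.RevocationFlag    = ConvertTo-EnumOrDefault $revocationFlag    'X509RevocationFlag'    $policy.RevocationFlag
$policy.RevocationMode    = ConvertTo-EnumOrDefault $revocationMode    'X509RevocationMode'    $policy.RevocationMode
$policy.VerificationFlags = ConvertTo-EnumOrDefault $verificationFlags 'X509VerificationFlags' $policy.VerificationFlags

$store = New-Object "$ns.X509Store" $storeName, 'LocalMachine'
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        $chain = New-Object "$ns.X509Chain"
        $chain.ChainPolicy = $policy
        $isValid = $chain.Build($cert)
        # ChainStatus lists every reason the chain failed (NotTimeValid, RevocationStatusUnknown, ...).
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        New-Object PSObject -Property @{
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter.ToUniversalTime()
            Valid    = $isValid
            Reasons  = $reasons
        } | Select-Object Subject, NotAfter, Valid, Reasons
    }
} finally {
    $store.Close()
}
```

    With all three parameters left blank the script runs with the policy defaults and no warning; passing, for example, -revocationMode Offlin produces the warning and the fall-back instead of an unhandled cast error.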

  127. Pingback: The Anatomy of a Good SCOM Alert Management Process – Part 2: Road blocks to good alert management. - Working with System Center - Site Home - TechNet Blogs

  128. Mathieu Lacoste

    Hello, I really like the MP and thank you very much for it. However, I have a strange bug with the 2007 R2 version of the MP: when discovering the “Intermediate Certification Authorities Computer Certificate Store” the following error occurs:

    **************

    The process started at 15:25:48 was terminated due to a failure in collecting output due to error ‘0x80070057 : The parameter is incorrect.

    ‘, some data may have been lost.

    Command executed: “C:\Windows\system32\cscript.exe” //nologo “C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 35\2150\SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.vbs” CookDown “CA” false

    Working Directory: C:\Program Files\System Center Operations Manager 2007\Health Service State\Monitoring Host Temporary Files 35\2150\

    One or more workflows were affected by this.

    Workflow name: SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.CRL.Discovery

    Instance name: Intermediate Certification Authorities Computer Certificate Store

    ************************

    It seems related to the certificate called “Microsoft Windows Hardware Compatibility”, which is of course expired, because when I remove the certificate the error seems to go away. Our client doesn’t want this certificate to be removed from the store (for whatever reason…).

    Any clues?

    Thanks!

    Mathieu

  129. Pingback: SCOM Certificate Monitoring – does the Health Service really use the correct Certificate? - Operating Operations Manager - Site Home - TechNet Blogs

  130. krysred

    I have started using the 1.3.0.0 version of this MP in SCOM 2012 R2. After enabling the discoveries and waiting a full 24 hours, I am only seeing 8 out of 17 certificates from the Trusted Root Certification Authorities store. I have tweaked the overrides trying to capture all of them but no luck. What am I missing?

  131. krysred

    So related to my previous post, I found the PowerShell script in the unsealed file and see that it is using the StoreProvider = SystemRegistry. It looks like you programmed in the ability to change this to System, which when I do that and manually run the script results in all of my certs being discovered. How can I get some to run the script with the variable set to System?

  132. Arunz

    Hi,

    I’ve a problem monitoring CRLs with this MP. Does it work for anyone?

    After deploying the MP, all the certificates in the Personal store can be monitored without any issues, but the CRLs are not monitored and are not showing as monitored on the dashboard.

    [Screenshot: Certificates validity]

    The highlighted servers are the root CAs on which the CRL (URL link) is hosted on IIS.

    Any suggestions or help here to fix this is highly appreciated.

    Thank you!

  133. David Sjölund

    Thanks for a great MP!

    Would it be possible to include Subject Alternative Name as a property in the certificate Discovery?
    It would be nice to see if a cert has a SAN in the state view.

    /David

  134. Marvin

    Hi,

    How can I modify the certificate class properties as such:

    <Property ID="CertValidFrom" MinLength="0" CaseSensitive="false" Key="false" Type="datetime"/>
    <Property ID="CertValidTo" MinLength="0" CaseSensitive="false" Key="false" Type="datetime"/>

    and also the output in the ps1 file to such:

    $objCertBag.AddValue("CertValidFrom", [datetime]$_.cert.NotBefore.ToUniversalTime())
    $objCertBag.AddValue("CertValidTo", [datetime]$_.cert.NotAfter.ToUniversalTime())

    Do I have to update the management pack? How do I do it? Is there another way?

    thank you!

  135. Pingback: The Anatomy of a Good SCOM Alert Management by Nathan Gau | Scompanion

  136. MarkB2

    Hi Raphael

    Firstly, many thanks for your efforts producing and maintaining this MP. It is an awesome piece of work and fills a huge gap.

    I am trying to monitor our local certificate server. I have installed version 1.3.0.0 and am not seeing what I expected. Steps I have taken:-

    I have enabled the discovery “Discovery of local computer’s certificate store “My / Personal” (registry)” for the certificate server.

    When I look in the Operations Manager event log on the certificate server I can see EventID 110 – Certificate_Verify_Script_V5.ps1 starting.

    The next EventID is 112 – Certificate_Verify_Script_V5.ps1 : Script enumerated certificates and CLRs from store ‘LocalMachine\SystemRegistry\My’

    N° of certs: 1813 of 1813
    N° of CRLs: 0 of 0

    The property bags of this script are being consumed by discovery as well as monitoring workflows

    This is the correct number of certificates in the store. However, I only see 1 expired certificate in the SCOM state view.

    I have read through the previous posts and you recommended enabling the Debug option (Nice addition by the way). So I created an override for the discovery “Discover Non-CA Certificates (locally)”. Now on the certificate server I see the same EventID 110 and loads of EventID 112 (One for each certificate).

    It appears that the discovery process is working but it is not populating the groups and state views in SCOM. Am I missing something?

    Thanks

    Mark

  137. brunovar

    Hi,

    I’ve installed the version 1.3.0.0 and the MP is working well 🙂

    There is only a problem with the “Monitoring Disabled (by Friendly Name)” view, which remains empty. The view shows certificates where the Friendly Name matches the following pattern:

    %_

    but in the disabled Certificates in the Friendly Name you have:

    _DoNotMonitor

  138. Tiago

    Hi,

    Is there a way to ignore certificates that have been expired for a long time (for instance, 6 months)? I got several alerts stating that certificate X has been expired for more than one year; however, those certificates remain in the store and have not been deleted.

    Regards,

    Tiago

  139. Pingback: SCOR 2012: Monitor expired CA certificates | SystemCenterTipps

  140. Joe

    First of all, thanks for the work put into creating this MP.  Very useful in our environment.

    I’m trying to figure out how to exclude discovery of multiple certificate templates that are configured for auto-enrollment. I would like to use OIDs to filter them out, as some machines are not domain connected and don’t display the template name in the cert store.

    I found the location where to filter, but can’t figure out how to add multiple OIDs:

    Object Discovery Name: Discovery of local computer’s certificate store “My / Personal” (registry)

    Parameter Name: Certificate Template Filter – Exclude (RegEx)

    Thanks for any help.

  141. Ken

    Great MP. Is there a way to configure the MP to add an additional warning notification for 10 days before certs expire? So in essence alerts would come in at the 21 day mark (default) and if the issue hasn’t been resolved by the 10 day mark another warning alert would be generated. Thanks in advance.

  142. Daya Ram

    Hi,

    How can we apply an override on the include regular expression to check for multiple certificate issuers? I have 3 certificate issuers and need to get certificates from these and exclude the rest from other issuers.

    Regards,

    Daya Ram

  143. Daya Ram

    Hi Everyone,

    Could anyone help me on this query please?

    How can we apply an override on the include regular expression to check for multiple certificate issuers? I have 3 certificate issuers and need to get certificates from these and exclude the rest from other issuers.

    Regards,

    Daya Ram
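    Several posts in this thread (the EKU exclude pattern in post 123, the multiple template OIDs in post 140 and the multiple issuers in posts 142 and 143) come down to the same regular-expression question. The following added PowerShell example (not the MP's code and not the author's) applies include/exclude patterns to the certificates in a store and shows how one pattern can cover several issuers or several OIDs with alternation. How the MP applies its filters internally is not shown on this page, so the matching here (a case-insensitive -match against the issuer string, the EKU OIDs and the template OID) is an assumption; the parameter names, issuer names and template OIDs are constructed samples.

```powershell
# Added example, not part of the PKI Certificate Verification MP.
# Demonstrates alternation ( a|b|c ) in include/exclude filters for issuers and OIDs.
param(
    [string] $StorePath            = 'Cert:\LocalMachine\My',
    # Three issuers in one include pattern (sample names). Anchored at the start of the
    # issuer DN; (,|$) stops "CA 1" from also matching "CA 10".
    [string] $IssuerIncludeRegex   = '^CN=(Corp Issuing CA 1|Corp Issuing CA 2|Partner CA)(,|$)',
    # Two auto-enrolled templates by OID (sample OIDs); \. matches a literal dot.
    [string] $TemplateExcludeRegex = '^1\.3\.6\.1\.4\.1\.311\.21\.8\.1111\.2222\.(1\.1|1\.2)$',
    # Same idea for the EKU OID exclude pattern quoted earlier in the thread; ^$ disables it.
    [string] $EkuExcludeRegex      = '^1\.3\.6\.1\.4\.1\.311\.47\.1\.(1|3)$'
)

$ns = 'System.Security.Cryptography.X509Certificates'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (V2 templates)

function Get-TemplateOid {
    param($Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) { return $null }
    # Windows formats this extension as "Template=<oid or name>, Major Version Number=..., ..."
    # (assumption about the Format() text; adjust the pattern if your build prints differently).
    if ($ext.Format($false) -match 'Template=([0-9.]+)') { return $matches[1] }
    return $null
}

function Get-EkuOids {
    param($Cert)
    $Cert.Extensions |
        Where-Object { $_ -is [type]"$ns.X509EnhancedKeyUsageExtension" } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Test-CertificateFilter {
    param($Cert, [string]$IssuerInclude, [string]$TemplateExclude, [string]$EkuExclude)
    # An empty include pattern means "include everything"; ^$ as an exclude matches nothing.
    if ($IssuerInclude -and ($Cert.Issuer -notmatch $IssuerInclude)) { return $false }
    $template = Get-TemplateOid $Cert
    if ($template -and $TemplateExclude -and ($template -match $TemplateExclude)) { return $false }
    foreach ($eku in @(Get-EkuOids $Cert)) {
        if ($EkuExclude -and ($eku -match $EkuExclude)) { return $false }
    }
    return $true
}

Get-ChildItem -Path $StorePath | ForEach-Object {
    $keep = Test-CertificateFilter $_ $IssuerIncludeRegex $TemplateExcludeRegex $EkuExcludeRegex
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Issuer     = $_.Issuer
        Template   = Get-TemplateOid $_
        Discovered = $keep
    }
} | Select-Object Thumbprint, Issuer, Template, Discovered | Format-Table -AutoSize
```

    The Discovered column shows which certificates would survive the three filters; replacing the sample issuer names and OIDs with your own and checking that column before setting the override avoids the silent “3 of 5” situation discussed earlier in the thread.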
