Update January 2019 – gone Open Source
Compatible with SCOM 2016 and 2019
If you are still using or plan to do so: The PKI Certificate Management Pack can now be found in open source on GitHub: https://github.com/rafabu/SCOM-PKICertificateMP
Get the latest release from there and get involved. The downloads on this site will no longer be maintained and eventually removed.
Update June 22, 2015 – Version 188.8.131.52 now available for download.
Compatible with SCOM 2012 and SCOM 2012 R2 only.
NOTE: This update will only import on SCOM 2012 and later.
PKI Certificates serve to protect web sites by enabling SSL, secure cross-server communication and see many other uses.
The PKI Certificate Verification MP discovers PKI Certificates and Certificate Revocation Lists inside computers’ local certificate stores. It helps preventing service interruptions caused by invalid certificates by alerting when:
– a certificate’s lifetime is about to expire
– a certificate’s lifetime has ended
– a certificate has become invalid because of a different reason
– a CRL has not been updated in a timely manner
The MP contains a full set of inventory reports to help you audit certificates. The included guide contains detailed instructions on how to configure the MP. Click the Download links at bottom to download the management pack archive.
The PKI Certificate Verification MP was a jointly developed by Raphael Burri, Pete Zerger and Jaime Correia, specifically for release on the SystemCenterCentral.com site.
An article on MP authoring by the same authors uses the PKI Certificate Verification MP as a sample to explain the concepts and procedures of writing a Management Pack. It is available on the site at the link below
Changes between 184.108.40.206 (August 2014) and 220.127.116.11 (June 2015)
- Added Tasks: Archive Certificate, List Certificate Properties, Disable/Enable Monitoring, Rediscover (in optional add-on MP)
- Added Recoveries: Archive Certificate, Disable Monitoring
- Added Discovery: Web Hosting certificate store (Server 2012 / 2012 R2)
- Additional certificate property: Certificate Template. It is also listed on reports.
- Discovery filter expanded to certificate template.
- Alert description: Additional details on the certificate chain and SCOM action account used.
- CRL Lifetime Monitor: Threshold is exposed as an overridable parameter.
- CRL health roll up monitor added.
- Expiring certificate view & report: Default threshold of 1 month may be overridden.
- Views: Changed criteria on views to make them more reliable when using user scopes.
- Reporting bug: Certificate inventory did not list all certificates.
- Additional MP: Rediscovery Tasks. Immediate trigger of store content discovery after archive, disable/enable or rediscover tasks
Changes between 18.104.22.168 (April 2014) and 22.214.171.124 (August 2014)
- Discovery Filter with include and exclude regular expression on certificate subject as well as on certificate and CRL issuer.
- Discovery Filter on “Ehanced Key Usage”. By default the MP does no longer discover MS Network Access Protection certificates (napHealthyOid and napUnhealthyOid). Other OIDs may be excluded as well.
- PowerShell compatibility monitor got triggered on 2012 (when no PoSh 1.0 key existed).
- Using 1st certificate SAN as subject in case the subject is empty (not defined).
Changes between 126.96.36.199 (March 2012) and 188.8.131.52 (April 2014)
- re-written MP, main logic now based on a PowerShell instead of a VB script.
- full support for Windows Server 2012 (R2)
- dropped SCOM 2007 support (use the legacy version 184.108.40.206 if SCOM 2007 is still a requirement).
- support any system locale.
- advanced certificate validation overrides.
Changes between 220.127.116.11 (March 2011) and 18.104.22.168 (March 2012)
- Corrected a discovery bug that would hit when a server’s locale was non-US and CA certificates were found in the store.
- Fixed some spelling issues in display strings
- Verified OpsMgr 2012 compatibility
Changes between 22.214.171.1248 (released Jun 17, 2010) and 126.96.36.199
- Improved discovery of Issued to and Issued by properties: Will use Subject Alternative Name if certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
- Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, that certificate is a Windows CA one.
- Does no longer discover superseded CA certificates. Evaluation is based on the CA Version property. Additional override to change that behavior if required.
- Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
- Expose script timeout as an overridable parameter
- Changed alert priority to ‘Low’.
- Broke upgrade path to avoid potential agent stale issues when upgrading from V 188.8.131.520 or earlier.
Changes between 184.108.40.2060 (released April 19, 2010) and 220.127.116.110
- Much more relaxed script timing
- cook down safe timing override option
- public certificate store data source (to add custom certificate stores)
- better compatibility with legacy Operation Systems (2000 & 2003)
- introduces a Release Notes document; which is a must read for updates from any previous release to 18.104.22.1688!
Please read the release notes carefully before attempting an upgrade of any previously released version.
The download consists of a zip archive with the management pack, guide, release notes plus examples:
Download: PKI Certificate MP 22.214.171.124 (SCOM 2016/2019)
Download: PKI Certificate MP 126.96.36.199 (legacy SCOM 2007). Note that this version is no longer being developed.
- SHA-1: 1753524A1A969572EFE0EE9E8301C9FECC83B0AF