Many years have passed since I first published the certificate MP back in summer 2009. Almost 5 years(!) later this management pack still fills a gap by keeping an eye on PKI certificates installed locally in servers’ certificate stores. Certainly about time for an update.
Today I am able to release a major update – a complete re-write rather – of the PKI Certificate Verification MP. It is hosted over at SystemCenterCentral.com in the MP Catalog.
MP change history
- SCOM 2012 / 2012 R2 support only (the legacy MP 184.108.40.206 is still available for use on SCOM 2007).
- main monitoring script now uses PowerShell instead of VB Script, making it compatible with any system locale and easier to maintain.
- new, advanced certificate verification flag overrides
- dashboard view
Some extra words on the effort
The main aim with this update is to make the MP’s code easier to maintain. Hence I first recreated the entire MP as a Visual Studio project with the Authoring Extensions. This involves taking apart the MP’s elements, adding each one as a separate item to a VS project structure. Next I started writing a new discovery and monitoring script based on PowerShell. This script does most of the work by essentially enumerating certificates and certificate revocation lists in local certificate stores. Due to limitations in PowerShell regarding CRLs and alternate certificate stores, this script got rather complex. No chance of getting away with something easy and straight forward as ‘ls cert:\LocalMachine’. With the first CRLs getting discovered, tests, more tests, some extra testing plus updating the documentation were left.
While I did not clock the hours, the update kept me busy in much of my spare and commuting time during the last 4 months. And I must mention everybody helping with code samples, advise, by testing and reviewing. Pete, Vadim, Marc, Joel, Bob, Dan, Marnix, Stan, Tao and Dirk – this wouldn’t be here today without your help!