Raphael Burri's blog

Mostly about Systemcenter Operations Manager 2012

PKI Certificate Verification Management Pack

Posted by rburri on September 2, 2009

PKI certificates are used to provide SSL encryption for web sites, to secure cross-server traffic (for example to connect gateway servers or agents in untrusted domains to OpsMgr), to guarantee the identity of the sender of a message, and so on. What all certificates have in common is that they tend to be forgotten once they have been requested and installed, until a certificate that was vital to a service becomes invalid, mostly because it has expired.

To avoid service interruptions or the embarrassment of SSL warning messages displayed to users, the PKI Certificate Verification Management Pack was born. It discovers certificates and certificate revocation lists (CRLs) stored locally on computers and alerts you when:

  – a certificate is about to expire (by default 21 days in advance)
  – a certificate has expired
  – a certificate has become invalid for another reason (for example an untrusted or broken chain)
  – a CRL has not been updated in a timely manner

The MP also includes a series of inventory reports, which help you keep track of all the certificates in your environment. You will find more details in the comprehensive MP guide.
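As an added illustration, and not the MP's own discovery script (the MP drives CertUtil from VBScript), the following PowerShell maps the four alert conditions above onto checks an agent could run locally against one certificate store. It uses the .NET X509 classes behind the Cert: drive for certificates and parses certutil -store output for the cached CRLs. The store names, the 21-day threshold and the assumed certutil output format are noted in the comments:

```powershell
# Added example, not the MP's own discovery script: classify the certificates and
# cached CRLs of one local machine store the way the MP's four alert conditions do.
# Store names are the internal (registry) names CertUtil uses: My = Personal,
# CA = Intermediate Certification Authorities, Root = Trusted Root.
param(
    [string]$StoreName = 'My',   # as in 'certutil -verifystore MY'
    [int]$WarnDays     = 21,     # MP default: warn this many days before expiry
    [string]$CrlStore  = 'CA'    # store whose cached CRLs are checked for NextUpdate
)
$now = Get-Date

function Get-CertificateStatus {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.NotAfter -lt $now) { return 'Expired' }
    $daysLeft = [math]::Floor(($Cert.NotAfter - $now).TotalDays)
    if ($daysLeft -le $WarnDays) { return "Expires in $daysLeft day(s)" }
    # Not expired: build the chain to catch "invalid for another reason"
    # (untrusted root, broken chain, revoked). Offline revocation mode only uses
    # CRLs already cached on the machine, so this behaves like an agent-side script.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Offline'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    try {
        if ($chain.Build($Cert)) { return 'Valid' }
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        return "Invalid ($reasons)"
    } finally {
        $chain.Reset()
    }
}

function Get-CrlStatus {
    param([string]$Store)
    # The Cert: drive exposes certificates only; CRLs are read from 'certutil -store',
    # which prints each cached CRL as a "================ CRL n ================" block
    # with Issuer:, ThisUpdate: and NextUpdate: lines. Assumption: English certutil
    # output and a date format the current culture can parse.
    $text   = (certutil -store $Store 2>$null) -join "`n"
    $blocks = ($text -split '=+ CRL \d+ =+') | Select-Object -Skip 1
    foreach ($block in $blocks) {
        $issuer = [regex]::Match($block, 'Issuer:\s*(.+)').Groups[1].Value.Trim()
        $next   = [regex]::Match($block, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        $status = if (-not $next) { 'No NextUpdate' }
                  elseif ([datetime]::Parse($next) -lt $now) { 'CRL overdue' }
                  else { 'CRL current' }
        [pscustomobject]@{ Issuer = $issuer; NextUpdate = $next; Status = $status }
    }
}

# Certificates: one row per certificate, oldest expiry first
Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | ForEach-Object {
    [pscustomobject]@{
        Store      = $StoreName
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Status     = Get-CertificateStatus -Cert $_
    }
} | Sort-Object NotAfter | Format-Table -AutoSize

# CRLs: an overdue NextUpdate is the "CRL not updated in a timely manner" case
Get-CrlStatus -Store $CrlStore | Format-Table -AutoSize
```

The "Invalid" reasons are the X509ChainStatusFlags names (for example UntrustedRoot, PartialChain, Revoked), which is the same information the MP surfaces as "invalid for another reason". Run it with `-StoreName Root` or `-StoreName CA` to cover the other stores the MP can be configured to discover.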

[Screenshot: Certificate Verification Screen Shot]

Download

The MP and the guide are available for download at the SystemCenterCentral.com site:

Download from SystemCenterCentral.com MP Catalog

I wrote the MP in close collaboration with Pete Zerger and Jaime Correia of the SCC community. Without their help and the support of everyone testing the MP, it wouldn’t be here today.

MP Creation Zen

And there’s more! For everyone interested in learning how to author MPs: have a look at the 6-part series MP Creation Zen. The articles walk you through the process of writing an MP, carefully clarifying everything you need to know. Wherever possible, the authoring examples use the new and much improved OpsMgr 2007 R2 Authoring Console and show how the PKI Certificate Verification MP itself was written. I recommend the documents to everyone planning to write a Management Pack themselves without being an application developer.


17 Responses to “PKI Certificate Verification Management Pack”

  1. Great job! Really an MP that many customers ask for. Thanks so much.

    Will post about this MP on my blog, all credits to you all of course.

  2. Pavel Rybakov said

    Great work as usual.. Very thoroughly built and documented MP.
    Thank you Raphael…

  3. Pavel Rybakov said

    I am not sure if this is a glitch, but if you look in any of the State views for the discovered Certificates, you will find that the Path value for the certificate will contain word “My” after the computer name. Example: “server1.contoso.com;My”. But if I look at the Path Name attribute value for the same certificate object it will contain something like: server1.contoso.com\Personal Computer Certificate Store\Certificate certificatename.consoto.com

    Is it possible that “My” is part of the registry path? I didn’t really look through the discovery script.

    This is a very minor issue and does not affect functionality.

    • rburri said

      Pavel
      “My” is the internal (registry) key name of the personal certificate store that hosts your certificate. I’ve chosen this as the primary key of the certificate store objects (you’d see CA, Root etc. as well if you chose to discover other stores as well). If you attempt to use the CertUtil command, you’ll need to use exactly these strings to select a given certificate store as a target.

      “Personal Computer Certificate Store” on the other hand is the Display Name property of the same object.

      What is a bit confusing is that OpsMgr is displaying the path in two different ways: In the state view it is composed of the primary key attribute values – the path name attribute is composed from the display names of the path objects.

      Cheers,
      Raphael

  4. […] take a look on PKI Certificate Verification Management Pack, other good MP, from Raphael Burri, Pete Zerger and Jaime […]

  5. Maekee said

    Hi Raphael,
    I am using the MP and am very happy about it; this is something Microsoft should have created a long time ago, but until then I will use this. One thing I hope you have heard of, so it’s not just me: I am using 1.0.0.270 today, and when 1.0.0.288 came out I imported that, but one not so fun thing happened: all of our Agents stopped receiving the Config Data. I created a call to MS Premier Support and they found that it was the PKI Certificate MP that caused it; I removed it and it started working again. I have now installed the 270 version of the MP and it works. But I have an issue with it: the Valid From and Valid To are incorrect on almost half of our certificates that are located under the “Certificates – Valid” State View.
    These Certificates have the same Valid from and Valid to, and that is the information from the RootCA-certificate under Trusted.

    I don’t dare to update this MP again if I don’t know that you have found the issue that caused all of my agents to stop receiving new config.

    Can i fix the Attribute of Valid to/from myself?

    /Maekee

    • rburri said

      Hi Maekee
      Sorry to hear you had to go through so much trouble with the latest version of the MP. I am using the MP at several sites myself and have not experienced similar issues.
      However, there might indeed be situations when the agents begin to lock up after an upgrade. The reason is internal changes to the MP which will actually break the upgrade compatibility of any override MPs referencing the PKI Certificate MP. As they are not sealed, OpsMgr will fail to check them for upgrade compatibility and might subsequently refuse to load any other MPs. In the release notes I have a note about that.

      Do you think you could test in a non-productive environment if the situation is not appearing when you remove 270 before importing 288?

      If your agents still stop receiving updates then there must be something wrong in the MP and I’ll definitely attempt to fix it as quickly as possible.

      Raphael

  6. Ramesh said

    1. Can’t we upgrade the PKI Cert MP to the latest version 1.0.1.15 from 1.0.0.280 as it’s an unsealed MP, or is that due to the change below?

    Broke upgrade path to avoid potential agent stale issues when upgrading from V 1.0.0.280 or earlier.

    2. Also I see a few more agents that have not discovered their personal cert store in the inventory node. Error from a win2k server where I copied certutil.exe:

    SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.vbs : Discovery: The certificate verification script did not get a valid result back from CertUtil.exe. The error message was:
    CertUtil: -verifystore command FAILED: 0x800b0101 (-2146762495)

    • rburri said

      Hi Ramesh
      1: This is expected. You’ll have to remove the previous version before being able to import the latest one. I have attempted to explain why I took the difficult decision to do that in the post.
      2: Does the certutil command you copied to your W2K servers run correctly when you use it manually? CD into the installation directory, then run ‘certutil -verifystore -v MY’. Be sure to use binaries from a Windows 2003 SP2 server (or image) and do not replace the W2K ones in the Windows installation directory. The procedure is explained in the release notes.

      If you need additional help please send me an email at “raburri ( at ) bluewin (dot) ch”

  7. […] Community […]

  8. OpsMgr certificate expiration (#SCOM, #SYSCTR)…

    Recently I had an opportunity to spend an hour with a group ……

  9. Simon Murray said

    Is it possible to filter on the certificate template? We have a number of computer certificates which renew automatically and I don’t want to monitor these. I would only like to monitor web server certificates and some other template types. I’m monitoring the local machine store “My”, but don’t see the certificate template being captured in the discovery. I’m looking for a way to filter out certificate templates which are installed in the local machine store which I am not concerned about.

    • rburri said

      Hi Simon
      Unfortunately this is not possible even with the latest update to the MP. The template is not being picked up by the script.
      Raphael
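An added example that is not part of the MP (which, as stated in the reply above, does not capture the template): a separate PowerShell script can read the template from the Microsoft certificate template extensions and drop auto-enrolling templates before anything is reported. The two extension OIDs are the real ones; the list of templates to ignore and the `Cert:\LocalMachine\My` scope are assumptions to adapt to your CA:

```powershell
# Added example, not part of the PKI Certificate Verification MP: derive the
# template of each certificate in the local machine Personal store and filter
# out templates whose certificates autoenroll and renew on their own.
#   1.3.6.1.4.1.311.20.2  Certificate Template Name (v1 templates; value is the name)
#   1.3.6.1.4.1.311.21.7  Certificate Template Information (v2+; template OID + version)
$templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

function Get-CertificateTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # Format() lets CryptoAPI decode the ASN.1 value into display text.
            # v2 extensions render as "Template=<name or OID>(<oid>), Major Version Number=..., ..."
            # The name is only resolved when the template is known to this machine;
            # otherwise the OID itself is returned, which still filters reliably.
            $text = $ext.Format($false)
            $m = [regex]::Match($text, 'Template=([^(,]+)')
            if ($m.Success) { return $m.Groups[1].Value.Trim() }
            return $text.Trim()   # v1: the decoded value is just the template name
        }
    }
    return $null                  # no template: self-signed or not issued by AD CS
}

# Assumption: templates with autoenrollment that should not raise expiry alerts.
# 'Machine' is the internal name of the built-in "Computer" template.
$ignoreTemplates = 'Machine', 'DomainController', 'Workstation Authentication'

Get-ChildItem -Path Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'Template'; Expression = { Get-CertificateTemplate -Cert $_ } } |
    Where-Object { -not ($ignoreTemplates -contains $_.Template) } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

Certificates without either extension return an empty Template, so they are kept; that is deliberate, because manually requested web server certificates from third-party CAs are usually exactly the ones that need watching.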

  10. Kevin Wornell said

    I am just getting this MP up in our environment. I am seeing a lot of Alerts about certificates that expired a long time back. Is there any way to set an override to only look for Certs that were issued after say January 1 2010?

    • rburri said

      Hi Kevin
      Unfortunately such a filter is not part of the current MP design (this includes the latest updates).
      Raphael

  11. Scommer said

    Hi all

    First I want to say thanks for this MP,
    I have some problems discovering the CRLs in different CA stores.
    I’m using SCOM 2012 R2 and the discovery runs on Windows Server 2008 R2.

    Does anyone have the same issue? Or have any idea?

    Thanks
