Raphael Burri's blog

Mostly about Systemcenter Operations Manager 2012

PKI Certificate Verification Management Pack Update – 1.2.0.210

Posted by rburri on April 16, 2014

Many years have passed since I first published the certificate MP back in summer 2009. Almost 5 years(!) later this management pack still fills a gap by keeping an eye on PKI certificates installed locally in servers’ certificate stores. Certainly about time for an update.

Today I am able to release a major update – a complete re-write rather – of the PKI Certificate Verification MP. It is hosted over at SystemCenterCentral.com in the MP Catalog.

MP change history

  • SCOM 2012 / 2012 R2 support only (the legacy MP 1.0.1.20 is still available for use on SCOM 2007).
  • main monitoring script now uses PowerShell instead of VBScript, making it compatible with any system locale and easier to maintain.
  • new, advanced certificate verification flag overrides
  • dashboard view

Some extra words on the effort

The main aim with this update is to make the MP’s code easier to maintain. Hence I first recreated the entire MP as a Visual Studio project with the Authoring Extensions. This involves taking apart the MP’s elements, adding each one as a separate item to a VS project structure. Next I started writing a new discovery and monitoring script based on PowerShell. This script does most of the work by essentially enumerating certificates and certificate revocation lists in local certificate stores. Due to limitations in PowerShell regarding CRLs and alternate certificate stores, this script got rather complex. No chance of getting away with something as easy and straightforward as ‘ls cert:\LocalMachine’. With the first CRLs getting discovered, tests, more tests, some extra testing plus updating the documentation were left.
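To illustrate the kind of enumeration described above, here is an added example that is not the management pack's script: it opens a named local machine store through .NET, builds a chain for each certificate with configurable revocation mode and verification flags, and reports expiry. The function name, parameters and the 30-day threshold are assumptions, and CRLs are not covered because `X509Store` only returns certificates.

```powershell
# Added example, not the MP's own code. Get-LocalCertificateStatus and its
# parameters are hypothetical names; WarnDays = 30 is a constructed default.
function Get-LocalCertificateStatus {
    param(
        [string]$StoreName = 'My',
        [int]$WarnDays = 30,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online',
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]$VerificationFlags = 'NoFlag'
    )
    $ns = 'System.Security.Cryptography.X509Certificates'
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    # Opening by name reaches stores beyond the well-known StoreName enum values.
    $store = New-Object "$ns.X509Store" -ArgumentList $StoreName, $location
    # OpenExistingOnly: fail instead of silently creating a mistyped store name.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # $true = build the chain in machine context, as a service account would.
            $chain = New-Object "$ns.X509Chain" -ArgumentList $true
            $chain.ChainPolicy.RevocationMode    = $RevocationMode
            $chain.ChainPolicy.RevocationFlag    = 'ExcludeRoot'
            $chain.ChainPolicy.VerificationFlags = $VerificationFlags
            $chainOk  = $chain.Build($cert)
            $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            # Expiry is reported ahead of chain errors so an expired certificate
            # is not hidden behind a generic "invalid chain" state.
            $state = if     ($daysLeft -lt 0)          { 'Expired' }
                     elseif (-not $chainOk)            { 'ChainInvalid' }
                     elseif ($daysLeft -le $WarnDays)  { 'ExpiringSoon' }
                     else                              { 'Healthy' }

            [pscustomobject]@{
                Store       = $StoreName
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                DaysLeft    = $daysLeft
                State       = $state
                ChainStatus = $problems
            }
            $chain.Reset()
        }
    }
    finally { $store.Close() }
}

Get-LocalCertificateStatus -StoreName 'My' | Sort-Object DaysLeft | Format-Table -AutoSize
```

Passing `-RevocationMode NoCheck` or a verification flag such as `IgnoreEndRevocationUnknown` shows how relaxing the chain policy changes which certificates are reported as `ChainInvalid`.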

While I did not clock the hours, the update kept me busy in much of my spare and commuting time during the last 4 months. And I must mention everybody helping with code samples, advice, by testing and reviewing. Pete, Vadim, Marc, Joel, Bob, Dan, Marnix, Stan, Tao and Dirk – this wouldn’t be here today without your help!

Certificate MP in VSAE

MP Solution opened in Visual Studio


7 Responses to “PKI Certificate Verification Management Pack Update – 1.2.0.210”

  1. […] here for additional […]

  2. Aengus said

    Thanks for this and all your work!
    Really appreciate this MP!

  3. Magnus_001 said

    Thanks for taking the time to update the MP…great work! I do have a question, the Certificate Revocation List is empty and unmonitored even though the Certificate Stores are discovered. How do I enable monitoring for the CRLs? Thanks!

    • rburri said

      Hi Magnus
      If a store does contain CRL(s) and the CRL discovery is activated, they should show up within a few hours. If not:
      – check if CRLs are indeed saved in the store being monitored and not simply mapped (a hint about that is in the release notes).
      – Enable “debug” override on the CRL discovery and check for the events mentioned in the MP guide
      – Note that the default Windows “VeriSign” CRL will be discovered but not monitored.
      If you’re still having issues, just get in touch with me via email (last page of the MP guide).
      Raphael

  4. Tommy said

    Thank you for this MP.
    However, I am having an issue with the Trusted Root Certificates: for some reason it discovered a lot of certificates from the store named “Trusted Root Certification Authorities” which results in MANY alerts. Yes, I imported the sample overrides that came with the MP. I opened the group that came with the override MP but I’m missing a lot of MS certs in there.
    Any idea?
    Thanks!

    • rburri said

      Hi Tommy
      Are you sure you need to monitor certificates in the “Trusted Root Certification Authorities” store? If not, please check what override is configured for the discovery of the store: “Discovery of local computer’s Trusted Root CA certificate store (registry)”. By default it is disabled but since you’ve got certificates found in there you must have overridden it.
      In order to completely undiscover all certificates from those stores proceed as follows:
      1. delete any override enabling above mentioned discovery.
      2. create a NEW override for discovery mentioned above and set “Enabled” to “false”
      3. open SCOM shell and run “Remove-SCOMDisabledClassInstance”
      4. check if the Trusted Root CA stores have gone from SCOM
      5. delete the “disable” override you created in step 2.

      The “QuickStart” override pack included in the download does only enable discovery of the personal computer stores (My). It should not activate the discovery of any other stores.

      Raphael
