Many years have passed since I first published the certificate MP back in summer 2009. Almost 5 years(!) later this management pack still fills a gap by keeping an eye on PKI certificates installed locally in servers’ certificate stores. Certainly about time for an update.
Today I am able to release a major update – a complete re-write rather – of the PKI Certificate Verification MP. It is hosted over at SystemCenterCentral.com in the MP Catalog.
MP change history
- SCOM 2012 / 2012 R2 support only (the legacy MP 1.0.1.20 is still available for use on SCOM 2007).
- main monitoring script now uses PowerShell instead of VB Script, making it compatible with any system locale and easier to maintain.
- new, advanced certificate verification flag overrides
- dashboard view
Some extra words on the effort
The main aim with this update is to make the MP’s code easier to maintain. Hence I first recreated the entire MP as a Visual Studio project with the Authoring Extensions. This involves taking apart the MP’s elements, adding each one as a separate item to a VS project structure. Next I started writing a new discovery and monitoring script based on PowerShell. This script does most of the work by essentially enumerating certificates and certificate revocation lists in local certificate stores. Due to limitations in PowerShell regarding CRLs and alternate certificate stores, this script got rather complex. No chance of getting away with something easy and straight forward as ‘ls cert:\LocalMachine’. With the first CRLs getting discovered, tests, more tests, some extra testing plus updating the documentation were left.
While I did not clock the hours, the update kept me busy in much of my spare and commuting time during the last 4 months. And I must mention everybody helping with code samples, advise, by testing and reviewing. Pete, Vadim, Marc, Joel, Bob, Dan, Marnix, Stan, Tao and Dirk – this wouldn’t be here today without your help!
MP Solution opened in Visual Studio
Raphael Burri's blog 
Pingback: OpsMan » SCOM: Updated MP PKI Certificate Verification 1.2.0.210
Thanks for this and all your work!
Really appreciate this MP!
Thanks for taking the time to update the MP…great work! I do have a question, the Certificate Revocation List is empty and unmonitored even though the Certificate Stores are discovered. How do I enable monitoring for the CRLs? Thanks!
Hi Magnus
If a store does contain CRL(s) and the CRL discovery is activated, they should show up within a few hours. If not:
– check if CRLs are indeed saved in the store being monitored and not simply mapped (a hint about that is in the release notes).
– Enable “debug” override on the CRL discovery and check for the events mentioned in the MP guide
– Note that the default Windows “Versign” CRL will be discovered but not monitored.
If you’re still having issues, just get in touch with me via email (last page of the MP guide).
Raphael
Thank you for this MP.
However, i am having an issue with the Trusted Root Certificates: for some reason it discovered a lot of certificates from the store named “Trusted Root Certification Authorities” which results in MANY alerts. Yes, i imported the sample overrides that came with the MP. I opened the group that came with the override MP but i’m missing a lot of MS certs in there.
Any idea?
Thanks!
Hi Tommy
Are you sure you need to monitor certificates in the “Trusted Root Certification Authorities” store? If not, please check what override is configured for the discovery of the store: “Discovery of local computer’s Trusted Root CA certificate store (registry)”. By default it is disabled but since you’ve got certificates found in there you must have overridden it.
In order to completely undiscover all certificates from those stores proceed as follows:
1. delete any override enabling above mentioned discovery.
2. create a NEW override for discovery mentioned above and set “Enabled” to “false”
3. open SCOM shell and run “Remove-SCOMDisabledClassInstance”
4. check if the Trusted Root CA stores have gone from SCOM
5. delete the “disable” override you created in step 2.
The “QuickStart” override pack included in the download does only enable discovery of the personal computer stores (My). It should not activate the discovery of any other stores.
Raphael
Thanks, it has been solved.
Really great management pack but I’m having an issue with it.
Our maintenance window is late at night. During scheduled security patching many of the servers are patched via SCCM, unattended. The servers are placed in maintenance mode before patching and after reboot the maintenance mode ends and any system with an existing certificate alert will recreate an alert instead of updating the existing one.
The existing alerts are linked to incidents and we get duplicate incidents because of this.
Is it possible to update the existing alert instead of closing the existing alert and creating a new alert.
Ron,
The MP uses monitors. SCOM will always reset their health state during maintenance mode. Hence the previous alert is closed and a new one created, once MM ends.
Rules do work as you described. At least if AlertSuppression is configured.