PKI Certificate Verification Management Pack

PKI certificates are used to provide SSL encryption for web sites, to secure cross-server traffic (for example to join security gateways or agents in untrusted domains to OpsMgr), to guarantee the identity of the sender of a message, and so on. What all certificates have in common is that they tend to be forgotten once they have been requested and installed, right up until a certificate that was vital to a service becomes invalid. Mostly because it has expired.

To avoid service interruptions or embarrassment due to SSL warning messages displayed to users, the PKI Certificate Verification Management Pack was born. It discovers certificates and certificate revocation lists stored locally on computers and alerts you when:

  – a certificate is about to expire (by default the alert is raised 21 days in advance)
  – a certificate has expired
  – a certificate has become invalid for a different reason
  – a CRL has not been updated in a timely manner
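
The same conditions, as an added PowerShell example that is not part of the MP or its discovery script: it walks the local machine stores you name, builds each certificate's chain with online revocation checking, and classifies the result using the MP's default 21-day warning window. The CRL condition is covered only indirectly: a CRL that cannot be fetched or that has passed its NextUpdate shows up as RevocationStatusUnknown or OfflineRevocation in the chain status, which the script reports alongside the state. The store list and the threshold are parameters; 'My' and 21 days are assumptions that mirror the MP defaults.

```powershell
# Added example, not the MP's own discovery script. Reproduces the MP's alert
# conditions locally: expiring soon (default 21 days), expired, and invalid for
# another reason (untrusted root, revoked, bad signature). Stale or unreachable
# CRLs surface as RevocationStatusUnknown / OfflineRevocation in ChainStatus.
# Assumption: run elevated so the LocalMachine stores are readable.

param(
    [int]$WarnDays = 21,           # MP default: warn 21 days before expiry
    [string[]]$Stores = @('My')    # internal store key names ('My', 'CA', 'Root', ...)
)

function Test-CertificateState {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays
    )
    $now = Get-Date

    # Build the chain with revocation checking so that problems other than
    # expiry (untrusted root, revoked, CRL not retrievable) are detected too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chainOk = $chain.Build($Cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $now).TotalDays)

    # Order matters: an expired certificate also fails the chain build with
    # NotTimeValid, so test expiry first to keep the alert categories apart.
    if ($now -gt $Cert.NotAfter)     { $state = 'Expired' }
    elseif (-not $chainOk)           { $state = 'Invalid' }
    elseif ($daysLeft -le $WarnDays) { $state = 'ExpiringSoon' }
    else                             { $state = 'Valid' }

    [pscustomobject]@{
        Store       = ($Cert.PSParentPath -split '\\')[-1]   # internal key name, e.g. 'My'
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        NotAfter    = $Cert.NotAfter
        DaysLeft    = $daysLeft
        State       = $state
        ChainStatus = ($status -join ', ')
    }
}

$results = foreach ($store in $Stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        ForEach-Object { Test-CertificateState -Cert $_ -WarnDays $WarnDays }
}

# Everything that would raise an alert in the MP, most urgent first.
$results | Where-Object { $_.State -ne 'Valid' } | Sort-Object DaysLeft | Format-Table -AutoSize
```

Run it with `-Stores My,CA,Root` to approximate enabling discovery of the other stores; the ChainStatus column is what tells an expired leaf apart from one whose issuer is simply not trusted on this machine.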

The MP also includes a series of inventory reports, which help you keep track of all the certificates in your environment. You will find more details in the comprehensive MP guide.


Certificate Verification Screen Shot

The MP and the guide are available for download at the site:

Download from MP Catalog

I wrote the MP in close collaboration with Pete Zerger and Jaime Correia of the SCC community. Without their help and the support of everyone testing the MP, it wouldn’t be here today.

MP Creation Zen

And there's more! For everyone interested in learning how to author MPs: have a look at the six-part series MP Creation Zen. The articles walk you through the process of writing an MP, carefully explaining everything you need to know. Wherever possible, the authoring examples use the new and much improved OpsMgr 2007 R2 Authoring Console and show how the PKI Certificate Verification MP itself was written. I recommend the documents to everyone planning to write a Management Pack themselves without being an application developer.


18 thoughts on “PKI Certificate Verification Management Pack”

  1. I am not sure if this is a glitch, but if you look in any of the State views for the discovered Certificates, you will find that the Path value for the certificate contains the word “My” after the computer name. Example: “;My”. But if I look at the Path Name attribute value for the same certificate object it contains something like: \Personal Computer Certificate Store\Certificate

    Is it possible that “My” is part of the registry path? … I didn’t really look through the discovery script.

    This is a very minor issue and does not affect functionality …

    • Pavel
      “My” is the internal (registry) key name of the personal certificate store that hosts your certificate. I’ve chosen this as the primary key of the certificate store objects (you’d see CA, Root etc. too if you chose to discover other stores as well). If you attempt to use the CertUtil command, you’ll need to use exactly these strings to select a given certificate store as a target.

      “Personal Computer Certificate Store” on the other hand is the Display Name property of the same object.

      What is a bit confusing is that OpsMgr displays the path in two different ways: in the state view it is composed of the primary key attribute values, whereas the path name attribute is composed from the display names of the path objects.


  2. Pingback: Active Directory Certificate Services MP - Cleber Marques at

  3. Hi Raphael,
    I am using the MP and am very happy about it; this is something Microsoft should have created a long time ago, but until then I will use this. One thing I hope you have heard of, so it’s not just me: I am using today, and when came out I imported that, but one not so fun thing happened: all of our Agents stopped receiving the Config Data. I created a call with MS Premier Support and they found that it was the PKI Certificate MP that caused it; I removed it and it started working again. Now I have installed the 270 version of the MP and it works. But I have an issue with it: the Valid From and Valid To are incorrect on almost half of our certificates that are located under the “Certificates – Valid” State View.
    These certificates have the same Valid From and Valid To, and that is the information from the RootCA certificate under Trusted.

    I don’t dare to update this MP again if I don’t know that you have found the issue that caused all of my agents to stop receiving new config.

    Can I fix the attribute of Valid To/From myself?


    • Hi Makee
      Sorry to hear you had to go through so much trouble with the latest version of the MP. I am using the MP at several sites myself and have not experienced similar issues.
      However, there might indeed be situations where the agents begin to lock up after an upgrade. The reason is internal changes to the MP which actually break the upgrade compatibility of any override MPs referencing the PKI Certificate MP. As they are not sealed, OpsMgr will fail to check them for upgrade compatibility and might subsequently refuse to load any other MPs. I have a note about that in the release notes.

      Do you think you could test in a non-productive environment whether the situation goes away when you remove 270 before importing 288?

      If your agents still stop receiving updates then there must be something wrong in the MP and I’ll definitely attempt to fix it as quickly as possible.


  4. 1. Can’t we upgrade the PKI Cert MP’s latest version from as it’s an unsealed MP, OR due to its change below?

    Broke upgrade path to avoid potential agent stale issues when upgrading from V or earlier.

    2. Also I see a few more agents that have not discovered their personal cert store in the inventory node. Error from a Win2K server where I copied certutil.exe:

    SystemCenterCentral.Utilities.Certificates.LocalScriptProbe.vbs : Discovery: The certificate verification script did not get a valid result back from CertUtil.exe. The error message was:
    CertUtil: -verifystore command FAILED: 0x800b0101 (-2146762495)

    • Hi Ramesh
      1: This is expected. You’ll have to remove the previous version before being able to import the latest one. I have attempted to explain why I took the difficult decision to do that in the post.
      2: Does the certutil command you copied to your W2K servers run correctly when you use it manually? CD into the installation directory, then run ‘certutil -verifystore -v MY’. Be sure to use the binaries from a Windows 2003 SP2 server (or image) and do not replace the W2K ones in the Windows installation directory. The procedure is explained in the release notes.

      If you need additional help please send me an email at “raburri ( at ) bluewin (dot) ch”
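
The manual check from the reply above, as an added PowerShell example that is not the MP's script: it runs certutil -verifystore against a store, captures the exit code, and maps the CryptoAPI result code in a FAILED line to its symbolic name so a script can distinguish "the store was verified and one certificate is bad" from "certutil could not run at all". The result codes in the table are the standard CryptoAPI values (0x800B0101 is CERT_E_EXPIRED, the code quoted in the comment above). The -CertUtilPath parameter is an assumption, there so the copied Windows 2003 SP2 binary can be pointed at directly, as the reply advises, instead of the one found via PATH; the 'Cert Hash(sha1):' line count assumes certutil's English output format.

```powershell
# Added example, not part of the MP. Runs 'certutil -verifystore -v <store>'
# the way the reply suggests and turns the result into an object a script can
# act on. -CertUtilPath is an assumption: point it at the copied Windows 2003
# SP2 binary when you do not want the one found via PATH.

function Invoke-CertUtilVerifyStore {
    param(
        [string]$Store = 'MY',                   # internal store key name: MY, CA, Root, ...
        [string]$CertUtilPath = 'certutil.exe'   # assumption: override with the full path of the copied binary
    )

    # Standard CryptoAPI result codes certutil reports in its FAILED line.
    $known = @{
        '0x800b0101' = 'CERT_E_EXPIRED'              # certificate (or chain member) outside its validity period
        '0x800b0109' = 'CERT_E_UNTRUSTEDROOT'        # chain ends in a root that is not trusted
        '0x800b010a' = 'CERT_E_CHAINING'             # issuer certificate could not be found
        '0x80092010' = 'CRYPT_E_REVOKED'             # certificate is on a CRL
        '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK' # no revocation information available
        '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE'  # CRL could not be retrieved
    }

    # Merge stderr into stdout: the FAILED line goes to stdout, but a missing
    # binary or an access error comes back on stderr.
    $lines = & $CertUtilPath -verifystore -v $Store 2>&1 | ForEach-Object { "$_" }
    $exit  = $LASTEXITCODE
    $text  = $lines -join "`n"

    $failed = [regex]::Match($text, 'FAILED:\s*(0x[0-9a-fA-F]{8})')
    $code   = if ($failed.Success) { $failed.Groups[1].Value.ToLower() } else { $null }
    $name   = $null
    if ($code) { $name = if ($known.ContainsKey($code)) { $known[$code] } else { 'unknown' } }

    # certutil prints one 'Cert Hash(sha1):' line per certificate it examined
    # (English output assumed), so the count doubles as a sanity check that the
    # store was enumerated at all and not, say, that the binary failed to start.
    $certCount = @($lines | Where-Object { $_ -match '^\s*Cert Hash\(sha1\):' }).Count

    [pscustomobject]@{
        Store        = $Store
        ExitCode     = $exit
        Succeeded    = ($exit -eq 0 -and -not $failed.Success)
        ResultCode   = $code
        ResultName   = $name
        Certificates = $certCount
        Output       = $text
    }
}

$r = Invoke-CertUtilVerifyStore -Store 'MY'
$r | Select-Object Store, ExitCode, Succeeded, ResultCode, ResultName, Certificates | Format-List
```

A non-zero exit code with zero certificates counted points at the binary or the store name; a FAILED line with a counted certificate list means certutil ran fine and one of the certificates it examined is the problem, which is the case the comment above shows.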

  5. Pingback: The Catalog! | The Unofficial System Center Catalog

  6. Pingback: Cameron Fuller

  7. Is it possible to filter on the certificate template? We have a number of computer certificates which renew automatically and I don’t want to monitor these. I would only like to monitor web server certificates and some other template types. I’m monitoring the local machine store “My”, but don’t see the certificate template being captured in the discovery. I’m looking for a way to filter out certificate templates which are installed in the local machine store which I am not concerned about.

    • Hi Simon
      Unfortunately this is not possible even with the latest update to the MP. The template is not being picked up by the script.

  8. I am just getting this MP up in our environment. I am seeing a lot of Alerts about certificates that expired a long time back. Is there any way to set an override to only look for Certs that were issued after say January 1 2010?

    • Hi Kevin
      Unfortunately such a filter is not part of the current MP design (this includes the latest updates).

  9. HI all

    First I want to say thanks for this MP,
    I have some problems discovering the CRLs in different CA stores.
    I’m using SCOM 2012 R2 and the discovery runs on Windows Server 2008 R2.

    Does anyone have the same issue? Or have any idea?


  10. Hi rburri,
    Hope you’re still checking this. Firstly, thanks for your work; I was happy to find it as I was faced with building a PKI MP myself. I’m testing things out and want to monitor root CA certs; we have some cross-domain certs in use and the root certs are manually imported and need to be monitored. When I enable discovery of the Trusted Root CA store, I get around 5 certificates listed, for Microsoft and Thawte Timestamping, but nothing else. There are 50+ certificates in the Trusted Root CA store; why are they not being discovered? And specifically my domain root CAs? Thanks!
