PKI Certificate Management Pack Update V1.0.1.15

After receiving very helpful feedback from various users, I was able to incorporate several enhancement requests into the PKI Certificate Management Pack.

This version deals correctly with specific certificates that have somewhat unusual ‘Issued to’ and ‘Issued By’ properties. Furthermore, it will only monitor CA certificates if they haven’t been superseded. Download from You need to register, but registration is free.

Changes in version
  • Improved discovery of the ‘Issued to’ and ‘Issued by’ properties: uses the Subject Alternative Name if the certificate doesn’t have a subject, and correctly extracts the subject if CN= isn’t encountered on the first line of the subject string.
  • Additional certificate property: CA Version (based on the extension szOID_CERTSRV_CA_VERSION). If this property holds a value, the certificate is a Windows CA certificate.
  • No longer discovers superseded CA certificates. The evaluation is based on the CA Version property; an additional override changes that behavior if required.
  • Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
  • Exposes the script timeout as an overridable parameter.
  • Changed alert priority to ‘Low’.
  • Broke the upgrade path to avoid potential stale-agent issues when upgrading from V or earlier.
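As an added illustration (not the MP’s own discovery script), the following PowerShell sketches the three behaviours listed above: a CN lookup that does not assume CN= comes first, a fallback to the Subject Alternative Name when the subject is empty, and a superseded check driven by the CA Version extension. It assumes that OID 1.3.6.1.4.1.311.21.1 is szOID_CERTSRV_CA_VERSION and that, for a given CA name, the certificate with the highest CA Version is the current one.

```powershell
# Added example, not the MP's own discovery script. Assumes OID 1.3.6.1.4.1.311.21.1
# is szOID_CERTSRV_CA_VERSION and that the highest CA Version per subject name is current.

function Get-CertSubjectName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Match CN= anywhere in the RDN sequence, not only at the start of the subject string.
    if ($Cert.Subject -match '(?:^|,\s*)CN=(?<cn>[^,]+)') { return $Matches['cn'].Trim() }
    # No usable subject: fall back to the Subject Alternative Name extension (OID 2.5.29.17).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        $first = ($san.Format($false) -split ',\s*')[0]        # e.g. "DNS Name=host.example"
        return ($first -split '=', 2)[-1].Trim()
    }
    return $Cert.Subject                                        # nothing better available
}

function Get-CAVersion {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Only Windows CA certificates carry this extension; its value is a DER INTEGER whose
    # low 16 bits are the certificate index and high 16 bits the key index.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.1' } | Select-Object -First 1
    if (-not $ext) { return $null }
    $raw = $ext.RawData
    if ($raw.Length -lt 3 -or $raw[0] -ne 0x02) { return $null } # not a well-formed INTEGER
    $value = 0
    for ($i = 0; $i -lt $raw[1]; $i++) { $value = ($value -shl 8) -bor $raw[2 + $i] }
    [pscustomobject]@{ CertIndex = $value -band 0xFFFF; KeyIndex = ($value -shr 16) -band 0xFFFF; Raw = $value }
}

# Discover CA certificates in the machine's Root and CA stores and flag superseded ones.
$caCerts = foreach ($c in ('Root', 'CA' | ForEach-Object { Get-ChildItem "Cert:\LocalMachine\$_" })) {
    $v = Get-CAVersion $c
    if ($null -ne $v) {
        [pscustomobject]@{
            Name = Get-CertSubjectName $c; CAVersion = $v.Raw
            NotAfter = $c.NotAfter; Thumbprint = $c.Thumbprint; Superseded = $false
        }
    }
}
foreach ($group in ($caCerts | Group-Object Name)) {
    $newest = ($group.Group | Measure-Object CAVersion -Maximum).Maximum
    # Every certificate below the newest CA Version for this CA name has been superseded
    # and, as in the MP, should neither be discovered nor reported as expired.
    foreach ($c in $group.Group) { $c.Superseded = ($c.CAVersion -lt $newest) }
}
$caCerts | Sort-Object Name, CAVersion | Format-Table Name, CAVersion, Superseded, NotAfter, Thumbprint -AutoSize
```

Run it in an elevated PowerShell session on a host with a SCOM agent to compare its verdicts with what the MP discovers; certificates without the CA Version extension are skipped on purpose, since they are not Windows CA certificates.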

Please study the included release notes and the MP guide carefully, especially if you’re planning to update from a previous version. I deliberately broke upgrade compatibility after some users reported stale agent conditions during test cycles. You will need to remove any previous version of the MP from your Management Group before importing the latest one.

Geeky background information

The issues after upgrades were caused by moving the overridable timing parameters from the certificate object workflows to the parent certificate store’s properties. This left the workflows of already discovered certificate objects without any timing information until their parents were re-discovered and received their default timing properties. During my own tests, all agents recovered after that and re-enabled the certificate workflows.

Other users had less luck and ended up with a partly stale agent population that could only be corrected by removing the MP from the Management Group. To avoid such issues I simply decided to break the upgrade path and force everyone upgrading to remove the previous MP. Breaking it was easy, by the way: it only took altering the caption of a property on a public class.

I do apologize for making you go through the process of removing the MP (and its override MPs) before being able to upgrade. On the other hand, I wouldn’t want anyone to experience stale agent conditions because of it.

Lesson learned: there are indeed rare conditions under which an MP author may write an upgradeable MP that passes MPVerify and imports without complaint, but still causes upgrade issues in the Management Group. Watch out for those! Test, test, test – then test once more.


10 thoughts on “PKI Certificate Management Pack Update V1.0.1.15”

  1. Hi Raphael

    There is a little typo in your Mp in the Alert description.

    The certificatehas expired on 22.02.2011 01:59

    But thanks for your Mp!

    • Hello Sigi
      Thank you for the hint. I have corrected it in the code. The next update should then have the space in it 🙂

  2. Pingback: The Catalog! | The Unofficial System Center Catalog

  3. Pingback: Operations Manager: “Is there a management pack for … ?” | The Unofficial System Center Catalog

  4. Hello,

    We have a root and intermediate CA that are not members of the domain, and my AD guys want SCOM to check if the CDPs are up to date in AD. Does this MP have this capability?

    Thank You,

    • Hi Stephen
      The MP will scan the certificate stores local to a computer out of the box. Hence it will discover certificates (and CRLs) found on a computer where a SCOM agent is installed and check if they are valid or about to expire. This will also work for CAs and/or AD controllers.
      Hence it should actually alert you if the CRLs in a CDP haven’t been updated, granted you have made SCOM discover the certificate store they are located in.

  5. Hi Raphael,

    I’m hoping you can help me out… I have downloaded your latest PKI certificate MP (1.01.20), enabled discoveries, and I am seeing our CAs, certificates (expired, valid) etc… The only thing which doesn’t seem to work is the CRL states. I see nothing in either of the CRL state views, can you advise?

    It is those that we really need to get working, but not sure why I am not seeing anything.

    Appreciated Mate!!

