PKI Certificate Verification Management Pack Update –

Many years have passed since I first published the certificate MP back in summer 2009. Almost 5 years(!) later this management pack still fills a gap by keeping an eye on PKI certificates installed locally in servers’ certificate stores. Certainly about time for an update.

Today I am able to release a major update – a complete re-write rather – of the PKI Certificate Verification MP. It is hosted over at in the MP Catalog.

MP change history
  • SCOM 2012 / 2012 R2 support only (the legacy MP is still available for use on SCOM 2007).
  • main monitoring script now uses PowerShell instead of VBScript, making it compatible with any system locale and easier to maintain.
  • new, advanced certificate verification flag overrides
  • dashboard view

Some extra words on the effort

The main aim with this update is to make the MP’s code easier to maintain. Hence I first recreated the entire MP as a Visual Studio project with the Authoring Extensions. This involves taking apart the MP’s elements and adding each one as a separate item to a VS project structure. Next I started writing a new discovery and monitoring script based on PowerShell. This script does most of the work by essentially enumerating certificates and certificate revocation lists in local certificate stores. Due to limitations in PowerShell regarding CRLs and alternate certificate stores, this script got rather complex. No chance of getting away with something as easy and straightforward as ‘ls cert:\LocalMachine’. With the first CRLs getting discovered, tests, more tests, some extra testing plus updating the documentation were left.
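
As an added illustration of the store enumeration described above (this is not the management pack's script), the following walks one local machine store through the .NET X509Store class and validates each certificate with X509Chain under configurable verification flags. The function name, the 21-day warning window and the parameter defaults are assumptions made for this example; CRLs saved in a store are not covered, because X509Store only exposes certificates.

```powershell
# Added example, not the MP's own code. Names and defaults are assumptions.
function Get-StoreCertificateStatus {
    [CmdletBinding()]
    param(
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine',
        # 'Online' needs network access to CRL/OCSP endpoints; use 'NoCheck' on isolated hosts.
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online',
        # e.g. 'IgnoreNotTimeValid, AllowUnknownCertificateAuthority' to relax specific checks.
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]$VerificationFlags = 'NoFlag',
        [int]$WarningDays = 21   # assumed threshold, not taken from the MP
    )

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    # Read-only, and fail instead of silently creating a store that does not exist.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly')
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode    = $RevocationMode
            $chain.ChainPolicy.RevocationFlag    = 'ExcludeRoot'
            $chain.ChainPolicy.VerificationFlags = $VerificationFlags
            $valid = $chain.Build($cert)

            [pscustomobject]@{
                Subject     = $cert.Subject
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                DaysLeft    = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
                ExpiresSoon = ($cert.NotAfter -lt $now.AddDays($WarningDays))
                ChainValid  = $valid
                # Empty when the chain built cleanly; otherwise e.g. NotTimeValid, Revoked, UntrustedRoot.
                ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            }
            $chain.Reset()
        }
    }
    finally {
        $store.Close()
    }
}

# Certificates closest to expiry first.
Get-StoreCertificateStatus -StoreName My |
    Sort-Object DaysLeft |
    Format-Table Subject, DaysLeft, ExpiresSoon, ChainValid, ChainStatus -AutoSize
```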

While I did not clock the hours, the update kept me busy in much of my spare and commuting time during the last 4 months. And I must mention everybody helping with code samples, advice, by testing and reviewing. Pete, Vadim, Marc, Joel, Bob, Dan, Marnix, Stan, Tao and Dirk – this wouldn’t be here today without your help!

Certificate MP in VSAE

MP Solution opened in Visual Studio


9 thoughts on “PKI Certificate Verification Management Pack Update –

  1. Pingback: OpsMan » SCOM: Updated MP PKI Certificate Verification

  2. Thanks for taking the time to update the MP…great work! I do have a question, the Certificate Revocation List is empty and unmonitored even though the Certificate Stores are discovered. How do I enable monitoring for the CRLs? Thanks!

    • Hi Magnus
      If a store does contain CRL(s) and the CRL discovery is activated, they should show up within a few hours. If not:
      – check if CRLs are indeed saved in the store being monitored and not simply mapped (a hint about that is in the release notes).
      – Enable “debug” override on the CRL discovery and check for the events mentioned in the MP guide
      – Note that the default Windows “VeriSign” CRL will be discovered but not monitored.
      If you’re still having issues, just get in touch with me via email (last page of the MP guide).

  3. Thank you for this MP.
    However, I am having an issue with the Trusted Root Certificates: for some reason it discovered a lot of certificates from the store named “Trusted Root Certification Authorities” which results in MANY alerts. Yes, I imported the sample overrides that came with the MP. I opened the group that came with the override MP but I’m missing a lot of MS certs in there.
    Any idea?

    • Hi Tommy
      Are you sure you need to monitor certificates in the “Trusted Root Certification Authorities” store? If not, please check what override is configured for the discovery of the store: “Discovery of local computer’s Trusted Root CA certificate store (registry)”. By default it is disabled but since you’ve got certificates found in there you must have overridden it.
      In order to completely undiscover all certificates from those stores proceed as follows:
      1. delete any override enabling above mentioned discovery.
      2. create a NEW override for discovery mentioned above and set “Enabled” to “false”
      3. open SCOM shell and run “Remove-SCOMDisabledClassInstance”
      4. check if the Trusted Root CA stores have gone from SCOM
      5. delete the “disable” override you created in step 2.

      The “QuickStart” override pack included in the download does only enable discovery of the personal computer stores (My). It should not activate the discovery of any other stores.


  4. Really great management pack but I’m having an issue with it.

    Our maintenance window is late at night. During scheduled security patching many of the servers are patched via SCCM, unattended. The servers are placed in maintenance mode before patching and after reboot the maintenance mode ends and any system with an existing certificate alert will recreate an alert instead of updating the existing one.
    The existing alerts are linked to incidents and we get duplicate incidents because of this.

    Is it possible to update the existing alert instead of closing the existing alert and creating a new alert?

    • Ron,
      The MP uses monitors. SCOM will always reset their health state during maintenance mode. Hence the previous alert is closed and a new one created, once MM ends.
      Rules do work as you described. At least if AlertSuppression is configured.
