After having had very helpful feedback by various users, I was able to incorporate some enhancement requests for the PKI Certificate Management Pack.
Version 184.108.40.206 will deal correctly specific certificates that have somewhat unusual ‘Issued to’ and ‘Issued By’ properties. Furthermore it will only monitor CA certificates if they haven’t been superseded. Download from SystemCenterCentral.com. You need to register but registration is free.
Changes in version 220.127.116.11
- Improved discovery of Issued to and Issued by properties: Will use Subject Alternative Name if certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
- Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, that certificate is a Windows CA one.
- Does no longer discover superseded CA certificates. Evaluation is based on the CA Version property. Additional override to change that behavior if required.
- Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
- Expose script timeout as an overridable parameter
- Changed alert priority to ‘Low’.
- Broke upgrade path to avoid potential agent stale issues when upgrading from V 18.104.22.1680 or earlier.
Please study the included release notes and the MP guide carefully, especially when you’re planning to update from a previous version. I did deliberately break upgrade compatibility after some users had reported stale agent conditions during test cycles. You will need to remove any previous version of the MP from your Management Group before importing the latest one.
Geeky background information
The issues after upgrades were caused by moving the overridable timing parameters from the certificate object workflows to the parent certificate store’s properties. This left already discovered certificate objects’ workflows without any timing information until their parents were re-discovered and got their default timing properties added. During my own test all the agents recovered after that and re-enabled the certificate workflows.
Other users had less luck and ended up with a partly stale agent population that could only be corrected by removing the MP from the Management Group. To avoid issues I simply decided to break the upgrade path and force everyone upgrading to remove the previous MP. Breaking was easy by the way. It only took altering the caption of a property on a public class.
I do apologize for having to make go through the process of removing the MP (and it’s override MPs) before being able to upgrade. On the other hand I wouldn’t want anyone to experience stale agent conditions due to that.
Lesson learned: There are indeed rare conditions under which an MP author may write an upgradeable MP that would pass MPVerify and will import without complaints but still causing upgrade issues on the Management Group. Watch out for those! Test, test, test – then test once more.