Question

Notification of an upcoming Internal SSL Certificate expiry in 2003 CA

Asked by: Stoner79

Hello!

Is there a tool, or script that can check if an Internal IIS SSL Certificate is due to expire (1 month's notice will be fine) and to generate an alert/email to a desired receipient?

At present we have a number of certificates logged in a spreadsheet but I'd like to remove the manual checks required for when they expire.

The CA is hosted on 2003 Standard on the DC.

Cheers

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-06-02 at 08:27:36ID24456923
Topic

Windows 2003 Server

Participating Experts
2
Points
250
Comments
9

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. ssl certificates
    I am creating a e commerce web site . I got an email from merchant services and they gave me the prerequisites. A webserver awith an SSL certificate Do I have to buy an SSL certificate or can I make my own. If so how.
  2. SSL Certificates
    What are the differences between SSL Certificates? Some cost like $14.99, some cost like $99. what's the diff?
  3. SSL Certificates
    Where can i get the SSL certificates for my website. Who is the best in providing the SSL Certificates. What are SSL Certificates and how it can be integarted. Early responses are appreciated.

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: Raj-GTPosted on 2009-06-02 at 08:58:48ID: 24528267

I am not aware of any Windows Utilities, but if you have a Linux machine in the network you can use this link to create your orn SSL Checker - http://prefetch.net/articles/checkcertificate.html

If you want a more hands-off approach , you can use the online SSL Checker at http://www.sslshopper.com/ssl-checker.html - to check your certs and send you a reminder when they are about to expire.

Hope this helps.

 

by: ParanormasticPosted on 2009-06-02 at 09:20:59ID: 24528524

 

by: ParanormasticPosted on 2009-06-02 at 09:31:26ID: 24528648

A couple other methods I would recommend:
1) Outlook calendar notifications - when you install a cert, determine the expiration date and set a reminder accordingly.  Include servername, serial number of the cert, and any specific notes as applicable for a reminder.

2) Open the CA MMC and filter by expiration date for the upcoming month.  You can then export those to .csv file to use in excel.  You can also filter by template if you have a lot of autoenrollment stuff - to determine the template OID to search for (searching for the name usually doesn't work so well except in a few default templates) - open Certificate Templates MMC - open properties of the template - Extensions tab - select Certificate Template Information, then in the box below look for the big number after Object Identifier - you can highlight and ctl+c to copy (can't right click) and then paste that whole number for the certificate template name in the CA MMC - Issued Certificates filter.  Note that a few of the default tmepaltes won't have a number but an actual name, such as Basic EFS is "EFS".

Also note that for most autoenrollments they should go through pretty smooth, but DC certs will need to have the DC reboot after to start using it.  By default this will renew 6 weeks ahead of time for an annual cert - if your DC doesn't get rebooted at least monthly you might want to add Domain Controllers (if issued), Domain Controller Authentication, and Directory Email Replication templates to your filter.  If you reboot monthly anyways don't worry about it (e.g. after monthly patches).

 

by: Stoner79Posted on 2009-06-03 at 01:36:27ID: 24534285

Thanks for the posts so far.

Just a quick update, we do not have a Linux box on the network and the servers are restricted to the Internet so I cannot use the methods by Raj-GT.

The script from Paranormastic looks like what I need so I will try to get this implemented in a test environment this week and move it into our Production environment next week.  The other options are not reliable enough for my liking due to a higher risk of human error.

I'll let you know when I've updated the test and post for any help then :)

 

by: Stoner79Posted on 2009-06-03 at 04:37:05ID: 24535252

I managed to test the script and it doesn't quite do what I had hoped.

It can pull the data from the CA's Certificate, but not the issued Certificates which are the ones I'm needing to manage.

It also cannot obtain the certificate expiry date for the CA and returns an event id of 100 against source CA Operations. Error: Could not determine expiry dates for CRL for CA......

Close but not quite there.  I am going to have a look at the CAPICOM scripts as well to see if there is anything there.

 

by: Raj-GTPosted on 2009-06-03 at 05:46:56ID: 24535791

 

by: ParanormasticPosted on 2009-06-03 at 12:13:48ID: 24540093

were you running the script on the CA or on a server (or both)? the script should check what certs are in the local store - if you run on the CA then it will only check the CA's store, not the CA database.  this would be a script to run on all your servers that you use certs on.

Another possibility, albeit a bit more spendy, is to get a Certificate Management System (CMS).  There aren't too many out there - most are rebranded products from a couple core companies.  Microsoft ILM2 is one product you might look at - if you can find older versions of CLM that was the piece that did it, but is now part of ILM2.  Last I know ILM2 wasn't released yet but I think it was supposed to be out soon, I just haven't checked in a few months.  The beta was pretty solid though.  I think it was supposed to be about 15k though, so depending if you feel that is worth it or not...  Like I said, there aren't really any inexpensive ones that I know of... the development level is just way to high and takes years to develop.  But, they are very cool.

 

by: ParanormasticPosted on 2009-06-03 at 12:20:20ID: 24540159

The script I offered would be similar to the product that Raj-GT suggested - only that has a GUI.  Looks okay for the price since it would come with other monitors too.  Again this would be distributed solution across all the cert using servers.

The CMS is a centralized server based solution - typically you request the cert (and smartcard if you use them) through the CMS using a workflow, then it tracks it for you and issues notifications, handles renewals, revocations, etc. in a nice pretty gui.

 

by: Stoner79Posted on 2009-06-04 at 01:56:39ID: 24544747

Thanks again for the input, yes I was running the script on the CA Server but agreed I can only see the CA Store not the CA Database which is what I had hoped for.

I think I will have to look at running the script on each IIS server and take it from there.

Thanks for the suggestions.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...