Event ID for Certificates which are about to expire.

AhmedAliShaik
Team,

Just want to know the event id of the SSL certificates which are about to expire.

So that I can write a powershell script and proactively monitor.

Do we have separate event IDs based on application, like Exchange or ...

Please share your views.
Ciprian Lozonschi, Ops Team Office 365/Messaging
Commented:
I checked on our MOM server with the Exchange Management Pack installed for Exchange 2007 and there are some rules for it.
I created an xls file with 2 sheets:
Sheet1 - rules from MOM from Source: MSExchangeTransport
Sheet2 - export from MOM on a search for the word certificate. You can easily find more details about each event on TechNet with a search for its name.
EventID.xls
Commented:
Would:
dir Cert: -Recurse |
    Where-Object {(-not $_.PSIsContainer) -and ($_.NotAfter - (get-Date)).TotalDays -lt 60}  |
    Select FriendlyName,Subject,NotAfter | Out-GridView

give you the information that you are after?

Author

Commented:
Hi Bchallis,

Could you please elaborate on how to run this command?

Can we get the output of the command so that I can add a mail function to this and send an alert regarding certificate expiry?
Commented:
You could put the code (cut and paste) in a text file called something like GetCerts.ps1 and run the file, or execute it as a single line in the PowerShell console. dir is an alias for the cmdlet Get-ChildItem, so the full line could be:

Get-ChildItem Cert: -Recurse |
    Where-Object {(-not $_.PSIsContainer) -and ($_.NotAfter - (get-Date)).TotalDays -lt 60}  |
    Select FriendlyName,Subject,NotAfter | Out-File certs.txt

If you want to automate this you should put the code in the ps1 file. Add a second line:

send-mailmessage -from "User01 <user01@example.com>" -to "User02 <user02@example.com>" -subject "Certs" -body "Certificates due to expire in the next 60 days." -Attachments "certs.txt"

If you want to run scripts, though, it is important that the execution policy is set correctly. Get-ExecutionPolicy will tell you what the policy is. Anything other than Restricted will allow scripts to be executed on the computer.

Author

Commented:
The script is really excellent and working perfectly.

I have been trying to use other tools to generate the expiry report and was really not aware that the Exchange shell is so powerful that it can retrieve the same.

Last question.
The shell script is retrieving info for only one server.
Is there any way to identify all Exchange 2003 and 2007 servers and display them in CSV format, or can we give input with a list of all the servers and run the report to get the cert expiry details of all servers?

Author

Commented:
Hi Bchallis,

I am getting all the certificates which have already expired, including root, intermediate and local certificates.

Is there any way that I can sort the output to get only the local certificates which are going to expire, or can I run the script with only the "XXXX" friendly name and get the desired output?

Please advise me.
Ciprian Lozonschi, Ops Team Office 365/Messaging

Commented:
Hi, you should use Get-ExchangeCertificate and filter based on your needs. Unfortunately this cmdlet runs only locally.
Commented:
If you want to set a range for the expiry of the certificates you could add
-and ($_.NotAfter - (get-Date)).TotalDays -ge 0}

to the test. To work with multiple machines you can use PowerShell remoting. This needs to be set up. Here is a good reference (http://www.ravichaganti.com//blog/wp-content/uploads/2010/12/A%20layman's%20guide%20to%20PowerShell%202.0%20remoting-v2.pdf). With this set up you can create a collection of server connections and use Invoke-Command to execute the command on multiple servers at once.
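Putting the pieces from the two answers above together (the 60-day window, the lower bound that excludes already-expired certificates, the CSV-plus-mail automation and Invoke-Command over several servers), here is an added example script. It is not the poster's code; the server names, SMTP host and mail addresses are placeholders, and it assumes WinRM remoting is already enabled on the target servers.

```powershell
# Added example, not the poster's script: scan the machine certificate store on
# several servers through PowerShell remoting, keep certificates that expire
# within $Days but are not expired yet, and mail a CSV report if any are found.
# Server names, SMTP host and addresses are placeholders; WinRM remoting must be
# enabled on the targets.
param(
    [string[]]$ComputerName = @('server1', 'server2'),
    [int]$Days = 60,
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From = 'certmon@example.com',
    [string]$To = 'ops@example.com',
    [string]$ReportPath = 'certs.csv'
)

# Runs on each remote server. The window is passed via -ArgumentList because
# $using: does not exist in PowerShell 2.0.
$scan = {
    param([int]$Days)
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object {
            (-not $_.PSIsContainer) -and
            $_.HasPrivateKey -and                       # server certs carry a private key; imported root/intermediate CA certs usually do not
            ($_.NotAfter -gt $now) -and                 # skip certificates that have already expired
            (($_.NotAfter - $now).TotalDays -lt $Days)
        } |
        Select-Object FriendlyName, Subject, Thumbprint, NotAfter,
            @{Name = 'Store'; Expression = { $_.PSParentPath -replace '.*::' }}
}

$expiring = Invoke-Command -ComputerName $ComputerName -ScriptBlock $scan -ArgumentList $Days |
    Sort-Object NotAfter

if ($expiring) {
    # Invoke-Command adds PSComputerName to each returned object
    $expiring | Select-Object PSComputerName, FriendlyName, Subject, Thumbprint, Store, NotAfter |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "Certificates expiring within $Days days: $(@($expiring).Count)" `
        -Body ($expiring | Format-Table PSComputerName, FriendlyName, NotAfter -AutoSize | Out-String) `
        -Attachments $ReportPath
} else {
    Write-Host "No certificates expire within $Days days on $($ComputerName -join ', ')."
}
```

Because the script only mails when something is found, it can be scheduled daily without producing empty alerts.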

Author

Commented:
Hi lciprianionut,

I tried using Get-ExchangeCertificate for getting the local cert details but failed.
Is there any possibility to get the result based on friendly name?

If so, can you share a few examples?

The article provided by bchallis is good. It will take me time to go through, understand and follow it.
I will try it by the weekend. Meanwhile, just out of curiosity, I want to know the Get-ExchangeCertificate command because I am not sure whether I will get approval to make changes in the production environment as per the link.
Ops Team Office 365/Messaging
Commented:
In Exchange 2007, Get-ExchangeCertificate works only locally.
In Exchange 2010, Get-ExchangeCertificate has a Server parameter and you can query more servers.
This cmdlet will not make any changes; it will only provide the current status. For changes you need to use the other *-ExchangeCertificate cmdlets from Exchange.

You can filter certificates based on FriendlyName.
For Exchange 2007 and 2010 (you need to be on the server and run this):
Get-ExchangeCertificate | Where-Object {$_.FriendlyName -eq 'Microsoft Exchange'}


For Exchange 2010 (you can be on the server or on a terminal server with the Exchange 2010 tools installed):
Get-ExchangeCertificate -Server server1 | Where-Object {$_.FriendlyName -eq 'Microsoft Exchange'}
Get-ExchangeServer server* | ForEach-Object {Get-ExchangeCertificate -Server $_.name | Where-Object {$_.FriendlyName -eq 'Microsoft Exchange'}}

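As an added example (not the poster's code) that combines the FriendlyName filter above with the expiry window from the earlier answers: it reports matching Exchange certificates across all servers on Exchange 2010, and falls back to the local server on Exchange 2007 where the cmdlet has no -Server parameter. The server name pattern and output path are placeholders, and it is meant to run in the Exchange Management Shell.

```powershell
# Added example, not from the thread: list Exchange certificates whose
# FriendlyName matches, expiring within $Days but not yet expired, across all
# Exchange 2010 servers matching $ServerFilter. Run in the Exchange Management
# Shell; on Exchange 2007 Get-ExchangeCertificate has no -Server parameter,
# so the script falls back to the local server. Names below are placeholders.
param(
    [string]$FriendlyName = 'Microsoft Exchange',   # wildcards allowed (-like)
    [int]$Days = 60,
    [string]$ServerFilter = 'server*',
    [string]$ReportPath = 'exchange-certs.csv'
)

$now = Get-Date
# Detect the 2010-style -Server parameter without assuming a PowerShell version
$supportsServer = [bool]((Get-Command Get-ExchangeCertificate).ParameterSets |
    ForEach-Object { $_.Parameters } | Where-Object { $_.Name -eq 'Server' })

if ($supportsServer) {
    $servers = Get-ExchangeServer $ServerFilter | ForEach-Object { $_.Name }
} else {
    $servers = @($env:COMPUTERNAME)   # Exchange 2007: local server only
}

$report = $servers | ForEach-Object {
    $server = $_   # keep the server name; $_ is reused for certificates below
    if ($supportsServer) { $certs = Get-ExchangeCertificate -Server $server } else { $certs = Get-ExchangeCertificate }
    $certs |
        Where-Object {
            ($_.FriendlyName -like $FriendlyName) -and
            ($_.NotAfter -gt $now) -and
            (($_.NotAfter - $now).TotalDays -lt $Days)
        } |
        Select-Object @{Name = 'Server'; Expression = { $server }},
            FriendlyName, Subject, Thumbprint, Services, NotAfter,
            @{Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays }}
}

$report | Sort-Object NotAfter | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table Server, FriendlyName, Services, NotAfter, DaysLeft -AutoSize
```

The Services column shows which Exchange services (for example SMTP or IIS) each certificate is bound to, which is what decides how much an expiry will hurt.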

Author

Commented:
Thanks All.
