
Expiring certificates on all domain joined servers

Eddie Muhic
How to identify and track all Certificates on domain servers? What are best practices? Are there third party tools out there?

- I have CA Authority Server on my network domain.

- I consolidated my public Certificates with GoDaddy.

There are some PowerShell scripts which list all expiring certificates on domain joined servers, for example:

# Target all enabled Windows Server computer objects in AD (cluster virtual names and disabled accounts excluded)
Invoke-Command -ComputerName (Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Windows Server*)(!serviceprincipalname=*MSClusterVirtualServer*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Properties Name | Sort-Object Name).Name -ScriptBlock {
    # Unexpired certs in the machine Personal store that expire within 90 days
    Get-ChildItem Cert:\LocalMachine\My -Recurse | Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object Subject, FriendlyName, Thumbprint, @{ Name = "Expires in (Days)"; Expression = { ($_.NotAfter).Subtract([DateTime]::Now).Days } } | Where-Object "Expires in (Days)" -lt 90
}


But I wonder if there is something better out there? How to go about reminders? It would be nice to have some tool.

Please let me know what you think and recommend.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tracking certs generated by Registrars is very difficult.

You'll require the Registrar have an API (that actually works consistently), then write related code to interact with the API.

Or... far more simple... use https://LetsEncrypt.org generated certs, which you generate once using the certbot-auto client, then run certbot-auto renew each night at midnight to renew all your certs automagically.

The certbot-auto client also has a hook to run commands anytime a cert renews, so you can automagically ingest any changed certs into Web servers, Mail servers, anywhere a cert is used.

Note: If you have many certs... and you require hands free... forever... auto-renewals... LetsEncrypt provides a good choice.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
https://www.experts-exchange.com/questions/29164536/SSL-Solution-for-Multi-Domain-Multi-Host.html provides an example generating a script + running auto renewals which restart Apache anytime a cert renews.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Nagios modules have a certificate checker that can test the certificate exposed on SSL-based links like https:, pops, imaps, ... or even TLS.

https://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_certificate/details
Thank you all for your help.

This is the PowerShell script I am using to scan all Windows Servers for Certificates:


# Target all enabled Windows Server computer objects in AD (cluster virtual names and disabled accounts excluded)
Invoke-Command -ComputerName (Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Windows Server*)(!serviceprincipalname=*MSClusterVirtualServer*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Properties Name | Sort-Object Name).Name -ScriptBlock {
    # Unexpired certs in the machine Personal store that expire within 90 days
    Get-ChildItem Cert:\LocalMachine\My -Recurse | Where-Object { $_.NotAfter -gt (Get-Date) } |
        Select-Object Subject, FriendlyName, Thumbprint, @{ Name = "Expires in (Days)"; Expression = { ($_.NotAfter).Subtract([DateTime]::Now).Days } } | Where-Object "Expires in (Days)" -lt 90
}


Kudos to: http://www.isolation.se/list-all-expiring-certificates-on-all-domain-joined-servers/
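Building on the script quoted in the question and again above, the following is an added example (not from the thread or the linked blog) that goes a step further: it keeps the same AD scope, records the host name and issuer for each cert, includes certificates that have already expired (negative days), writes a CSV and sends the reminder e-mail the question asks about, and reports servers that could not be reached, since a cert you cannot inventory can still expire. The SMTP host, mailbox addresses and report path are placeholders; the ActiveDirectory module and WinRM access to each server are assumed.

```powershell
# Added example: inventory machine-store certificates on domain-joined Windows Servers and send one reminder.
# Placeholders (assumptions): the SMTP host, the two mailbox addresses, the report path and the 90-day threshold.
param(
    [int]$WarnDays = 90,
    [string]$SmtpServer = 'smtp.example.internal',
    [string]$From = 'certwatch@example.internal',
    [string]$To = 'pki-team@example.internal',
    [string]$ReportPath = "$env:TEMP\expiring-certs.csv"
)

# Same AD scope as the script in the question: enabled Windows Server objects, no cluster virtual names
$ldap = '(&(objectCategory=computer)(operatingSystem=Windows Server*)(!serviceprincipalname=*MSClusterVirtualServer*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$servers = (Get-ADComputer -LDAPFilter $ldap -Properties Name | Sort-Object Name).Name

# Fan out over WinRM; unreachable hosts are collected in $unreachable instead of aborting the run
$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine\My -Recurse | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer                    # separates internal-CA certs from public (GoDaddy etc.) ones
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = ($_.NotAfter - (Get-Date)).Days   # negative means already expired
        }
    }
}

# Keep only certs inside the warning window (already-expired ones sort first) and write the CSV report
$expiring = $results | Where-Object DaysLeft -lt $WarnDays | Sort-Object DaysLeft
$expiring | Select-Object PSComputerName, Subject, Issuer, Thumbprint, NotAfter, DaysLeft |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Each remoting error record carries the failed computer name as its TargetObject
$missed = $unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique

if ($expiring -or $missed) {
    $body = "Certificates expiring within $WarnDays days: $(@($expiring).Count)`n" +
            ($expiring | Format-Table PSComputerName, Subject, DaysLeft, NotAfter -AutoSize | Out-String)
    if ($missed) { $body += "`nServers not reachable over WinRM: $($missed -join ', ')" }

    $mail = @{
        SmtpServer = $SmtpServer; From = $From; To = $To; Body = $body
        Subject    = "Cert expiry report: $(@($expiring).Count) certs, $(@($missed).Count) unreachable hosts"
    }
    if (Test-Path $ReportPath) { $mail.Attachments = $ReportPath }   # no CSV is written when nothing is expiring
    Send-MailMessage @mail
}
```

Run it from a scheduled task on a management host so the reminder arrives on a fixed cadence rather than only when someone remembers to run the one-liner.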