Asked by Eddie Muhic
Expiring certificates on all domain joined servers
How to identify and track all certificates on domain servers? What are best practices? Are there third-party tools out there?
- I have a CA authority server on my network domain.
- I consolidated my public Certificates with GoDaddy.
There are some PowerShell scripts which list all expiring certificates on domain-joined servers, for example:
# Enumerate enabled Windows Server computer accounts (cluster virtual names excluded) and query each machine's personal store remotely
Invoke-Command -ComputerName (Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Windows Server*)(!(servicePrincipalName=*MSClusterVirtualServer*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Property Name | Sort-Object Name).Name -ScriptBlock {
    # Keep certificates that are still valid, compute days until NotAfter, and report those expiring within 90 days
    Get-ChildItem Cert:\LocalMachine\My -Recurse | Where-Object { $_.NotAfter -gt (Get-Date) } | Select-Object Subject, FriendlyName, Thumbprint, @{Name = "Expires in (Days)"; Expression = { ($_.NotAfter).Subtract([DateTime]::Now).Days }} | Where-Object "Expires in (Days)" -lt 90
}
But I wonder if there is something better out there? How to go about reminders? It would be nice to have some tool.
Please let me know what you think and recommend.
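The inventory-plus-reminder pattern the question asks about, as an added example (not code from the question or any answer on this page): a function that pulls the machine store from every enabled Windows Server account, reports what expires within a threshold, and hands the result to a CSV file and a mail reminder. It assumes WinRM is enabled on the targets, the caller is a local administrator there, the ActiveDirectory module is installed, and the SMTP server and addresses are placeholders.

```powershell
# Added example, not part of the original question or answers.
# Assumptions: WinRM reachable, caller is admin on targets, ActiveDirectory module present.
function Get-ExpiringServerCert {
    [CmdletBinding()]
    param(
        [int]$DaysWarning = 90,
        # Enabled Windows Server computer accounts; userAccountControl bit 2 = disabled
        [string[]]$ComputerName = (Get-ADComputer -LDAPFilter '(&(objectCategory=computer)(operatingSystem=Windows Server*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))').Name,
        [switch]$IncludeExpired
    )
    $cutoff = (Get-Date).AddDays($DaysWarning)
    # -ErrorAction Continue so one unreachable host does not abort the whole sweep
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ArgumentList $cutoff, $IncludeExpired.IsPresent -ScriptBlock {
        param([datetime]$cutoff, [bool]$includeExpired)
        Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.NotAfter -le $cutoff -and ($includeExpired -or $_.NotAfter -gt (Get-Date))
        } | ForEach-Object {
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Subject       = $_.Subject
                Issuer        = $_.Issuer        # tells internal CA certs apart from public ones
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                HasPrivateKey = $_.HasPrivateKey # a leaf without a key is usually just a cached cert
            }
        }
    }
}

# Daily run: write the report and mail it only when something needs attention.
$report = Get-ExpiringServerCert -DaysWarning 60 | Sort-Object DaysLeft
$report | Export-Csv -Path (Join-Path $env:TEMP 'expiring-certs.csv') -NoTypeInformation
if ($report) {
    $body = $report | Format-Table Computer, Subject, DaysLeft, Thumbprint -AutoSize | Out-String
    # Placeholder SMTP values; replace with your relay and distribution list
    Send-MailMessage -SmtpServer 'smtp.example.invalid' -From 'certwatch@example.invalid' `
        -To 'ops@example.invalid' -Subject "$(@($report).Count) server certificate(s) expiring within 60 days" -Body $body
}
```

Register the script as a daily scheduled task under a service account and the mail becomes the reminder; pass -IncludeExpired when you also want already-lapsed certificates that were never cleaned up.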
https://www.experts-exchange.com/questions/29164536/SSL-Solution-for-Multi-Domain-Multi-Host.html provides an example generating a script + running auto renewals which restart Apache anytime a cert renews.
Nagios modules have a certificate checker that can test the certificate exposed on SSL based links like https:, pops, imaps, ... or even TLS.
https://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_certificate/details
You'll require the Registrar have an API (that actually works consistently), then write related code to interact with the API.
Or... far more simple... use https://LetsEncrypt.org generated certs, which you generate once using the certbot-auto client, then run certbot-auto renew each night at midnight to renew all your certs automagically.
The certbot-auto client also has a hook to run commands anytime a cert renews, so you can automagically ingest any changed certs into Web servers, Mail servers, anywhere a cert is used.
Note: If you have many certs... and you require hands free... forever... auto-renewals... LetsEncrypt provides a good choice.