Eddie Muhic asked:
Expiring certificates on all domain joined servers

How to identify and track all Certificates on domain servers? What are best practices? Are there third party tools out there?

- I have CA Authority Server on my network domain.

- I consolidated my public Certificates with GoDaddy.

There are some PowerShell scripts which list all expiring certificates on domain-joined servers, for example:

    # Enumerate enabled Windows Server computer objects from AD (cluster virtual
    # objects and disabled accounts excluded), then run the block on each one
    Invoke-Command -ComputerName (Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Windows Server*)(!serviceprincipalname=*MSClusterVirtualServer*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Property Name | Sort-Object Name).Name -ScriptBlock {
        # On each server: unexpired certs in the machine store, with days left, filtered to < 90 days
        Get-ChildItem Cert:\LocalMachine\My -Recurse |
            Where-Object { $_.NotAfter -gt (Get-Date) } |
            Select-Object Subject, FriendlyName, Thumbprint, @{Name="Expires in (Days)"; Expression={ ($_.NotAfter).Subtract([DateTime]::Now).Days }} |
            Where-Object "Expires in (Days)" -lt 90
    }


But I wonder if there is something better out there? How to go about reminders? It would be nice to have some tool.

Please let me know what you think and recommend.
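As an added example (not the asker's script or any vendor's tool), here is a version of the sweep above that can run as a scheduled task: it keeps a CSV inventory of every machine-store certificate, tolerates unreachable hosts, and mails one reminder when a server's own certificate is inside the warning window. It assumes WinRM is enabled on the servers, the ActiveDirectory RSAT module is present where it runs, and the SMTP server and mailbox below are placeholders to replace.

```powershell
param(
    [int]    $WarnDays   = 90,
    [string] $ReportPath = "$env:TEMP\cert-inventory.csv",
    [string] $SmtpServer = 'smtp.example.invalid',    # placeholder, assumption
    [string] $MailTo     = 'pki-team@example.invalid' # placeholder, assumption
)

Import-Module ActiveDirectory

# Same LDAP filter as the question's script: Windows Servers, minus cluster
# virtual objects and disabled accounts (userAccountControl bit 2).
$filter = '(&(objectCategory=computer)(operatingSystem=Windows Server*)' +
          '(!serviceprincipalname=*MSClusterVirtualServer*)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$servers = (Get-ADComputer -LDAPFilter $filter).Name | Sort-Object
# Runs on each server. Expired certs are kept so the report shows what is
# still installed; HasPrivateKey separates the server's own certs from chain/CA certs.
$collect = {
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Server     = $env:COMPUTERNAME
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - $now).TotalDays
            HasKey     = $_.HasPrivateKey
        }
    }
}
# One unreachable host must not abort the sweep; failures are collected
# in $unreachable and listed in the reminder instead.
$inventory = Invoke-Command -ComputerName $servers -ScriptBlock $collect `
                 -ErrorAction SilentlyContinue -ErrorVariable unreachable |
             Select-Object Server, Subject, Issuer, Thumbprint, NotAfter, DaysLeft, HasKey
$inventory | Sort-Object DaysLeft | Export-Csv -Path $ReportPath -NoTypeInformation

# Alert on the server's own certs (private key present) inside the window,
# including ones already past NotAfter (negative DaysLeft).
$expiring = @($inventory | Where-Object { $_.HasKey -and $_.DaysLeft -lt $WarnDays })
if ($expiring.Count -gt 0 -or $unreachable.Count -gt 0) {
    $body  = $expiring | Sort-Object DaysLeft |
             Format-Table Server, Subject, DaysLeft, Thumbprint -AutoSize | Out-String
    $body += "`nUnreachable hosts ($($unreachable.Count)): " +
             (($unreachable | ForEach-Object { $_.Exception.Message }) -join '; ')
    Send-MailMessage -SmtpServer $SmtpServer -From $MailTo -To $MailTo `
        -Subject "Certificates expiring within $WarnDays days: $($expiring.Count)" -Body $body
}
```

The CSV doubles as the inventory the question asks for, so a diff of two runs shows certificates that appeared or disappeared between sweeps.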
David Favor

Tracking certs generated by Registrars is very difficult.

You'll require the Registrar have an API (that actually works consistently), then write related code to interact with the API.

Or... far more simple... use https://LetsEncrypt.org generated certs, which you generate once using the certbot-auto client, then run certbot-auto renew each night at midnight to renew all your certs automagically.

The certbot-auto client also has a hook to run commands anytime a cert renews, so you can automagically ingest any changed certs into Web servers, Mail servers, anywhere a cert is used.

Note: If you have many certs... and you require hands free... forever... auto-renewals... LetsEncrypt provides a good choice.
https://www.experts-exchange.com/questions/29164536/SSL-Solution-for-Multi-Domain-Multi-Host.html provides an example generating a script + running auto renewals which restart Apache anytime a cert renews.
noci
Nagios modules have a certificate checker that can test the certificate exposed on SSL-based links like https:, pops, imaps, ... or even TLS.

https://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_certificate/details
ASKER CERTIFIED SOLUTION
Eddie Muhic
This solution is only available to members.