Question:

Can I get alerted about expiring certificates in EventSentry?

Article ID: 339
Category: Monitoring
Applies to: 3.1 and higher
Updated: 2018-11-07

Answer:

You can utilize a short PowerShell script to get a list of all certificates that expire within a certain number of days. This script can then be executed on a regular basis (usually daily) and trigger an (email) alert if one or more expiring certificates are found.

The script is shown below:

Set-Location Cert:                     # switch to the certificate store drive
$MaxDays = 30                          # look-ahead window in days
# List certificates that expire within $MaxDays days but have not expired yet
Get-ChildItem -Recurse | Where-Object { $_.NotAfter -le (Get-Date).AddDays($MaxDays) -and $_.NotAfter -gt (Get-Date) } | Select-Object NotAfter, Subject, Issuer | Format-List

where the $MaxDays variable sets the look-ahead window: a certificate is listed when it expires within that many days from now (but has not expired yet). Output from the script when run through the application scheduler will look similar to this:

powershell.exe -inputformat none -file "%SYSTEMROOT%\SYSTEM32\eventsentry\scripts\expiring_certs.ps1" was run for 3 seconds with the result shown below. Return Code was 0.

NotAfter : 7/26/2017 2:40:53 PM
Subject : CN=TEST02K8R2.test.local
Issuer : CN=TEST02K8R2.test.local
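As an added example (not EventSentry's own script), the following parameterized variant of the check also reports the store each certificate lives in, its thumbprint and the days remaining; the property names DaysLeft and Store are ones chosen here. The output still contains the "NotAfter" label, so the event filter described later in this article keeps working.

```powershell
# Added example, not the article's script: parameterized expiring-certificate check.
param(
    [int]$MaxDays = 30                          # look-ahead window in days
)

$now    = Get-Date
$cutoff = $now.AddDays($MaxDays)

# Walk every store under Cert:\ (LocalMachine and CurrentUser). Container objects
# (the stores themselves) have no NotAfter property, so they are skipped first.
$expiring = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { -not $_.PSIsContainer -and
                   $_.NotAfter -le $cutoff -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter |
    Select-Object @{Name = 'NotAfter';   Expression = { $_.NotAfter }},
                  @{Name = 'DaysLeft';   Expression = { [int]($_.NotAfter - $now).TotalDays }},
                  @{Name = 'Subject';    Expression = { $_.Subject }},
                  @{Name = 'Issuer';     Expression = { $_.Issuer }},
                  @{Name = 'Thumbprint'; Expression = { $_.Thumbprint }},
                  # PSParentPath looks like "...Certificate::LocalMachine\My"; keep the part after "::"
                  @{Name = 'Store';      Expression = { $_.PSParentPath -replace '^.*::', '' }}

if ($expiring) {
    $expiring | Format-List
} else {
    # Deliberately avoids the word "NotAfter" so a content filter on it does not match.
    Write-Output "No certificates expire within $MaxDays days."
}
```

Run it as powershell.exe -file expiring_certs.ps1 -MaxDays 14 to tighten the window without editing the script.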

Follow the steps below to configure this in EventSentry:

  1. Add an embedded script (Tools->Embedded Scripts) with the name expiring_certs.ps1 as a new script. Specify the code above for the content
  2. Select the PowerShell interpreter from the list of available interpreters
  3. Create a new System Health package (assign it accordingly or make it global) and add an Application Scheduler object to it
  4. Decide on a schedule for the script and select @expiring_certs.ps1 for the script name.
  5. Set up a filter (shown below) which will look for the 10200 information event logged by EventSentry with the content filter *expiring_certs.ps1*NotAfter*. If no certificates are set to expire, the string NotAfter will not be part of the event.

If you haven't already done so, set the proper PowerShell execution policy on the system where the script will be executed, since running PowerShell scripts is disabled by default. The execution policy needs to be either set to "RemoteSigned" (recommended) or "Unrestricted". To set the execution policy, open an elevated PowerShell command prompt and run:

Set-ExecutionPolicy RemoteSigned