rafabu / SCOM-PKICertificateMP

This is for SCOM - System Center Operations Manager: The PKI Certificate Verification MP discovers PKI Certificates and Certificate Revocation Lists inside computers’ local certificate stores. It helps prevent service interruptions caused by invalid certificates by alerting when
GNU Lesser General Public License v3.0

MP Alerting on certs that have expired years ago. #18

Closed muradakram closed 3 years ago

muradakram commented 4 years ago

I can't seem to find a way to only alert when/if a cert's expiration date is 30 or 90 days away. And I can't seem to find a way to create an override to disable alerts on certs that expired many, many years ago.

Here is an example alert, regarding a cert that has expired (expired on 07/15/2014 23:59:59 UTC).

Date and Time: 12/9/2019 10:37:19 AM

| Property Name | Property Value |
| --- | --- |
| InstanceType | Certificate |
| UserContext | NT AUTHORITY\SYSTEM |
| CertVersion | 3 |
| CertSerial | 4191A15A3978DFCF496566381D4C75C2 |
| CertSignatureAlgo | sha1RSA |
| CertIssuedBy | OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US |
| CertValidFrom | 07/16/2004 00:00:00 |
| CertValidTo | 07/15/2014 23:59:59 |
| CertIssuedTo | CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
| CertPublicKey | RSA-PKCS1-KeyEx |
| CertFriendlyName | |
| CertThumbprint | 197A4AEBDB25F0170079BB8C73CB2D655E0018A4 |
| CertSAN | Directory Address:CN=Class3CA2048-1-43 |
| CertIsCertificateAuthority | True |
| CertIsSelfSigned | False |
| CertPrivateKey | False |
| CertDaysStillValid | -1972 |
| CertLifeTimeMessage | has expired on 07/15/2014 23:59:59 UTC |
| CertExpiresSoon | false |
| CertStatus | IsVerified |
| CertStatusIgnoreUntrustedRoot | IsVerified |
| CertTimeStatus | NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. |
| CertVerboseStatus | |
| CertVerboseTimeStatus | --- Certificate Status --- NotTimeValid: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. --- Chain Status Overview --- Level 0:OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US IsVerified |
| CAVersion | n/a |

Winkenbm commented 4 years ago

I would love such a solution too.

JiiPee-svg commented 4 years ago

Archive them

BCornelissen commented 3 years ago

This is the way the management pack was intended. An expired certificate is expired, no matter how long ago it expired. Expired certificates should be removed from a server. It is part of a clean-up most people forget to do.
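
An added example, not part of the thread or of the management pack: a read-only PowerShell inventory of the LocalMachine certificate stores that lists certificates which have already expired or expire within a chosen window, as input for the clean-up described above. The `$WarnDays` and `$OutFile` parameters and the output column names are assumptions of this example; it removes nothing and does not change how the MP alerts.

```powershell
# Added example: read-only inventory of expired / soon-to-expire certificates.
# Assumptions: $WarnDays, $OutFile and the column names are this example's own.
# Run in an elevated session on the server being reviewed.
param(
    [int]$WarnDays = 30,                                   # e.g. 30 or 90
    [string]$OutFile = "$env:TEMP\cert-expiry-report.csv"  # hypothetical report path
)

$now = (Get-Date).ToUniversalTime()

$report = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    # -Recurse also returns store containers; keep certificates only.
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        # Whole days until NotAfter; negative once the certificate has expired.
        $daysLeft = [int][math]::Floor(($_.NotAfter.ToUniversalTime() - $now).TotalDays)
        if ($daysLeft -ge $WarnDays) { return }   # outside the window: not reported

        # Basic Constraints tells us whether this is a CA certificate.
        # Certificates without the extension are reported as IsCA = False.
        $bc = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
            Select-Object -First 1

        [pscustomobject]@{
            Status        = $(if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiresSoon' })
            DaysLeft      = $daysLeft
            Store         = ($_.PSParentPath -split '\\')[-1]   # e.g. My, CA, Root
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotAfterUtc   = $_.NotAfter.ToUniversalTime().ToString('u')
            IsCA          = [bool]($bc -and $bc.CertificateAuthority)
            HasPrivateKey = $_.HasPrivateKey
        }
    } |
    Sort-Object -Property DaysLeft

# Write the review list to disk and also emit it to the pipeline.
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
$report | Format-Table Status, DaysLeft, Store, Thumbprint, IsCA, HasPrivateKey -AutoSize
```

Review the `IsCA` rows before deleting anything: an expired CA certificate can still be needed to validate signatures that were timestamped while it was valid.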