rafabu / SCOM-PKICertificateMP

This is for SCOM - System Center Operations Manager: The PKI Certificate Verification MP discovers PKI Certificates and Certificate Revocation Lists inside computers’ local certificate stores. It helps prevent service interruptions caused by invalid certificates by alerting when
GNU Lesser General Public License v3.0

Block certificates from being discovered #24

Open VMorrison101 opened 4 years ago

VMorrison101 commented 4 years ago

Is there a way to block certificates from being discovered? I've created a dynamic group/overrides to handle this, but the issue we're running into is with hybrid Azure AD join/registration device certificates. They are short-term certificates that expire within 24 hours and, due to the group recalculations, are triggering alerts.

beloken commented 4 years ago

We use a regex to override the 'Issuer Filter - Exclude' parameter. This override is located on the 'Discovery of local computer's certificate store "My / Personal" (registry)' object discovery. This regex works for the two kinds of certs that MS issues with 24 hours validity: .*CN=MS-Organization((-)|(-P2P-))Access.*

VMorrison101 commented 4 years ago

That was exactly what I was looking for. Thank you :)

BCornelissen commented 3 years ago

Hi guys, we will look into adding a clarification or example in the documentation.

daveyboy75 commented 2 years ago

I'd like to confirm on the Azure 24hr cert override myself, as I'm interested in getting this into my mgmt groups. Essentially, for the "Discovery of local computer's certificate store "My / Personal" (registry)", the default value of "^$" for the parameter "Issuer Filter - Exclude (RegEx)", we just need to apply the following override value: .CN=MS-Organization((-)|(-P2P-))Access.

??

VMorrison101 commented 2 years ago

Based on the reply from Beloken, I added this: CN=MS-Organization((-)|(-P2P-))Access

daveyboy75 commented 2 years ago

Outstanding! Much appreciated @VMorrison101
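
The following is an added example, not part of the thread and not code from the management pack: it runs the three override values quoted above, plus the default `^$`, against sample issuer strings so you can see what each one would exclude before deploying the override. Assumptions: the issuer strings are constructed, `Test-IssuerExclude` is a hypothetical helper, and because the thread does not say whether the MP searches for the pattern or matches the whole issuer string, both behaviours are shown.

```powershell
# Candidate values for 'Issuer Filter - Exclude (RegEx)', copied from the thread.
$patterns = [ordered]@{
    'default'      = '^$'
    'beloken'      = '.*CN=MS-Organization((-)|(-P2P-))Access.*'
    'daveyboy75'   = '.CN=MS-Organization((-)|(-P2P-))Access.'
    'VMorrison101' = 'CN=MS-Organization((-)|(-P2P-))Access'
}

# Constructed issuer strings for illustration (not from the thread or a real store).
$issuers = @(
    'CN=MS-Organization-Access, OU=00000000-0000-0000-0000-000000000000, DC=windows, DC=net'
    'CN=MS-Organization-P2P-Access [2021]'
    'DC=net, DC=windows, CN=MS-Organization-Access'
    'CN=Contoso Issuing CA 01, DC=contoso, DC=example'
    'CN=MS-Organization-Access-Lookalike, O=Example'
)

function Test-IssuerExclude {
    # Hypothetical helper: returns $true when the issuer would be excluded.
    param(
        [string]$Pattern,
        [string]$Issuer,
        [switch]$WholeString   # assumption: simulate a filter that anchors the pattern
    )
    if ($WholeString) { $Pattern = "^(?:$Pattern)$" }
    # [regex]::IsMatch is case-sensitive, unlike the PowerShell -match operator.
    return [regex]::IsMatch($Issuer, $Pattern)
}

$report = foreach ($issuer in $issuers) {
    foreach ($name in $patterns.Keys) {
        [pscustomobject]@{
            Issuer   = $issuer
            Pattern  = $name
            Search   = Test-IssuerExclude -Pattern $patterns[$name] -Issuer $issuer
            Anchored = Test-IssuerExclude -Pattern $patterns[$name] -Issuer $issuer -WholeString
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# To audit a real machine instead, replace $issuers with:
#   $issuers = Get-ChildItem Cert:\LocalMachine\My |
#       Select-Object -ExpandProperty Issuer -Unique
```

A `True` in either column means certificates from that issuer would no longer be discovered or alerted on, so check the rows for issuers you still expect the MP to monitor; the lookalike row shows that the filter excludes any issuer name containing the matched text.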