Monitoring Windows certificate expiration checks

I have a Windows server which consists of a certificate with a thumbprint. Now, I would like to monitor the validity of this certificate. Is this possible out of the box from Checkmk? Can anyone point me to some documentation on how to achieve this?

At the moment, I am monitoring the certificate expiration on the Linux hosts using the check_http plugin.

Sort of old, but the old style Window Logs will output something like:

WARN - 1 WARN messages (Last worst: Jul 16 01:27:01 32768.64 AutoEnrollment local system)
(that’s actually how CheckMK reports it, just fyi)

a month before a cert in its store is going to expire. Doesn’t tell you what cert, but CheckMK will at least see this in the Log Application for any Windows host that has an expiring cert.

We actually have a separate tool that shows us our certs on the network, but I have thought about using CheckMK (apart from the less than obvious warning message above you’ll get by default).

That's also the choice for Windows, as from the HTTP client the server OS does not matter.

1 Like

We have an agent plugin that scans the Windows cert store and outputs certificate information. For every certificate one service check is created.


Hello Robert

Thanks for sharing the MKP.
Is the MKP also implemented in the CMK Master for all of us users in the next coming CMK versions?

And is there a Unix solution as well to scan all the available certificates?

This would be great!


Best regards

Thanks for your input.
I tried this initially and got a “CRITICAL - Cannot make SSL connection” error because we do not have the client certificate on the monitoring server. So this option is out.

Thanks for the input. I also need the certificate subject and the expiry date/time to be displayed every time on the service check. I think but I am not sure if this is possible with event log.

Hi Robert,

Thanks for the link to the GitHub repo. I went through your code. My requirement is to give an option to the user to specify the Certificate Path on the command line, like a particular thumbprint or he can choose any path he wants. I managed to add the functionality to provide the command line argument on the agent side plugin and it works fine. Now the question is, how to call this plugin with arguments under the local folder?

PS C:\Program Files (x86)\check_mk\local>.\test_cert1.ps1 -CertificatePath "Cert:\CurrentUser\*\C0D4xxxxxxxxxxxxxxxxxxxxxxxxxxxx" -w 30 -c 60

You cannot pass commandline arguments to an agent plugin or local check.

You can pass commandline arguments to Nagios plugins called via MRPE from the agent.

1 Like
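
Added example (not part of the thread, and not the code from the MKP or the poster's script): a Nagios-style plugin of the kind the reply above says can be called with arguments via MRPE, printing subject and expiry for the certificate(s) at a given path. The file name `check_cert.ps1`, the default thresholds and the days-remaining meaning of `-w`/`-c` are assumptions of this example.

```powershell
# check_cert.ps1 - added example: Nagios-style certificate expiry check for MRPE.
# Parameter names mirror the command shown in the thread; the threshold
# semantics (days remaining, warn > crit) are an assumption of this example.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertificatePath,          # e.g. Cert:\LocalMachine\My\<thumbprint>
    [Alias('w')][int]$WarnDays = 30,
    [Alias('c')][int]$CritDays = 14
)

# Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
try {
    # Wildcard paths may also match store containers; keep certificates only.
    $certs = @(Get-Item -Path $CertificatePath -ErrorAction Stop |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] })
} catch {
    Write-Output "UNKNOWN - cannot read ${CertificatePath}: $($_.Exception.Message)"
    exit 3
}
if ($certs.Count -eq 0) {
    # A wildcard path with no match returns nothing and raises no error.
    Write-Output "UNKNOWN - no certificate found at $CertificatePath"
    exit 3
}

$now = Get-Date
$worst = 0
$lines = foreach ($cert in $certs | Sort-Object NotAfter) {
    $days = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    $state = if ($days -lt $CritDays) { 2 } elseif ($days -lt $WarnDays) { 1 } else { 0 }
    if ($state -gt $worst) { $worst = $state }
    "{0} expires {1:yyyy-MM-dd HH:mm} ({2} days left, thumbprint {3})" -f `
        $cert.Subject, $cert.NotAfter, $days, $cert.Thumbprint
}

# One status line, as Nagios plugins are expected to print; worst state wins.
$label = @('OK', 'WARNING', 'CRITICAL')[$worst]
Write-Output ("{0} - {1}" -f $label, ($lines -join '; '))
exit $worst
```

The agent service runs as LocalSystem by default, so a `Cert:\CurrentUser\...` path resolves to that account's store rather than the store of the user who tested the script interactively; `Cert:\LocalMachine\...` paths do not depend on the calling account.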

I did try your suggestion and it works as expected. Thanks for your help.

The MKPs available in our repo are supported on a best-effort basis.

In this particular sslcertificates MKP there is also an agent plugin for Linux available. This needs a configuration file with a list of directories to search for certificates.