Monitoring windows certificate expiration checks

I have a Windows server which has a certificate with a thumbprint. Now, I would like to monitor the validity of this certificate. Is this possible out of the box from Checkmk? Can anyone point me to some documentation on how to achieve this?

At the moment, I am monitoring the certificate expiration on the linux hosts using the check_http plugin.

Sort of old, but the old-style Windows logs will output something like:

WARN - 1 WARN messages (Last worst: Jul 16 01:27:01 32768.64 AutoEnrollment local system)
(that’s actually how CheckMK reports it, just fyi)

a month before a cert in its store is going to expire. Doesn’t tell you what cert, but CheckMK will at least see this in the Log Application for any Windows host that has an expiring cert.

We actually have a separate tool that shows us our certs on the network, but I have thought about using CheckMK (apart from the less than obvious warning message above you'll get by default).

That's also the choice for Windows, as from the HTTP client's point of view the server OS does not matter.

1 Like

We have an agent plugin that scans the Windows cert store and outputs certificate information. For every certificate one service check is created.

6 Likes

Hello Robert

thanks for sharing the MKP.
Will the MKP also be implemented in the CMK master for all of us users in the coming CMK versions?

And is there also a Unix solution to scan all the available certificates?

This would be great!

Thanks

Best regards

Thanks for your input.
I tried this initially and got a "CRITICAL - Cannot make SSL connection" error because we do not have the client certificate on the monitoring server. So this option is out.

Thanks for the input. I also need the certificate subject and the expiry date/time to be displayed every time on the service check. I think, but I am not sure, that this is possible with the event log.

Hi Robert,

Thanks for the link to the GitHub repo. I went through your code. My requirement is to give the user an option to specify the certificate path on the command line, like a particular thumbprint, or he can choose any path he wants. I managed to add the functionality to provide the command line argument on the agent-side plugin and it works fine. Now the question is: how do I call this plugin with arguments under the local folder?

Like:

```powershell
PS C:\Program Files (x86)\check_mk\local> .\test_cert1.ps1 -CertificatePath "Cert:\CurrentUser\*\C0D4xxxxxxxxxxxxxxxxxxxxxxxxxxxx" -w 30 -c 60
```

You cannot pass commandline arguments to an agent plugin or local check.

You can pass commandline arguments to Nagios plugins called via MRPE from the agent.

https://checkmk.com/cms_agent_windows.html#Executing%20plug-ins%20via%20MRPE

1 Like

I did try your suggestion and it works as expected. Thanks for your help.

The MKPs available in our repo are supported on a best-effort basis.

In this particular sslcertificates MKP there is also an agent plugin for Linux available. This needs a configuration file with a list of directories to search for certificates.

Hi Robert,
I'm trying to define the path for the Windows SSL certificate store server (in order to get an alert when a new CA is created on this server). The problem is that according to the rule I cannot add a Windows path, only a Linux one. Any suggestions?
Do I need to do it via an MRPE service?

I have no know-how on the Windows operating system. The Windows Powershell agent plugin is a third party contribution. Have a look yourself if you can add the desired functionality there.

Currently it queries the builtin certificate store for server certificates, not CA certificates, as far as I know.

I can only say: on Windows you have no path to check. You can change the plugin script as @r.sander mentioned. Inside the script you only need to modify the queried paths to your needs.

What do you mean with this?

Hi Andreas,
I'm already monitoring the SSL certificate expiration date for each server that got a website certificate from the CA publisher. I'm trying to monitor the CA server itself, so once the server creates a new certificate I will get a warning; we are trying to track the new CAs that we are publishing...

Hi,
I'm not sure if the topic is still valid, but here you have a part of the code which I wrote some time ago to cover a similar thing. Hope it will help someone a bit:

```powershell
##################################################################################################
# VERSION: 1.3
#
# CHANGES:
#
# 2022.09.19: 1.0 Initial pre-release version (test)
# 2022.10.25: 1.1 Implementation of blackout list
# 2022.10.26: 1.2 Extend functionality of blackout list
# 2022.10.28: 1.3 Add printing Excluded Certificates with status OK + few cosmetic output string
##################################################################################################

########################
#Thresholds declaration#
########################

Param(
    [int]$critical = 10,
    [int]$warning = 30
)

#########################
#All necessary variables#
#########################

$CERTDIR = "Cert:\LocalMachine\My"
$bReturnOK = $TRUE
$bReturnCritical = $FALSE
$bReturnWarning = $FALSE
$bReturnUnknown = $FALSE
$returnStateOK = 0
$returnStateWarning = 1
$returnStateCritical = 2
$returnStateUnknown = 3
$nWarning = $warning
$nCritical = $critical
$dtCurrent = Get-Date
$strCritical = ""
$strWarning = ""
$strUnknown = "Error in plugin - please check manually!"
$strOK = "All Personal Certificates are valid!"
$excludedCRT = ""

###########################
#Blackout list declaration#
###########################

# Every entry is compared with the Issuer, FriendlyName and SerialNumber of each certificate.
$blackout=@(
    "CN=MS-Organization-P2P-Access [2021]",
    "CN=MS-Organization-P2P-Access [2022]",
    "CN=MS-Organization-P2P-Access [2023]",
    "CN=MS-Organization-P2P-Access [2024]",
    "CN=MS-Organization-P2P-Access [2025]",
    "CN=MS-Organization-P2P-Access [2026]",
    "CN=MS-Organization-P2P-Access [2027]",
    "_NotMonitored"
)

#############################################################
#Blackout list definition + collecting blackout certificates#
#############################################################

# Certificates matching the blackout list are not checked; only their serial numbers are reported.
$exclude=Get-ChildItem -Path $CERTDIR -Recurse | ? {
    ($blackout -contains $_.Issuer -or $blackout -contains $_.FriendlyName -or $blackout -contains $_.SerialNumber)} | select SerialNumber
$excludedCRT=$exclude
[string]$excludedCRT=$exclude -replace '@{'
[string]$excludedCRT=$excludedCRT -replace '}', ','
[string]$excludedCRT="Excluded Certificates from monitoring are: " + $excludedCRT

# Everything else in the Personal store is checked.
$objCertificates=Get-ChildItem -Path $CERTDIR -Recurse | ? {
    ($blackout -notcontains $_.Issuer -and $blackout -notcontains $_.FriendlyName -and $blackout -notcontains $_.SerialNumber)}

#####################################################################################################################
#Exit loop - exit from plugin with status OK if Personal Certificate Store is empty or only holds excluded certificates#
#####################################################################################################################

if (-Not $objCertificates)
{
    Write-Output "0 Certificates - Personal Certificate Store is empty."
    exit $returnStateOK
}

#######################################
#Main loop Expiration Date calculation#
#######################################

foreach ($objCertificate in $objCertificates)
{
    $dtRemain = $objCertificate.NotAfter - $dtCurrent
    $nRemainDays = $dtRemain.Days

    ###################################################################################
    #Sub loop for check criteria OK/Warning/Critical/UNKNOWN and feed output variables#
    ###################################################################################

    if ($nRemainDays -lt 0)
    {
        $strCritical = $strCritical + $objCertificate.SubjectName.Name.ToString() + " EXPIRED! " + $objCertificate.NotAfter.ToString() + " "
        $bReturnCritical = $TRUE
    } Elseif ( $nRemainDays -lt $nCritical)
    {
        $strCritical = $strCritical + $objCertificate.SubjectName.Name.ToString() + " WILL EXPIRE: " + $objCertificate.NotAfter.ToString() + " "
        $bReturnCritical = $TRUE
    } Elseif ( $nRemainDays -lt $nWarning)
    {
        $strWarning = $strWarning + $objCertificate.SubjectName.Name.ToString() + " WILL EXPIRE: " + $objCertificate.NotAfter.ToString() + " "
        $bReturnWarning = $TRUE
    } Elseif ($nRemainDays -ge $nWarning)
    {
        # -ge also covers a certificate with exactly $nWarning days left, which otherwise fell through to UNKNOWN
        $strOK = $strOK
        $bReturnOK = $TRUE
    } Else
    {
        $strUnknown = $strUnknown
        $bReturnUnknown = $TRUE
    }
}

##############################################################################
#Print loop ServiceName, ReturnCode and Description output in check_mk format#
##############################################################################
# Runs once after all certificates have been evaluated (inside the foreach the plugin
# would exit after the first certificate). Local check format:
# "<state> <service name> <metrics or -> <summary text>".

if ($bReturnCritical)
{
    Write-Output "2 Certificates - $($strCritical + $strWarning)"
    exit $returnStateCritical
}
elseif ($bReturnWarning)
{
    Write-Output "1 Certificates - $strWarning"
    exit $returnStateWarning
}
elseif ($bReturnOK)
{
    Write-Output "0 Certificates - $strOK $excludedCRT"
    exit $returnStateOK
}
else
{
    Write-Output "3 Certificates - $strUnknown"
    exit $returnStateUnknown
}
```

###########
#Few hints#
###########

Put "write-host $objCertificates" in line 70 to check which certificates will be analyzed.

By modifying line 69 you can change the functionality of the blackout list using the format: "-and $blackout -notcontains $_."

Thresholds are defined in days.

You can extend the functionality of that plugin by adding another loop. Example: check certificates from stores like Root, CA, AuthRoot, SharePoint etc.

And here you have an example of implementation of it:
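As an added example for this thread (not code from the poster above, the Checkmk project or the sslcertificates MKP), here is a local check in the same spirit that creates one service per certificate with subject, expiry and a days-remaining metric, takes the store or thumbprint path as a parameter, and has an MRPE mode, since the Windows agent only passes command line arguments to MRPE checks. The script name check_certs.ps1, the metric name cert_days and the install path in the MRPE comment are assumptions.

```powershell
# Added example for this thread, not code from the Checkmk project or the sslcertificates MKP.
# Assumed: script name check_certs.ps1, metric name cert_days, the MRPE path in the comment below.
Param(
    [string]$CertificatePath = "Cert:\LocalMachine\My",  # whole store, or one thumbprint path
    [int]$Warning  = 30,                                 # WARN when fewer days remain
    [int]$Critical = 10,                                 # CRIT when fewer days remain (or expired)
    [switch]$Mrpe                                        # MRPE mode: one line, state via exit code
)

# Days remaining -> Checkmk state number (0 OK, 1 WARN, 2 CRIT). Expired certs have negative days.
function Get-CertState([int]$DaysLeft, [int]$Warn, [int]$Crit) {
    if ($DaysLeft -lt $Crit) { return 2 }
    if ($DaysLeft -lt $Warn) { return 1 }
    return 0
}

# One certificate -> result object. Service names may not contain spaces, so the thumbprint is used.
function Get-CertResult($Cert, [datetime]$Now, [int]$Warn, [int]$Crit) {
    $daysLeft = [int][math]::Floor(($Cert.NotAfter - $Now).TotalDays)
    $text = "$($Cert.Subject) expires $($Cert.NotAfter.ToString('yyyy-MM-dd HH:mm'))"
    if ($daysLeft -lt 0) { $text += " EXPIRED" }
    [pscustomobject]@{
        State   = Get-CertState $daysLeft $Warn $Crit
        Service = "Cert_$($Cert.Thumbprint)"
        Metric  = "cert_days=$daysLeft;$Warn;$Crit"   # thresholds in the metric show up in the graph
        Text    = $text
    }
}

# -Recurse lets a wildcard path like Cert:\CurrentUser\*\<thumbprint> work; the type filter drops
# the store containers Get-ChildItem returns next to the certificates.
$now   = Get-Date
$certs = @(Get-ChildItem -Path $CertificatePath -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] })
if ($certs.Count -eq 0) {
    Write-Output "3 Certificates - nothing found under $CertificatePath"
    exit 3
}
$results = @(foreach ($c in $certs) { Get-CertResult $c $now $Warning $Critical })
if ($Mrpe) {
    # MRPE is the only way the agent passes arguments; entry for check_mk.user.yml (assumed path):
    #   - check = Certificates powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\checkmk\agent\mrpe\check_certs.ps1 -Warning 30 -Critical 10 -Mrpe
    # MRPE takes the state from the exit code and the output line as the summary.
    Write-Output (($results | ForEach-Object { $_.Text }) -join ', ')
    exit ([int]($results.State | Measure-Object -Maximum).Maximum)
}
# Local-check mode (script in the agent's local directory): every line becomes its own service.
foreach ($r in $results) { Write-Output "$($r.State) $($r.Service) $($r.Metric) $($r.Text)" }
exit 0
```

In local-check mode the exit code is ignored and each output line is its own service; in MRPE mode the worst certificate state is returned as the exit code, which is what MRPE turns into the service state.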