PKI - Certificate expiration notifications

DJH

Hey,

I'm currently getting up to speed on our internal PKI implementation. We use
an enterprise PKI with an offline root.

We have distributed our Root certificate via a GPO so that all
desktops/servers receive the root certificate. We have also enabled auto
enrollment via group policy.

For the IIS web servers we have, they are able to renew their certificates
if the computer account is a member of a particular group and assuming the
cert hasn't been revoked etc. (We still need to test this as we only recently
implemented the PKI)

For any non-Windows web servers, the admin will request a cert in Base64
format and send us the output, which we then submit to
http://servename/certsrv and then send them back the .cer file (as well as
the root certificates if they aren't already on the box).

These SSL certificates have a validity of 12 months. Currently the only way
to determine if a certificate is about to expire is by manually checking the
expiration dates of all the certs. I've been trying to find a
plugin/addon/app which can send the CA admins an email when certificates are
about to expire but the only product I can find is ILM-CM. Now it looks like
a good product and has some handy features, but seems like overkill when we
just want a notification service.

Are there any other apps out there which can bolt onto MS PKI to alert when
certificates expire? Any other methods out there?
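The request-and-return procedure for the non-Windows web servers can be run from a CA admin's console without the certsrv page: certreq submits the Base64 request straight to the issuing CA and can write the issued certificate and the chain in one go. The script below is an added example, not code from the original post; the CA config string, template name and file paths are placeholders (running certutil with no arguments on a domain member lists the enterprise CAs with their Config strings).

```powershell
# Added example: submit a Base64 request from a non-Windows web server to the
# enterprise issuing CA and produce the files to hand back to the admin.
# Placeholders: CA config string, template name and all paths.
$CAConfig  = "ca01.corp.example.com\Corp Issuing CA"   # "certutil" with no args lists these
$Template  = "WebServer"                               # template the requester is allowed to use
$Request   = "C:\pki\requests\web01.req"               # the Base64 CSR the admin sent
$IssuedCer = "C:\pki\issued\web01.cer"                 # Base64 certificate to send back
$ChainP7b  = "C:\pki\issued\web01-chain.p7b"           # issued cert plus root and issuing CA certs

# Look at the request before submitting it: certutil prints the subject, key size
# and any SAN extension, so requests for names the admin should not get can be refused.
certutil -dump $Request

# A PEM CSR carries no template OID, so the template is supplied with -attrib.
# -config avoids the interactive CA picker; output files are Base64 unless -binary is given.
# The third positional file receives the PKCS#7 chain for boxes that lack the CA certs.
certreq -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $Request $IssuedCer $ChainP7b

# certreq prints the request ID either way; no output file means denied, failed,
# or pending CA manager approval (fetch a pending one later with certreq -retrieve).
if (-not (Test-Path $IssuedCer)) {
    throw "No certificate was issued for $Request; see the certreq output above."
}

# Record thumbprint, subject and expiry so there is one place to look instead of
# checking every server by hand.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCer
"{0}`t{1}`t{2:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter |
    Add-Content -Path "C:\pki\issued\issued-log.tsv"
```

If the template requires CA manager approval, approve the request in the Certification Authority console and then run `certreq -retrieve -config "<CA config>" <RequestId> <CertFile>` to collect it; the request ID is in certreq's output.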
 

Brian Komar

This is possible through Identity Lifecycle Manager 2007. ILM 2007 keeps
track of all certificates in its own SQL database.
You can configure the Renew policy to send the original requester an email
message when the Web server certificate enters its renewal period. This is
based on the renewal interval defined in the certificate template (the
default is 6 weeks before expiration for a 1 year certificate).

I guess you could use iCertAdmin to query the CA database to do something
similar.
Brian

"DJH" <DJH@discussions.microsoft.com> wrote in message
news:845C86C9-CA45-4511-93CE-48E6830CD60A@microsoft.com...
 
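Brian's pointer to the CA database can be scripted with the same COM interfaces certutil uses: ICertView (ProgID CertificateAuthority.View) is the query side of the CA database, while ICertAdmin is for administrative actions such as revocation and publishing. The PowerShell below is an added example, not Brian's or Microsoft's code. It assumes placeholder names for the CA config string, the SMTP host and the mailboxes, a 42-day window matching the 6-week default renewal period Brian mentions, and the column names certutil accepts in -restrict and -out (certutil -schema lists them).

```powershell
# Added example, not part of the original thread: list issued certificates in the CA
# database that expire inside the renewal window and mail the CA admins a digest.
# Placeholders: CA config string, SMTP host, mailbox names and the 42-day window.
$CAConfig   = "ca01.corp.example.com\Corp Issuing CA"
$WindowDays = 42
$SmtpHost   = "smtp.corp.example.com"
$From       = "pki-alerts@corp.example.com"
$To         = "ca-admins@corp.example.com"

# ICertView constants from certview.h: seek operators, sort order, GetValue output flag.
$CVR_SEEK_EQ = 1; $CVR_SEEK_LE = 4; $CVR_SEEK_GE = 8
$CVR_SORT_NONE = 0
$CV_OUT_BASE64 = 1
$DISPOSITION_ISSUED = 20           # 20 = issued, 21 = revoked, 30 = denied, 31 = failed

$view = New-Object -ComObject CertificateAuthority.View
$view.OpenConnection($CAConfig)

# Restrictions are ANDed and must be set before OpenView: issued rows only (so revoked
# certs drop out) whose NotAfter lies in [now, now + window].
$now = Get-Date
$view.SetRestriction($view.GetColumnIndex($false, "Disposition"), $CVR_SEEK_EQ, $CVR_SORT_NONE, $DISPOSITION_ISSUED)
$view.SetRestriction($view.GetColumnIndex($false, "NotAfter"),    $CVR_SEEK_GE, $CVR_SORT_NONE, $now)
$view.SetRestriction($view.GetColumnIndex($false, "NotAfter"),    $CVR_SEEK_LE, $CVR_SORT_NONE, $now.AddDays($WindowDays))

# Result columns, named as certutil -restrict/-out accept them (see certutil -schema).
$columns = "RequestID", "RequesterName", "CommonName", "CertificateTemplate", "NotAfter"
$view.SetResultColumnCount($columns.Count)
foreach ($name in $columns) { $view.SetResultColumn($view.GetColumnIndex($false, $name)) }

# Walk the rows; each row's columns come back through a second enumerator. GetName
# returns the schema name, which carries a "Request." prefix for request-table columns.
$expiring = @()
$row = $view.OpenView()
while ($row.Next() -ne -1) {
    $rec = @{}
    $col = $row.EnumCertViewColumn()
    while ($col.Next() -ne -1) {
        $rec[($col.GetName() -replace '^Request\.', '')] = $col.GetValue($CV_OUT_BASE64)
    }
    $expiring += New-Object PSObject -Property $rec
}

if ($expiring.Count -eq 0) { "No certificates expire in the next $WindowDays days."; return }

# One digest line per certificate, soonest first. RequesterName is DOMAIN\account:
# a computer account for autoenrolled IIS certs, a user for certsrv submissions.
$lines = $expiring | Sort-Object NotAfter | ForEach-Object {
    $days = [int]([DateTime]$_.NotAfter - $now).TotalDays
    "{0,3}d  {1:yyyy-MM-dd}  {2,-40}  {3,-20}  req {4} by {5}" -f $days, [DateTime]$_.NotAfter,
        $_.CommonName, $_.CertificateTemplate, $_.RequestID, $_.RequesterName
}

$subject = "[PKI] $($expiring.Count) certificate(s) expire within $WindowDays days"
$mail = New-Object System.Net.Mail.MailMessage $From, $To, $subject, ($lines -join "`r`n")
$smtp = New-Object System.Net.Mail.SmtpClient $SmtpHost
$smtp.Send($mail)
```

The same filter can be expressed on the command line for a quick look: `certutil -config "ca01.corp.example.com\Corp Issuing CA" -view -restrict "Disposition=20,NotAfter>=now,NotAfter<=now+42:00" -out "RequestID,RequesterName,CommonName,NotAfter"`. Two caveats: a certificate renewed by autoenrollment keeps its old database row until that row's NotAfter passes, so a name in the digest may already have a fresh certificate (look for a later-issued row with the same CommonName before chasing the requester), and the account running the scheduled task needs Read permission on the CA.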
DJH

thanks for the response!

ILM seems like overkill for what we need it for. Hopefully one of the
scripting guys here can look at iCertAdmin.

I found a Linux script to check for PEM-encoded X.509 certificates here:
http://prefetch.net/articles/checkcertificate.html

But we need to be checking other types of certs.

thanks

"Brian Komar" wrote:

 
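Beyond the PEM-only check in the prefetch.net script, one report can cover the other forms this thread deals with: .cer files in either encoding, .p7b chains and .pfx files, the machine store on an IIS host, and the certificate a non-Windows web server actually presents on port 443, which is what matters once the admin has installed it. The script below is an added example, not from the original thread; host names, paths and the 42-day window are placeholders.

```powershell
# Added example, not part of the original thread: expiry report for certificates the CA
# database cannot see or whose deployment you want to verify. Placeholders: hosts, paths, window.
$WindowDays = 42
$Targets = @(
    @{ Kind = "file";  Path = "C:\pki\issued\web01.cer" }
    @{ Kind = "store"; Host = "iis01.corp.example.com" }
    @{ Kind = "tls";   Host = "wiki.corp.example.com"; Port = 443 }
)

function Get-CertsFromFile([string]$Path) {
    # Import handles DER and Base64 .cer, .p7b and passwordless .pfx; unlike the
    # X509Certificate2 constructor it returns every certificate in a PKCS#7 file.
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $coll.Import($Path)
    $coll
}

function Get-CertsFromStore([string]$ComputerName) {
    # Remote machine store via the Remote Registry service; needs admin rights on the target.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$ComputerName\My", "LocalMachine")
    $store.Open("ReadOnly")
    try { $store.Certificates } finally { $store.Close() }
}

function Get-CertFromTls([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain on purpose: the point is to read NotAfter from
        # whatever is served, including a cert that is already expired or from another CA.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

$now = Get-Date
$report = foreach ($t in $Targets) {
    $certs = switch ($t.Kind) {
        "file"  { Get-CertsFromFile $t.Path }
        "store" { Get-CertsFromStore $t.Host }
        "tls"   { Get-CertFromTls $t.Host $t.Port }
    }
    $source = $t.Path
    if (-not $source) { $source = "$($t.Kind)://$($t.Host)" }
    foreach ($c in $certs) {
        $days = [int]($c.NotAfter - $now).TotalDays
        if ($days -lt 0) { $status = "EXPIRED" }
        elseif ($days -le $WindowDays) { $status = "RENEW" }
        else { $status = "ok" }
        New-Object PSObject -Property @{
            Source = $source; Subject = $c.Subject; Thumbprint = $c.Thumbprint
            NotAfter = $c.NotAfter; DaysLeft = $days; Status = $status
        }
    }
}

# Soonest expiry first; RENEW and EXPIRED rows are the ones to act on.
$report | Sort-Object DaysLeft | Format-Table Status, DaysLeft, NotAfter, Subject, Source -AutoSize
```

AuthenticateAsClient sends the host name as SNI only on .NET 4.5 and later; on older runtimes a server hosting several names returns its default certificate, so check that the Subject in the report matches the host you asked for. Pipe the sorted report through Out-String to put it in a mail body.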