check Windows certificates health

Description

Check installed certificates in Windows store using powershell through NRPE / nsclient++: -My store (machine) -Root store -CA store -Auth store -SharePoint store You can specify number of days before expiring, and threshold for warning / critical All known already expired certificate in store, provided by Microsoft on all Windows Server 2003 / 2008 / 2012 are ignored

Project Details

Current Version

0.1

Last Release Date

2013-05-04

Owner

Mathieu Chateau

Website

http://www.lotp.fr

License

GPL

Compatible With

Nagios 3.x

Project Files

File	Description
lotp_check_certificates.ps1_-2.txt

Project Notes

Check installed certificates in Windows store using powershell through NRPE / nsclient++:

-My store (machine)
-Root store
-CA store
-Auth store
-SharePoint store

You can specify number of days before expiring, and threshold for warning / critical

All known already expired certificate in store, provided by Microsoft on all Windows Server 2003 / 2008 / 2012 are ignored

###############################################
Tested Setup:

Monitoring Box:
-Centos 6.4 x64
-Nagios 3.4.4
-check_nrpe 2.13
-Centreon 2.4.2
-nsclient++ 0.4.1 x64 & x86
-Windows Server 2003 / 2008 R2 / 2012
-tested on both Core & GUI Servers

###############################################
Scripts arguments
The script accept eight arguments:
-checkMyStore (true by default)
-checkRootStore (true by default)
-checkCAStore (true by default)
-checkAuthRootStore (true by default)
-checkSharePointStore (true by default)
-expireInDays (60 by default)
-maxWarn (Warning if above)
-maxCrit (Critical if above)

###############################################
Local execution example:

PS C:Program FilesNSClient++scripts> . .lotp_check_certificates.ps1 $true $true $true $true $true 60 0 0
CRITICAL: *.mydomain.net:2013/06/05
PS C:Program FilesNSClient++scripts>

NRPE execution:
[root~]# /usr/lib64/nagios/plugins/check_nrpe -H myserver -n -c check_certificate -a $true $true $true $true $true 60 0 0
CRITICAL: *.mydomain.net:2013/06/05
[root~]#

###############################################
Installation:
On Windows Servers:
-copy script in folder C:Program FilesNSClient++scripts
-enable powershell script execution without signed : Set-ExecutionPolicy RemoteSigned
-Add to nsclient.ini:
[/settings/external scripts/wrapped scripts]
check_certificate=lotp_check_certificate.ps1 $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$

###############################################
Configuration:

For example, on Centreon:
-Add a new command:
$USER1$/check_nrpe -H $HOSTADDRESS$ -t 60 -n -c check_certificate -a $ARG1$ $ARG2$ $ARG3$ $ARG4$ $ARG5$ $ARG6$ $ARG7$ $ARG8$

Then add monitoring filling the ARGS. (using $$true and $false to escape correctly).

User Reviews (1)

March 31, 2014

-maxWarn -maxCrit not useful for my use

by: FlynJets

The -maxWarn & -maxCrit parameters aren't described well in my opinion. They are the number of certs that are expired or will expire. so -maxWarn 1 -maxCrit 2 will give you a warning if 1 cert will expire or a critical if 2 or more certs are expiring.

I'm more interested in setting the number of days ahead of expiration for my warning and critical alerts.

Add a Review

You must be logged in to submit a review.