PKI Certificate Monitoring through SCOM
A few weeks back I got a request from our Lync Application team: they were getting bulk Certificate expiration alerts for their Lync Application modalities 45 days before the Certificate expiry date.
They wanted to reduce the Certificate expiry threshold from 45 days to 30 days. They also asked whether the alert count could be reduced.
I checked the Lync 2013 Management Pack and found it has a lot of Rules that read the Event IDs for the Certificate expiration of the different Lync modalities under Lync Events and generate Certificate expiration alerts for all those Lync Application modalities 45 days before the Certificate expiry.
I also checked the application Certificate location; the certificates were present under the Personal folder.
I decided to monitor Certificates under the Personal folder with the conditions below:
1: Send a Warning alert with High priority 30 days before the Certificate expiration date.
2: Send a Critical alert when the Certificate expires.
The System Center Central team has provided a wonderful Management Pack that can monitor PKI Certificates.
The Management Pack can be downloaded from here: DOWNLOAD
You can get more information regarding the Management Pack here: PKI Certificate Verification Management Pack for SCOM 2012
So, you have downloaded the Management Pack; what’s next?
Let’s import and configure the Management Pack so we may start the Certificate monitoring.
1: Open SCOM Console and click on Administration.
2: Right click Management Packs and select Import Management Packs option.
3: Click on Add button and select the SystemCenterCentral.Utilities.Certificates.mpb file.
4: Click on Import button to start the import.
For general instructions about importing a management pack, refer to How to Import an Operations Manager Management Pack.
After a successful import, the Management Pack should appear under Management Packs with the name PKI Certificate Validation V2.
Discovery of Certificate stores is disabled by default, so we need to enable the Discovery of local computer’s certificate store “My / Personal” (registry) to start the monitoring.
1: In the Authoring Pane, expand Management Pack Objects and click Object Discoveries.
2: On the Operations Manager toolbar, click Scope and search for Certificate Store to include only Certificate Store objects.
3: Click OK to continue.
4: Right click the Discovery of local computer’s certificate store “My / Personal” (registry) Certificate Store discovery.
5: Click Overrides, click Override the Object Discovery and then click For a specific object of class: Health Service.
Note: You can enable this Certificate Store discovery for a Group or for all monitored objects as well by selecting the For a group or For all objects of class: Health Service option.
6: Search for the specific server for which monitoring needs to be enabled.
7: Click OK to continue.
8: Set the Override Value to True.
9: Under Management Pack, click New to create an unsealed version of the Management Pack and then click OK, or select an unsealed Management Pack that you previously created in which to save this override.
As a best practice, you should not save overrides to the Default Management Pack.
10: Click OK to save the changes.
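The same discovery override can be created from the Operations Manager PowerShell module instead of the console. The script below is an added example and is not part of the original post or of the PKI Certificate Validation Management Pack; the agent name, the unsealed Management Pack name and the wildcard used to match the discovery display name are assumptions you need to adjust for your environment.

```powershell
# Added example (not the original post's or the Management Pack's own code).
# Assumes the OperationsManager module is installed (Operations console or
# management server) and that the session is connected to the management group.
Import-Module OperationsManager

$agentName = 'server01.contoso.local'      # assumed FQDN of the agent to enable
$mpName    = 'PKI Certificate Overrides'   # assumed unsealed MP created for these overrides

# Match the discovery by its display name as shown in the Authoring pane.
# A wildcard avoids having to reproduce the typographic quotes in the name.
$discovery = Get-SCOMDiscovery -DisplayName 'Discovery of local computer*certificate store*My / Personal*'
if (-not $discovery) { throw "Certificate store discovery not found; is the MP imported?" }

# Override "For a specific object of class: Health Service" for that agent only.
$healthServiceClass = Get-SCOMClass -Name 'Microsoft.SystemCenter.HealthService'
$target = Get-SCOMClassInstance -Class $healthServiceClass |
          Where-Object { $_.DisplayName -eq $agentName }
if (-not $target) { throw "No Health Service instance found for $agentName" }

# Save the override in the unsealed MP, never in the Default Management Pack.
$overrideMp = Get-SCOMManagementPack -DisplayName $mpName
if ($overrideMp.Sealed) { throw "$mpName is sealed; overrides need an unsealed MP" }

Enable-SCOMDiscovery -Discovery $discovery -Instance $target -ManagementPack $overrideMp
```

To enable the discovery for a group instead of a single agent, pass the group from Get-SCOMGroup to the -Group parameter of Enable-SCOMDiscovery in place of -Instance.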
After the override is saved, the Certificate store will be discovered automatically and will appear in the Monitoring pane under Certificate Stores Availability.
Discovery may take a few minutes to complete.
Now that the discovery is complete and we are getting alerts for Certificate expiration at the default threshold, it’s time to change the threshold values so that we get the alerts 30 days before Certificate expiration with High priority.
1: In the Authoring Pane, expand Management Pack Objects and click Monitors.
2: On the Operations Manager toolbar, click Scope and search for Certificate to include only Certificate objects.
3: Look for the Certificate Lifespan monitor.
4: Right click the Certificate Lifespan monitor, click Overrides and then click Override the Monitor.
5: Select For all objects of class: Certificate.
Note: You can apply this override for a Group of servers or a specific object as well by selecting the For a group or For a specific object of class: Certificate option.
6: Change the Alert Priority parameter value to High.
7: Change the Lifetime Threshold (days) from 21 to 30 days.
8: Click OK to save the changes.
Now, the next time you receive a Certificate expiration alert, it will come 30 days before the Certificate expiration and with High priority.
The Management Pack has the following limitations:
1: It doesn’t support Agentless monitoring.
2: The Operating System should have PowerShell 2.0 / .NET 2.0 installed.
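When validating that the 30-day override behaves as expected on a given server, it helps to evaluate the same two conditions locally against the Personal store. The script below is an added example, not code from the original post or from the Management Pack: it walks Cert:\LocalMachine\My, classifies each certificate as Critical (already expired), Warning (expiring within the Lifetime Threshold) or Healthy, and is written so it also runs on PowerShell 2.0, which the Management Pack requires. The store path and the 30-day threshold are parameters; nothing else is assumed.

```powershell
# Added example (not the original post's or the Management Pack's own code).
# Mirrors the two alerting conditions from the post:
#   Warning  -> certificate expires within $WarningDays (the Lifetime Threshold)
#   Critical -> certificate has already expired
function Get-CertificateLifespanState {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',  # the "My / Personal" store
        [int]   $WarningDays = 30                        # matches the override value
    )

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $daysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)

        if ($daysLeft -lt 0) {
            $state = 'Critical'
        } elseif ($daysLeft -le $WarningDays) {
            $state = 'Warning'
        } else {
            $state = 'Healthy'
        }

        # New-Object/-Property is used instead of [pscustomobject] so the
        # script stays compatible with PowerShell 2.0.
        New-Object -TypeName PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
        }
    }
}

# Show the store sorted by urgency; expired certificates come first.
Get-CertificateLifespanState -WarningDays 30 |
    Sort-Object DaysLeft |
    Select-Object State, DaysLeft, NotAfter, Thumbprint, Subject |
    Format-Table -AutoSize

# Non-zero exit code when anything is Warning or Critical, so the script can
# be used as a quick pre-check before relying on the SCOM alerts.
$problems = @(Get-CertificateLifespanState -WarningDays 30 |
              Where-Object { $_.State -ne 'Healthy' })
if ($problems.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it on the monitored server itself (the Management Pack reads the local store, and so does this script). Certificates reported as Warning here should have a matching Certificate Lifespan alert in the console once the override has propagated to the agent.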
Please go through the Management Pack Guide thoroughly before importing the Management Pack.