
Notify users of cert expiration...

A recent mail thread asked about querying for certs that are about to expire and notifying the users of this.

You could do it a few ways: run some kind of service or logon script on the clients that tracks the stores and cert data, or query the CA DB directly for certs about to expire.

I thought it'd be easiest to get the information directly from the CA. You can use the ICertView2 interface, specifically EnumCertViewColumn.

You can obtain the DB schema info via "certutil -view", then play with the GetColumnIndex call below.

I ended up with something like this. It's not quite finished, as you can see (the error checks and the mail function are missing), but that's easy enough. The less documented part is already done and you can build off of that.

have fun!

spatdsg


Option Explicit

Const CV_OUT_BASE64 = &H1

Dim CAName, oCAView, Index0, Index1, Index2, RowObj, ColObj

'THIS IS THE <Machinename>\CAName
CAName = "MyMachine\SpatCA" '=======>> CHANGE THIS TO THE CORRECT MACHINE\CA==

'create the CAView object
Set oCAView = CreateObject("CertificateAuthority.View.1")

'open the connection to the Machine\CA
oCAView.OpenConnection CAName

'retrieve specific columns from DB (column names as listed by "certutil -view")
oCAView.SetResultColumnCount 3
Index0 = oCAView.GetColumnIndex(False, "CommonName")
Index1 = oCAView.GetColumnIndex(False, "Email")
Index2 = oCAView.GetColumnIndex(False, "NotAfter")

oCAView.SetResultColumn Index0
oCAView.SetResultColumn Index1
oCAView.SetResultColumn Index2

'open the view
Set RowObj = oCAView.OpenView

'walk every row, then every requested column in that row
'(Next returns -1 when there is nothing left)
Do Until RowObj.Next = -1

    Set ColObj = RowObj.EnumCertViewColumn()

    Do Until ColObj.Next = -1
        wscript.echo ColObj.GetValue(CV_OUT_BASE64) & vbcrlf
        'insert logic for checking date to
        'current and if near\past send mail.
        'see https://www.paulsadowski.com/WSH/cdo.htm
        'for a number of examples of mail send info
        'Obviously you may want to use the cert email
        'attribute to send the mail
    Loop

    Set ColObj = Nothing

Loop

Set RowObj = Nothing
Set oCAView = Nothing
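The same ICertView query in PowerShell, with the date check that the script above leaves as a comment, as an added example that is not part of the original post. It assumes the CA admin COM components are registered on the host, an account with read access to the CA database, and a placeholder CA name; the SetRestriction call and its constants (CVR_SEEK_EQ, CVR_SORT_NONE, the issued-certificate Disposition value) are added here and are not taken from the post.

```powershell
# Added example (not from the original post): the same ICertView query in PowerShell,
# plus the "is it about to expire" check the VBScript leaves as a comment.
# Assumptions: run where the CA admin COM components (certadm.dll) are registered,
# by an account with read access to the CA database; the CA name is a placeholder.
$CAConfig = 'MyMachine\SpatCA'   # <Machinename>\CAName, change this
$WarnDays = 30                   # report certs expiring within this many days
$CV_OUT_BASE64  = 1
$CVR_SEEK_EQ    = 1              # ICertView::SetRestriction seek operator (assumed value)
$CVR_SORT_NONE  = 0
$DB_DISP_ISSUED = 20             # Request.Disposition of an issued certificate (assumed value)

$view = New-Object -ComObject 'CertificateAuthority.View.1'
$view.OpenConnection($CAConfig)

# Only look at issued certs; revoked, denied and pending rows would otherwise be reported too.
$view.SetRestriction($view.GetColumnIndex($false, 'Request.Disposition'),
                     $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_ISSUED)

# Same three columns as the VBScript ("certutil -view" lists the schema names).
$columns = 'CommonName', 'Email', 'NotAfter'
$view.SetResultColumnCount($columns.Count)
foreach ($name in $columns) {
    $view.SetResultColumn($view.GetColumnIndex($false, $name))
}

$rows = $view.OpenView()
$now  = Get-Date
$expiring = New-Object System.Collections.Generic.List[object]
while ($rows.Next() -ne -1) {
    $cols = $rows.EnumCertViewColumn()
    $rec  = @{}
    while ($cols.Next() -ne -1) {
        # GetName() gives the schema column name, GetValue() the cell value
        $rec[$cols.GetName()] = $cols.GetValue($CV_OUT_BASE64)
    }
    $daysLeft = ([datetime]$rec['NotAfter'] - $now).Days
    if ($daysLeft -le $WarnDays) {
        $expiring.Add([pscustomobject]@{
            CommonName = $rec['CommonName']
            Email      = $rec['Email']
            NotAfter   = $rec['NotAfter']
            DaysLeft   = $daysLeft       # negative means already expired
        })
    }
}
$expiring | Sort-Object DaysLeft | Format-Table -AutoSize
# For each row with an Email value, a Send-MailMessage call (SMTP details omitted)
# is the notification step the original script also leaves to the reader.
```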

Comments

  • Anonymous
    March 13, 2009
    Hey, how would you connect to the MS 2003 Cert server in PowerShell?

  • Anonymous
    June 29, 2009
    Thanks for this great script !

  • Anonymous
    September 20, 2010
    Would you have something that runs client side, independent of any connection to a CA? Or can you point me? Thank you.