Notify users of cert expiration…


A recent mail thread asked about querying for certificates that are about to expire and notifying their users.

You could do it a few ways: run some kind of service or logon script on the clients that tracks the certificate stores and cert data, or query the CA database directly for certs that are about to expire.

I thought it would be easiest to get the information directly from the CA. You can use the ICertView2 interface, specifically EnumCertViewColumn.

You can obtain the DB schema info via "certutil -view" and then play with the GetColumnIndex call below.

I ended up with something like this. It is not quite finished, as you can see: the error checks and the mail function are missing, but those are easy enough. The less documented part is already done and you can build off of that.

have fun!

spatdsg

Const CV_OUT_BASE64 = &H1

'THIS IS THE <Machinename>\CAName
CAName = "MyMachine\SpatCA"     '=======>> CHANGE THIS TO THE CORRECT MACHINE\CA==

'create the CAView object
Set oCAView = CreateObject("CertificateAuthority.View.1")

'open the connection to the Machine\CA
oCAView.OpenConnection CAName

'retrieve specific columns from the DB (column names come from the schema)
oCAView.SetResultColumnCount 3
Index0 = oCAView.GetColumnIndex(False, "CommonName")
Index1 = oCAView.GetColumnIndex(False, "Email")
Index2 = oCAView.GetColumnIndex(False, "NotAfter")

oCAView.SetResultColumn Index0
oCAView.SetResultColumn Index1
oCAView.SetResultColumn Index2

'open the view
Set RowObj = oCAView.OpenView

'walk every row (one per request) and every selected column
Do Until RowObj.Next = -1

    Set ColObj = RowObj.EnumCertViewColumn()

    Do Until ColObj.Next = -1
        WScript.Echo ColObj.GetValue(CV_OUT_BASE64) & vbCrLf
        'insert logic for checking the date against
        'current and if near\past send mail.
        'see http://www.paulsadowski.com/WSH/cdo.htm
        'for a number of examples of mail send info
        'Obviously you may want to use the cert email
        'attribute to send the mail
    Loop

    Set ColObj = Nothing

Loop
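
The date check the script leaves as a TODO can be pushed into the query itself with SetRestriction, so the CA only returns issued certificates expiring inside a window. This is an added PowerShell example driving the same CertificateAuthority.View COM object, not the post's own script; the CA name, the 30-day window and the report-only output (no mail step) are assumptions.

```powershell
# Added example: list issued certificates in the CA database that expire within
# the next $Days days, using the same ICertView2 COM object as the script above.
# $CAName and $Days are assumptions; replace them for your environment.
param(
    [string]$CAName = 'MyMachine\SpatCA',   # <Machinename>\CAName
    [int]$Days      = 30
)

# Constants from certview.h
$CVR_SEEK_EQ    = 0x1
$CVR_SEEK_LE    = 0x4
$CVR_SEEK_GE    = 0x8
$CVR_SORT_NONE  = 0
$CV_OUT_BASE64  = 0x1
$DB_DISP_ISSUED = 20          # Disposition value of an issued certificate

$view = New-Object -ComObject 'CertificateAuthority.View'
$view.OpenConnection($CAName)

# Column indexes come from the DB schema (see certutil -view)
$colDisp     = $view.GetColumnIndex($false, 'Disposition')
$colNotAfter = $view.GetColumnIndex($false, 'NotAfter')
$colCN       = $view.GetColumnIndex($false, 'CommonName')
$colEmail    = $view.GetColumnIndex($false, 'Email')

# Restrictions are ANDed: issued certs whose NotAfter lies in [now, now + $Days]
$now = Get-Date
$view.SetRestriction($colDisp,     $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_ISSUED)
$view.SetRestriction($colNotAfter, $CVR_SEEK_GE, $CVR_SORT_NONE, $now)
$view.SetRestriction($colNotAfter, $CVR_SEEK_LE, $CVR_SORT_NONE, $now.AddDays($Days))

# Only pull back the columns the notification needs
$view.SetResultColumnCount(3)
foreach ($idx in $colCN, $colEmail, $colNotAfter) { $view.SetResultColumn($idx) }

$rows = $view.OpenView()
while ($rows.Next() -ne -1) {
    $cols = $rows.EnumCertViewColumn()
    $rec  = @{}
    while ($cols.Next() -ne -1) {
        $rec[$cols.GetName()] = $cols.GetValue($CV_OUT_BASE64)
    }
    # A mail step (Send-MailMessage or CDO) would go here; this only reports.
    # Caveat: a subject that already renewed still has its old cert in the DB,
    # so dedupe by CommonName if you only want to alert on the newest cert.
    '{0,-30} {1,-30} expires {2:yyyy-MM-dd}' -f $rec['CommonName'], $rec['Email'], $rec['NotAfter']
}
```

Run it on the CA (or a host with the CA admin tools) under an account that has Read permission on the CA; it reads the database only and changes nothing.
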
Comments (4)

  1. Nick says:

    Hey,

    How would you connect to the MS 2003 Cert server in PowerShell?

  2. SpatDSG says:

    Not being a PS guy, I am not sure of that one. Can you use ICertView from C#? If so, can't PS call it as well?

    This may be a start:

    http://www.winserverkb.com/Uwe/Forum.aspx/windows-cryptography/243/Read-certificates-in-CA-from-NET

  3. Sam says:

    Thanks for this great script!

  4. PT says:

    Would you have something that runs client side, independent of any connection to a CA? Or can you point me? Thank you.