Today I want to give an answer to a question I often get from customers: “We want an overview of all certificates in our environment (on Windows Servers) that are expiring within X days”.
This approach is based on this management pack: http://www.systemcentercentral.com/pack-catalog/pki-certificate-verification-mp/
The management pack discovers certificates on all servers (in specific certificate stores, if you want) and adds monitors to detect expiration, validity, etc. It also adds some views in the Monitoring pane of the SCOM console.
I wanted to provide a (daily) report to the customer showing the list of certificates expiring within X days. Therefore I created a custom group in SCOM containing all “critical” certificates, for example those issued by a specific CA. Afterwards I created a PowerShell script that uses the members of that group to build a report and mail it to the different stakeholders.
The report looks like this:
As you can see, the report shows at a glance when certificates will expire and on which server they are located. As this is fully custom, the layout, colours etc. can be set at will.
Mostly I choose to use red, orange and yellow to highlight the urgency in which the certificates need to be replaced.
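As an added example (not the author's script, which is not published in this post), the following PowerShell builds the colour-banded HTML expiry report described above and mails it. It assumes the local machine store as a stand-in data source via Get-CertificateInventory; in the SCOM variant the custom group's members would supply Server, Subject and NotAfter instead, and the SMTP settings are placeholders.

```powershell
# Added example, not the author's script. Turns certificate objects into the
# red/orange/yellow HTML report from the post and mails it. Assumption: the
# local machine store stands in for the SCOM group members; mail settings are placeholders.
param(
    [int]$WithinDays = 60,
    [string]$SmtpServer = 'smtp.example.invalid',
    [string]$From = 'scom-reports@example.invalid',
    [string[]]$To = @('pki-team@example.invalid')
)
function Get-CertificateInventory {
    # Stand-in data source; replace with the SCOM group query in your environment.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Server   = $env:COMPUTERNAME
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
        }
    }
}
function Get-UrgencyColour {
    param([int]$DaysLeft)
    # Same three bands as in the post; already-expired certs (negative days) are red.
    if ($DaysLeft -le 7)  { return '#f08080' }
    if ($DaysLeft -le 30) { return '#ffb347' }
    return '#fff59d'
}
function New-ExpiryReport {
    param([object[]]$Certificates, [int]$Days)
    $now  = Get-Date
    $rows = $Certificates |
        Select-Object Server, Subject, NotAfter,
            @{ n = 'DaysLeft'; e = { [int][math]::Floor(($_.NotAfter - $now).TotalDays) } } |
        Where-Object { $_.DaysLeft -le $Days } |
        Sort-Object DaysLeft |
        ForEach-Object {
            # HTML-encode the subject: it is data read from the certificate, not trusted markup.
            $subject = [System.Net.WebUtility]::HtmlEncode($_.Subject)
            "<tr style='background-color:$(Get-UrgencyColour $_.DaysLeft)'><td>$($_.Server)</td>" +
            "<td>$subject</td><td>$($_.NotAfter.ToString('yyyy-MM-dd'))</td><td>$($_.DaysLeft)</td></tr>"
        }
    if (-not $rows) { return $null }   # nothing expiring: caller skips the mail
    "<html><body><h3>Certificates expiring within $Days days</h3><table border='1'>" +
    "<tr><th>Server</th><th>Subject</th><th>Expires</th><th>Days left</th></tr>" +
    ($rows -join '') + "</table></body></html>"
}
$body = New-ExpiryReport -Certificates (Get-CertificateInventory) -Days $WithinDays
if ($body) {
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -BodyAsHtml -Body $body `
        -Subject "Certificate expiry report ($WithinDays days)"
}
```

Certificates that have already expired get a negative DaysLeft and are still listed (in red), which matches the point below about stale certificates staying discovered until they are removed from the server.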
Also keep in mind that after replacing certificates in e.g. IIS, the old certificates need to be deleted from the server(s) as well, because SCOM will keep discovering them as long as they remain there.
If you are interested in the script, please drop a comment below and I’ll be happy to assist.
Hope this helps!