Man, I wish I had a few of these certificates in my PKI infrastructure (portfolio)! Ever need to identify an expired certificate and/or delete it? Depending on UAC, AppLocker, and other settings, the delete portion may require logging on to the server.
Identify an expired certificate
A few ways to identify an expired certificate on servers.
Via RDP session to server
RDP to the server, open MMC > File > Add/Remove Snap-in > Certificates > Computer account
Via PowerShell
GCI Cert:\LocalMachine\*
The store name in the path above varies with where the certificate lives (My, Root, AuthRoot, CA, etc.); the wildcard lists everything under LocalMachine, so add NotAfter to the output to spot the expired ones.
NOTE: the SuperUser post in the Documentation section maps the PowerShell store names to the folder names shown in the MMC.
Via ‘smart’ PowerShell across multiple machines
Courtesy of Vance Cozier!
"server1","server2" | % { invoke-command $_ -scriptblock { $env:ComputerName; GCI Cert:\LocalMachine\* } }
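The one-liner above dumps every certificate on every server, which leaves you reading dates by eye. The following is an added example, not code from the original post, that runs the same remoting idea across several LocalMachine stores and returns only certificates that are already expired or expire within a warning window, keyed by thumbprint so the later delete step can target the exact object. It assumes PowerShell remoting is enabled on the targets, that the caller has local admin rights there, and that the server names, store list and warning window are placeholders to adjust.

```powershell
# Added example (not from the original post): inventory expired and soon-to-expire
# certificates across several LocalMachine stores on a list of servers.
# Assumptions: WinRM/PowerShell remoting enabled on targets, caller is local admin there,
# server names below are placeholders.
$Servers  = 'server1', 'server2'              # placeholder host names
$Stores   = 'My', 'Root', 'AuthRoot', 'CA'    # LocalMachine stores to inspect
$WarnDays = 30                                # also flag certs expiring within this window

$results = Invoke-Command -ComputerName $Servers -ErrorAction Continue `
    -ArgumentList $Stores, $WarnDays -ScriptBlock {
    param($Stores, $WarnDays)
    $now = Get-Date
    foreach ($store in $Stores) {
        # A store that does not exist on this host is skipped rather than aborting the run
        Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -lt $now.AddDays($WarnDays) } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer   = $env:COMPUTERNAME
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    DaysLeft   = [int]($_.NotAfter - $now).TotalDays   # negative = already expired
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# Expired certs sort to the top; Thumbprint is what to key on when deleting,
# not a Subject wildcard such as *GlobalSign*, which can match more than one cert.
$results | Sort-Object DaysLeft |
    Format-Table Computer, Store, DaysLeft, NotAfter, Subject, Thumbprint -AutoSize

# Keep a CSV as the change record before anything is removed
$results | Export-Csv -Path "$env:TEMP\expired-certs.csv" -NoTypeInformation
```

Hosts that are offline or reject the connection produce a non-terminating error and the rest of the run continues; check the CSV against the server list so a missing host is not mistaken for a clean one.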
Via Monitoring for expired certificates
Using SCOM Certificate Monitoring or PKI monitoring management packs
Identify Expired certificates
Console navigation steps:
From SCOM console > Monitoring Tab
Expand PKI folder > Expand Certificates and CRLs folder
Click on 'Certificates – Expired' state view
Did you know
You can run PowerShell commands against agents directly from the console using Kevin Holman's SCOM Management pack (see his blog; the pack is a GitHub download)
Run PowerShell from Monitoring tool
From SCOM console > Monitoring Tab > SCOM Management folder > SCOM Agents
Highlight agent(s)
From Tasks Pane > click on ‘Execute any PowerShell’ task
On the pop-up window, click Override
Adjust timeout to 70 (seconds)
Override the command line parameter with one of the following
Run the following commands (examples for several certificate stores; these list the expired certificates, deletion comes later)
Personal Certificates folder
Get-ChildItem Cert:\LocalMachine\My | ? { (( $_.Subject -like "*GlobalSign*" ) -OR ( $_.Issuer -like "*GlobalSign*" )) -and $_.NotAfter -lt (get-date) } | fl Subject,Issuer
Trusted Root folder (note this one has no NotAfter test, so it lists every GlobalSign root, expired or not; add the same date filter as the other two if you only want expired ones)
Get-ChildItem Cert:\LocalMachine\Root | ? { ( $_.Subject -like "*GlobalSign*" ) -OR ( $_.Issuer -like "*GlobalSign*" ) } | fl Subject,Issuer
Third Party Root
Get-ChildItem Cert:\LocalMachine\AuthRoot | ? { (( $_.Subject -like "*GlobalSign*" ) -OR ( $_.Issuer -like "*GlobalSign*" )) -and $_.NotAfter -lt (get-date) } | fl Subject,Issuer
Click OK button to close Overrides window
Click OK to run task
View task output
PS C:\Users\admin> Get-ChildItem Cert:\LocalMachine\Root | ? { ( $_.Subject -like "*GlobalSign*" ) -OR ( $_.Issuer -like "*GlobalSign*" ) } | fl Subject,Issuer
Subject : CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Issuer : CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA – R2
Issuer : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA – R2
Once task completes, go back to the Certificates state view > highlight the certificate > Click the Rediscover Certificates task
Delete PKI certificates
After identifying the exact certificate (thumbprint) and the store folder it lives in:
- Verify backup of certificate
- Test the delete via the PowerShell window from SCOM (run it once with -WhatIf appended to see what would be removed before running it for real)
Get-ChildItem Cert:\LocalMachine\AuthRoot | ? { (( $_.Subject -like "*GlobalSign*" ) -OR ( $_.Issuer -like "*GlobalSign*" )) -and $_.NotAfter -lt (get-date) } | Remove-Item -DeleteKey
NOTE: without the NotAfter test the filter would also remove GlobalSign roots that are still valid and break chain building for anything issued under them. Also, AuthRoot is populated by the Windows Automatic Root Certificates Update mechanism, so a root deleted there can be put back on the next update; the delete is clean-up, not a way to distrust a root.
- Verify Task output shows certificate deleted
- Refresh the MMC Certificates snap-in and the folder in question to verify the certificate is gone
- Go back to SCOM Console Monitoring Tab
- Expand PKI folder
- Expand Certificates and CRLs folder
- Click on Certificates – Expired state view
- In Tasks pane on right, click on Rediscover certificates task, Click OK to run
- Open Health Explorer and reset monitor to clear alert
Alternatively, reset the monitor with PowerShell on the SCOM management server (MS), using the logic from the blog post.
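The delete steps above are manual checks stitched around a one-liner. The following is an added example, not code from the original post, that turns them into one script: it refuses to remove a certificate that is still valid, backs the certificate up before touching the store, previews the removal with -WhatIf, deletes by thumbprint rather than by Subject wildcard, and verifies the store afterwards. It assumes an elevated PowerShell on the server (or the SCOM 'Execute any PowerShell' task), and the thumbprint and backup folder are placeholders to replace with values from your own inventory.

```powershell
# Added example (not from the original post): safe removal of one expired certificate.
# Assumptions: elevated PowerShell on the server; $Thumbprint and $BackupDir are placeholders.
$Store      = 'AuthRoot'
$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder, 40 hex chars
$BackupDir  = 'C:\CertBackup'

$certPath = "Cert:\LocalMachine\$Store\$Thumbprint"
$cert = Get-Item -Path $certPath -ErrorAction Stop      # fails fast if the thumbprint is wrong

# Guard 1: never delete a certificate that is still valid. Removing a live root or
# intermediate breaks chain building for everything issued under it.
if ($cert.NotAfter -ge (Get-Date)) {
    throw "Refusing to delete: '$($cert.Subject)' is valid until $($cert.NotAfter)."
}

# Guard 2: a backup must exist before the store is touched. Root/intermediate entries
# carry no private key, so a DER export of the public certificate is the whole object.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir "$Store-$Thumbprint.cer"
Export-Certificate -Cert $cert -FilePath $backupFile -Type CERT | Out-Null
if (-not (Test-Path $backupFile)) { throw "Backup failed, aborting." }

# Dry run: prints the 'What if: Performing the operation "Remove Item"' line only.
Remove-Item -Path $certPath -WhatIf

# Real deletion. -DeleteKey also removes the private key container when one exists
# (Personal/My store); it is harmless for public-only CA certificates.
Remove-Item -Path $certPath -DeleteKey

# Verify: the path must no longer resolve in the store.
if (Test-Path $certPath) { throw "Certificate still present after delete." }
Write-Output "Removed '$($cert.Subject)' from LocalMachine\$Store (backup: $backupFile)"
```

Keying on the thumbprint is the point: a Subject match such as *GlobalSign* can hit several roots in the same store, and a script that deletes whatever matched is exactly the kind of task you do not want fired at a batch of agents from the console.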
Documentation
SCOM Certificate monitoring TechCommunity blog https://techcommunity.microsoft.com/t5/system-center-blog/scom-management-pack-for-certificate-monitoring/ba-p/3619299
Download SCOM Certificate monitoring pack https://www.microsoft.com/en-us/download/details.aspx?id=104858
Long-standing PKI certificate pack and blog https://blog.topqore.com/new-version-pki-certificates-monitoring-pack-for-scom/
Identify certificate stores to windows folders https://superuser.com/questions/217719/what-are-the-windows-system-certificate-stores
STIG finding V-69223 https://www.stigviewer.com/stig/zos_tss/2016-06-30/finding/V-69223