Forum Discussion

Dominique
5 years ago

How to get the Certificate Common Name (FQDN) in the alerts description

Hello,

I am using the two scripts from Cole McDonald:

On 8/22/2019 at 9:11 AM, Cole McDonald said:

I've lightened the load slightly on the winCertCheck (which is technically no longer the same DS, as I've replaced the entirety of the scripts with simplified .NET-based PowerShell scripts to avoid using invoke-command, which tends to lead to some resource constraint issues). This should help though; it will keep the same instances alive from the old code, as the output is identical to the previous version by @Jonathan Arnold:

##--------------- Discovery ------------------##
$readOnly     = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$localMachine = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
$store        = new-object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\root", $localMachine )

$store.Open( $readOnly )

# One line per instance, in LogicMonitor's wildvalue##wildalias##description form.
# X509Certificate2 has no CommonName property; GetNameInfo(SimpleName) returns the subject CN.
$store.Certificates `
| ForEach-Object {
	$cn = $_.GetNameInfo( [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false )
	$_.Thumbprint + "##" + $_.Thumbprint + "##" + $_.Subject + " " + $cn
}

$store.Close()
##--------------------------------------------##
##-------------- Counters --------------------##
$readOnly     = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$localMachine = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
$store        = new-object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\root", $localMachine )

$store.Open( $readOnly )

# Select the instance by its wildvalue (the thumbprint) and emit the days until NotAfter.
$store.Certificates `
| Where-Object {($_.Thumbprint -like "##WILDVALUE##")} `
| Select-Object @{
	Name       = "DaysUntilExpire"
	Expression = {((Get-Date -Date $_.NotAfter) - (Get-Date)).Days}
} `
| Format-List

$store.Close()
##--------------------------------------------##

(please note the line continuations to help readability of the code)

As always, neither I nor Beyond Impact warranty this code.  It's working in our environment, I can't guarantee it'll work in yours.  This doesn't account for anything that needs credentials other than what the collector uses.

==========================================================================================================================

But when testing them on a current alert

I could not get the correct common name displayed... and I do not see the certificate listed in the alert in the list of certificates produced by the script...

I might have missed something!!!

Thanks,

Dom


  • Thanks for your patience Stuart... 

    I found the location

    ##$store        = new-object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\root", $localMachine )##
    $store        = new-object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\my", $localMachine )

    Now I have the good certificate listed... I need to add, as you said, the expiration date to combine both...

    Thanks,

    Dom

  • Thanks Stuart,

    The source of the question I am trying to resolve is coming from the datasource called "SSLCerts-" (displayname="SSL Certificate Expiration") which is incomplete and missing data (missing the "Common Name") for our team to be able to use it.

    The DS "_SSL_Certificates" has been created to try to collect the information needed like the “common name”. I used this one as it seems simpler to use and update than “SSLCerts”, I might be wrong, let me know.

    So the SSLCerts- DS is fine as is, and for testing I didn't want to touch it, as it is already active in Production even if it is incomplete so far.

    I am writing _SSL_Certificates as a replacement for SSLCerts- or as an addition to it, to provide more information.

    I will check for this error I did not see; thanks for pointing it out, the one causing the "No Data" error on collection.

    The output is not enough for our technicians, as they need the common name to be able to renew the certificate; this is a company requirement.

    I need the Common Name to be displayed as well as the Days before expiration; both fields need to be there.

    If it is possible to add the "Common Name" to the DS "SSLCerts-" directly, it is fine with me, but I could not get it; that is why I went to the "_SSL_Certificates" DS, which looks like it will be able to display the "Common Name", and then I will adjust it to get the expiration date as well.

    Thanks,
    Dom


  • Anonymous

    Yeah, I think you're getting your DataSources crossed. The one from your screenshot is called "SSLCerts-" (displayname="SSL Certificate Expiration"). That DS is not a scripted DS, so the changes you are making to the scripted DS "_SSL_Certificates" will not impact the alerts opened by "SSLCerts-". 

    The SSLCerts- DS isn't meant to check all certs on a system, just those that are presented on a live web service discovered when the collector probes the TCP ports 443, 465, 636, and 5671. 

    Took a peek at your account and it looks like the current version of the script stores the CN as the WildAlias, which is perfectly fine (and probably preferable to what you were showing in your screenshot above).  Let's talk about assumptions...

    I assume that you are writing _SSL_Certificates as a replacement for SSLCerts-. 
    I assume that you can fix the script error that is currently causing the "No Data" error on collection.

    Given those two assumptions, the output of your collection script should look something like this (actual values made up):

    Days: 25

    (Technically there are other simpler ways that you could output your data, but this way leaves the door open to adding more datapoints later on if desired.)


    Your datapoint "CommonName" doesn't need to exist. Instead, you need to create a datapoint and the key would be "Days".  You'd need to set a threshold on this datapoint so alarms open.

    When an alert opens, you'd have the instance name in the alert, which is currently set to the CN. 
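    Putting the two assumptions above together, here is an added example (my own illustration, not Cole McDonald's script and not a LogicMonitor-supplied DataSource) of what the discovery and collection halves of such a scripted DS could look like once the Common Name is carried as the WildAlias and the only numeric datapoint is "Days". It reads from the "My" store that Dom switched to (an assumption for this example; Cole's original used "root"), uses the ##SYSTEM.SYSNAME## and ##WILDVALUE## tokens already shown in this thread, and the function names (Open-CertStore, Get-CertCommonName, Get-DiscoveryLines, Get-CollectionLines) are my own.

```powershell
# Added example, not code from the thread or from LogicMonitor. Discovery emits
# thumbprint##CN##subject so the CN becomes the instance name shown in alerts;
# collection emits the single "Days: N" line the "Days" datapoint is keyed on.
# Store name "My" is an assumption; ##SYSTEM.SYSNAME## / ##WILDVALUE## are the
# LogicMonitor token substitutions used earlier in this thread.

$X509 = 'System.Security.Cryptography.X509Certificates'

function Open-CertStore {
    param([string]$Computer, [string]$StoreName = 'My')
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object -TypeName "$X509.X509Store" -ArgumentList "\\$Computer\$StoreName", $location
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    return $store
}

function Get-CertCommonName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # X509Certificate2 has no CommonName property. SimpleName returns the subject CN
    # (falling back to the first DNS SAN or e-mail when the subject has no CN).
    return $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Get-DiscoveryLines {
    param([string]$Computer)
    $store = Open-CertStore -Computer $Computer
    try {
        # LogicMonitor discovery format: wildvalue##wildalias##description
        foreach ($cert in $store.Certificates) {
            $cn = Get-CertCommonName -Cert $cert
            if ([string]::IsNullOrEmpty($cn)) { $cn = $cert.Thumbprint }   # never leave the alias blank
            '{0}##{1}##{2} (expires {3:yyyy-MM-dd})' -f $cert.Thumbprint, $cn, $cert.Subject, $cert.NotAfter
        }
    } finally { $store.Close() }
}

function Get-CollectionLines {
    param([string]$Computer, [string]$Thumbprint)
    $store = Open-CertStore -Computer $Computer
    try {
        $cert = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false) | Select-Object -First 1
        # If the instance's certificate was removed, emit nothing: LogicMonitor then
        # shows "No Data" for that instance instead of a misleading zero.
        if ($null -eq $cert) { return }
        # Whole days until NotAfter; negative means the certificate has already expired,
        # so a threshold such as "< 30" on the "Days" datapoint catches both cases.
        'Days: {0}' -f [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    } finally { $store.Close() }
}

# Discovery script body in the DataSource:
#   Get-DiscoveryLines -Computer '##SYSTEM.SYSNAME##'
# Collection script body:
#   Get-CollectionLines -Computer '##SYSTEM.SYSNAME##' -Thumbprint '##WILDVALUE##'
# Local dry run against this machine's personal store:
Get-DiscoveryLines -Computer $env:COMPUTERNAME
```

    With the CN as the WildAlias, the alert's instance name already answers the renewal team's question, and the description carries the full subject plus the NotAfter date; the only datapoint that needs a threshold is "Days".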

  • Hello,

    I want to see the common name in the alert description but for now it is not displayed anywhere...

    Thanks,

    Dom

  • 2 hours ago, Stuart Weenig said:

    Are the alarms in your first screenshot coming from the right DS? Looks like that alarm is coming from "SSL Certificate Expiration". Is that the same DS you built?

    The common name is stored in the instance description right? If so, it should show up under the instance description in the alarm.

    1. Yes, the alarms are coming from the SSL Certificate Expiration DS.

    2. No, I did not see the common name anywhere in the current DataSource; that is why I was creating a new one with the script in this thread.

  • Anonymous

    Are the alarms in your first screenshot coming from the right DS? Looks like that alarm is coming from "SSL Certificate Expiration". Is that the same DS you built?

    The common name is stored in the instance description right? If so, it should show up under the instance description in the alarm.