question

shankar431-9012 asked StoyanChalakov edited

How many days before expiry of the certificates can be checked on the servers which are in untrusted domain servers

Hi All,

We need to monitor the certificates which are in untrusted Domain servers with no Gateway servers.

Monitor: Expiration Check of Certificate Used for Authentication
Management Pack: System Center Core Monitoring
Monitor Target: Health Service


We wanted to know how many days before certificate expiry this monitor generates an alert.
Nowhere in the monitor properties is it mentioned when this monitor will trigger an alert.

It monitors the parameters below.

Log name: Operations Manager
Monitors the Event ID: 21020
Event Source: OpsMgr Connector

We are using SCOM 2012 R2

Regards,
Ravi shankar

msc-operations-manager

RogerXue-3369 answered shankar431-9012 commented

Monitor: Expiration Check of Certificate Used for Authentication

This is a default monitor for the certificate used for mutual authentication. In order to monitor untrusted domain servers without a gateway server, you need to deploy a certificate to each untrusted domain machine and install the agent. For how to monitor non-domain members with OM 2012, please refer to

https://docs.microsoft.com/en-us/archive/blogs/stefan_stranger/monitoring-non-domain-members-with-om-2012


Roger

Hi RogerXue,

Any idea how many days before the certificate expiry this monitor generates an alert?

Regards,
Ravishankar

StoyanChalakov answered

Hi @shankar431-9012,

this monitor is based on events:

Microsoft.SystemCenter.HealthService.CommunicationCertificateExpirationCheck (UnitMonitor)
https://systemcenter.wiki/?GetElement=Microsoft.SystemCenter.HealthService.CommunicationCertificateExpirationCheck&Type=UnitMonitor&ManagementPack=Microsoft.SystemCenter.2007&Version=7.0.9538.0

so it does not check the certificate expiration date, but it does look for related events and, when those are logged, it alerts.

I hope I was able to help.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Regards,
Stoyan



CyrAz answered StoyanChalakov edited

As Stoyan said, this monitor is based on events and unfortunately it's not very clear as to when/how long in advance that event is generated.
A better solution could be to use the PKI MP, which can monitor expiration of all the certificates in your (Windows) environment and for which the threshold can be adjusted: https://blog.topqore.com/new-version-pki-certificates-monitoring-pack-for-scom/


I totally forgot about this, nice one, Cyril!

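As an added example (not part of any post in this thread, and not code from SCOM or the PKI MP): a PowerShell check, run locally on the untrusted-domain server, that reports days until expiry for certificates in the local machine store and lists recent occurrences of the event the built-in monitor watches. The 30-day threshold and the store path are assumptions; the log name, source and event ID are the ones given in the question.

```powershell
# Added example. $WarnDays is an assumed threshold, not a SCOM default.
$WarnDays = 30
$Store    = 'Cert:\LocalMachine\My'   # assumed store holding the agent certificate

function Get-CertExpiryStatus {
    param([string]$Store, [int]$WarnDays)
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $Store) {
        # Whole days remaining; negative once the certificate has expired.
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = 'OK'
        if ($daysLeft -lt 0) { $state = 'Expired' } elseif ($daysLeft -le $WarnDays) { $state = 'Warning' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
        }
    }
}

function Get-CertEvent21020 {
    # Same log, source and event ID the question lists for the built-in monitor.
    $filter = @{
        LogName      = 'Operations Manager'
        ProviderName = 'OpsMgr Connector'
        Id           = 21020
    }
    # Get-WinEvent raises an error when nothing matches; suppress it and return nothing.
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Certificates closest to expiry first.
Get-CertExpiryStatus -Store $Store -WarnDays $WarnDays |
    Sort-Object DaysLeft |
    Format-Table Subject, NotAfter, DaysLeft, State -AutoSize

$events = @(Get-CertEvent21020)
if ($events.Count -eq 0) {
    Write-Output 'No event 21020 from OpsMgr Connector in the Operations Manager log.'
} else {
    $events | Format-List
}
```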