Microsoft Lync Server and Microsoft Exchange Server utilize certificates to manage encryption and authentication. When certificates expire unexpectedly, network administrators are under pressure to resolve the problem quickly. Fortunately, most trusted Certificate Providers inform customers by email before certificates expire. But what happens when certificates are issued by an internal Microsoft Windows Certification Authority? If customers do not have a monitoring solution, such as Microsoft System Center Operations Manager, to provide status updates on certificate expirations, it is a real challenge to keep track of scheduled certificate expirations. The Certificate Expiration Alerter is a free tool that helps prevent unplanned certificate expirations.
Author: Fabian Kunz
Publication date: November 17, 2011
Product version: Windows Server 2003 CA, Windows Server 2008 CA, Windows Server 2008 R2 CA
The Certificate Expiration Alerter helps IT departments monitor the expiration status of all certificates issued by an internal Windows Server Certificate Authority (CA). When a certificate is about to expire, the Certificate Expiration Alerter sends an email notification with information about the certificate.
This allows the IT administrator to proactively take action and renew the certificates before they expire and prevent possible service downtimes. This article explains how to use this tool.
The Certificate Expiration Alerter is a command-line tool based on .NET Framework 2.0. The tool connects to a Windows Certification Authority (CA) specified as a command-line parameter and detects which certificates are scheduled to expire on the day specified by another command-line parameter. After running the tool, the administrator receives email notifications that identify which certificates are set to expire on that day. An optional regex parameter filters certificates by Common Name. The administrator must create a Scheduled Task to run the tool once per day.
This tool monitors internally issued certificates that are scheduled to expire. Armed with this information, the administrator can proactively take action to renew certificates before they expire.
This tool runs on Windows Server 2003, Windows Server 2008 or Windows Server 2008 R2. The Windows version is supported only in English and German. The minimum requirement to run the tool is .NET Framework 2.0.
CertExpAlerter is a command-line tool that supports the following parameters:
-m = SMTP server name or IP address to relay the notification message.
-s = sender’s email address in the format email@example.com.
-r = recipient’s email address in the format firstname.lastname@example.org. To supply multiple email addresses, use the delimiter ";".
-d = number of days ahead to check for certificate expiration.
-c = CA server path in the form “CAServerName\Common Name of the CA certificate”.
-f = regular expression to filter based on the certificate’s Common Name.
The common use case is Scenario 4. Before you create a Scheduled Task for this tool, first run Scenario 1 and Scenario 2. Scenario 1 (Test Email Receipt) validates that the tool can successfully send emails. Scenario 2 ensures that the user account used by the Scheduled Task has sufficient privileges to connect to the Windows CA. If both tests are successful, you can create the Scheduled Task.
Scenario 1: Test email receipt.
This command sends an immediate test email. This allows the administrator to verify that the tool can deliver certificate expiration notifications.
CertExpAlerter.exe -m SMTPServerName -s email@example.com -r firstname.lastname@example.org
Scenario 2: List all issued certificates.
This command lists all certificates issued by the CA, including their expiration information.
CertExpAlerter.exe -c "CAServer\Root CA"
Scenario 3: List all issued certificates scheduled to expire in x days.
This command lists all certificates scheduled to expire in exactly 15 days.
CertExpAlerter.exe -c "CAServer\Root CA" -d 15
Scenario 4: Send email notification that identifies certificates scheduled to expire in x days.
The administrator must create a Scheduled Task and run the tool on a daily basis. An email is sent to email@example.com if a certificate will expire in exactly 30 days.
CertExpAlerter.exe -m SMTPServerName -s firstname.lastname@example.org -r email@example.com -d 30 -c "CAServer\Root CA"
Scenario 5: Filter based on certificate Common Name.
To query certificates whose Common Name matches a specific regular expression, use the -f parameter. The parameter takes a regular expression (regex) and is not case sensitive. It can be used in any of the previously listed scenarios except Scenario 1 (Test email receipt).
This command returns all certificates with a Common Name that starts with the string PC.
CertExpAlerter.exe -c "CAServer\Root CA" -f "^PC"
This command returns all certificates with a Common Name that does NOT start with the string PC.
CertExpAlerter.exe -c "CAServer\Root CA" -f "^(?!PC)"
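As an added example that is not part of the CertExpAlerter tool or this article's original text, the following PowerShell script reproduces the Scenario 4 check (certificates expiring in exactly N days, optionally filtered by a Common Name regex, reported by email) using only certutil.exe and Send-MailMessage. It is useful for cross-checking what the tool reports, or for verifying that the Scheduled Task account can actually read the CA database. The CA config string, SMTP server and addresses are the placeholders used in the scenarios above; the month/day/year date format and the certutil column names are assumptions for a US-English CA host and may need adjusting for a German locale.

```powershell
# Added example: approximate CertExpAlerter Scenario 4 with built-in Windows tools.
# Assumptions: certutil.exe is on the path, the running account has "Read" permission
# on the CA, and the CA host uses a month/day/year short-date format.
param(
    [string]  $CAConfig   = 'CAServer\Root CA',              # same form as the tool's -c parameter
    [int]     $DaysAhead  = 30,                              # same meaning as -d
    [string]  $CNFilter   = '',                              # optional regex, same as -f
    [string]  $SmtpServer = 'SMTPServerName',                # -m
    [string]  $From       = 'firstname.lastname@example.org',# -s
    [string[]]$To         = @('email@example.com')           # -r
)

# One-day window so only certificates expiring on exactly that day match,
# mirroring the tool's "expire in exactly N days" behaviour.
$start = (Get-Date).Date.AddDays($DaysAhead)
$end   = $start.AddDays(1)
$fmt   = 'MM/dd/yyyy'   # assumption: US short-date format accepted by certutil -restrict

# Disposition 20 = issued certificate (revoked or denied requests are excluded).
$restrict = "Disposition=20,NotAfter>=$($start.ToString($fmt)),NotAfter<$($end.ToString($fmt))"
$raw = & certutil.exe -config $CAConfig -view -restrict $restrict -out 'RequestID,CommonName,NotAfter' csv
if ($LASTEXITCODE -ne 0) {
    throw "certutil failed (exit $LASTEXITCODE): check the -c value and CA permissions"
}

# Skip certutil's own header row and assign stable column names, then drop any
# status lines certutil appends (their first field is not a numeric request ID).
$rows = $raw | Select-Object -Skip 1 |
        ConvertFrom-Csv -Header 'RequestID', 'CommonName', 'NotAfter' |
        Where-Object { $_.RequestID -match '^\d+$' }

if ($CNFilter) {
    # Case-insensitive regex match on the Common Name, like the tool's -f parameter.
    $rows = $rows | Where-Object { $_.CommonName -imatch $CNFilter }
}

if (-not $rows) {
    Write-Host "No issued certificates expire on $($start.ToShortDateString())."
    return
}

# Build a plain-text report, one certificate per line.
$body = "Certificates issued by '$CAConfig' expiring on $($start.ToShortDateString()):`r`n`r`n" +
        (($rows | ForEach-Object { "RequestID {0}  CN={1}  NotAfter={2}" -f $_.RequestID, $_.CommonName, $_.NotAfter }) -join "`r`n")

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "Certificate expiration warning: $($rows.Count) certificate(s) in $DaysAhead day(s)" `
    -Body $body
Write-Host "Sent notification for $($rows.Count) certificate(s)."

# To run this check (or CertExpAlerter.exe itself) daily, register a Scheduled Task under a
# dedicated low-privilege account that has only Read access to the CA, for example:
#   schtasks.exe /Create /SC DAILY /ST 06:00 /TN "Certificate expiration check" `
#       /TR "powershell.exe -File C:\Tools\Check-CertExpiry.ps1" /RU DOMAIN\svc-certmon /RP *
# (path and account name are placeholders)
```

Running the script with -DaysAhead 15 and no -CNFilter is the equivalent of Scenario 3 plus an email; adding -CNFilter '^PC' reproduces the Scenario 5 filter. If certutil returns an access-denied error, the account lacks the Read permission on the CA that Scenario 2 is meant to confirm before the Scheduled Task is created.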
Figure 1 illustrates a listing of all certificates with their expiration date information (Scenario 2).
Figure 1. Querying certificates
Figure 2. Querying certificates with the optional filter parameter
The email notification contains information about each certificate that matches the optional filter and is scheduled to expire on the specified day (Scenario 4). This is illustrated in Figure 4.
Figure 4. Email notification
Monitoring solutions, such as System Center Operations Manager, provide administrators with advanced notification of scheduled certificate expirations. If you do not have an installed monitoring solution, however, CertExpAlerter offers an easy and free solution to monitor your certificates. Download the tool here: Certificate Expiration Alerter. Please reach out to me if you have further questions.
Keywords: Certificate, Expiration, Alerter, Expired, Expire, CA, Lync Server