5

I'm using the Enterprise PKI snap-in to diagnose and check the health of an MSFT PKI system.

Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?

makerofthings7
  • 8,821
  • 28
  • 115
  • 196

2 Answers

4

No, PKIView.msc does not provide any automation means/capabilities. You have to write your own scripts. What I would suggest (sorry, no actual code, but a way to do this) is to consider the following plan and possible tools (assuming you will use Windows PowerShell):

  • enumerate all Enterprise Certification Authorities (by using the ICertConfig interface)
  • loop over each CA and retrieve the most recent CA Exchange certificate (ICertAdmin::GetCAProperty with CR_PROP_CAXCHGCERT in the PropId parameter)
  • use the X509Chain.Build() method to build the chain for each CA Exchange certificate. This will give you all certificates to examine.
  • loop over each certificate and use the CryptGetObjectUrl function to extract URLs from the CDP and AIA extensions.
  • use the Invoke-WebRequest cmdlet to attempt to download objects from the URLs gathered in the previous step.
  • report any failed downloads. If the download succeeds, you can set thresholds to warn about items about to expire or already expired.

There are a lot of ways, but I would go with this one (I'm planning to work on this next year, so it is possible).

And the last suggestion: if you are looking for a reliable solution, do not rely on certutil output parsing, because its output depends on a number of factors and may not be the one you expect.

Also, this task will be simplified if you use the PowerShell PKI module. This module already offers ways to enumerate Enterprise CAs, read CRLs in a managed way, retrieve CA Exchange certificates and so on.

update 26.12.2014: a PoC of the script is now available: Enterprise PKI (pkiview.msc) PowerShell Edition (PoC)

Crypt32
  • 6,414
  • 1
  • 13
  • 32
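The six-step plan above as one script, added here as an example and not the answer's own code (nor the PoC it links). It assumes PowerShell 7 on a Windows host with the ADCS COM interfaces reachable, CA web servers that return DER objects, regexes over the formatted CDP/AIA extensions in place of CryptGetObjectUrl, a System.Formats.Asn1 walk for the CRL's nextUpdate (no CRL class exists in .NET itself), and the certadm.h values for the CR_PROP_*/PROPTYPE_*/CR_OUT_* constants:

```powershell
# Added example (not code from either answer). Assumed: PowerShell 7 on Windows with the ADCS COM
# interfaces, CA web servers returning DER objects; CR_PROP_*/PROPTYPE_*/CR_OUT_* are the certadm.h values.
param([int]$WarnDays = 3)                                                 # warn this many days before expiry
$CR_PROP_CAXCHGCERTCOUNT = 14; $CR_PROP_CAXCHGCERT = 15; $PROPTYPE_LONG = 1; $PROPTYPE_BINARY = 3; $CR_OUT_BASE64 = 1
function Get-CaExchangeCertificate {
    # Steps 1-2: ICertConfig enumerates the Enterprise CAs; ICertAdmin2::GetCAProperty returns the newest CA Exchange cert.
    $cfg = New-Object -ComObject CertificateAuthority.Config; $admin = New-Object -ComObject CertificateAuthority.Admin
    if ($cfg.Reset(0) -eq 0) { return }                                    # Reset returns the number of CAs found
    do {
        $config = $cfg.GetField('Config')                                   # "CAServer\CA Common Name"
        $n = $admin.GetCAProperty($config, $CR_PROP_CAXCHGCERTCOUNT, 0, $PROPTYPE_LONG, 0)
        $b64 = $admin.GetCAProperty($config, $CR_PROP_CAXCHGCERT, $n - 1, $PROPTYPE_BINARY, $CR_OUT_BASE64)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    } while ($cfg.Next() -ge 0)
}
function Get-PkiUrl([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Step 3: the chain of the Exchange cert covers every issuing and root CA certificate.
    # Step 4: regexes over the formatted CDP/AIA extensions stand in for CryptGetObjectUrl; only caIssuers (...48.2) AIA entries count.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'                           # CRLs are fetched and judged by Test-PkiObject
    [void]$chain.Build($Cert)
    $patterns = @{ '2.5.29.31' = 'URL=(http[^\s,]+)'; '1.3.6.1.5.5.7.1.1' = '48\.2\)[^\[]*?URL=(http[^\s,]+)' }
    foreach ($c in $chain.ChainElements.Certificate) {
        foreach ($ext in $c.Extensions | Where-Object { $patterns[$_.Oid.Value] }) {
            $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
            foreach ($m in [regex]::Matches($ext.Format($true), $patterns[$ext.Oid.Value])) {
                [pscustomobject]@{ For = $c.Subject; Kind = $kind; Url = $m.Groups[1].Value }
            }
        }
    }
}
function Get-CrlNextUpdate([byte[]]$Der) {
    # RFC 5280: CertificateList > TBSCertList > [version] signature issuer thisUpdate nextUpdate (System.Formats.Asn1, .NET 5+)
    $tbs = [System.Formats.Asn1.AsnReader]::new($Der, 'DER').ReadSequence().ReadSequence()
    if ($tbs.PeekTag().TagValue -eq 2) { [void]$tbs.ReadInteger() }          # optional version INTEGER (v2 CRLs)
    [void]$tbs.ReadSequence(); [void]$tbs.ReadSequence()                      # signature AlgorithmIdentifier, issuer Name
    $times = foreach ($i in 1, 2) { if ($tbs.PeekTag().TagValue -eq 23) { $tbs.ReadUtcTime() } else { $tbs.ReadGeneralizedTime() } }
    $times[1].LocalDateTime                                                   # [0] thisUpdate, [1] nextUpdate
}
function Test-PkiObject($Item, [int]$WarnDays) {
    # Steps 5-6: fetch the object, read its expiry (NotAfter for certs, nextUpdate for CRLs), grade it against the threshold.
    try {
        [byte[]]$raw = (Invoke-WebRequest -Uri $Item.Url -ErrorAction Stop).Content
        $expires = if ($Item.Kind -eq 'AIA') { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw).NotAfter } else { Get-CrlNextUpdate $raw }
        $status = if ($expires -lt (Get-Date)) { 'EXPIRED' } elseif ($expires -lt (Get-Date).AddDays($WarnDays)) { 'EXPIRING' } else { 'OK' }
    } catch { $expires = $null; $status = "FAILED: $($_.Exception.Message)" }   # unreachable URL or unparsable object
    [pscustomobject]@{ Status = $status; Expires = $expires; Url = $Item.Url; For = $Item.For }
}
Get-CaExchangeCertificate | ForEach-Object { Get-PkiUrl $_ } | Sort-Object Url -Unique |
    ForEach-Object { Test-PkiObject $_ $WarnDays } | Format-Table -AutoSize
```

One row comes back per unique URL; anything other than OK is what PKIView would paint yellow or red, so that is where to hook Send-MailMessage or your monitoring system.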
-1

The MMC will show red/yellow icons when certain things are amiss, but it is an interactive console and does not have automation capabilities. I use PowerShell to invoke the CERTUTIL CLI command to check for expirations, and Invoke-WebRequest to test the availability of the AIA.

# Check every CRL in the CA's local CertEnroll share: pull the "Next CRL Publish" date out of the certutil dump
Get-ChildItem \\servername\certenroll\*.crl | ForEach-Object {
    $dump = certutil -dump $_.FullName | Out-String
    if ($dump -match "Next CRL Publish\r\n\s+(.*)") {
        $expire = [datetime]$matches[1]
        $expire
        # do some date math on $expire
        # send some email if about to expire
    }
}

# Check that the AIA object is reachable over HTTP
$aia = "http://pki.acme.com/acme.crt"
if ( (Invoke-WebRequest $aia).StatusCode -ne 200) {
    # not found, Send-MailMessage
}

Clayton
  • 4,483
  • 16
  • 24
  • This script does not deserve a discussion, unfortunately. Is it a big deal to read a local CRL, instead of from the actual distribution points, which are not the CertEnroll folder in most cases? And if there are multiple CDPs? What about downloading and checking whether the object in the AIA is not expired or is not about to expire? You can't reliably solve the requested task that easily. – Crypt32 Dec 04 '14 at 14:36
  • Provided as an example of what can be done to get him started, not a full-blown solution to monitor the entire PKI infrastructure. – Clayton Dec 04 '14 at 14:50
  • I accept your point, but still, this approach doesn't make sense. The main point is to fetch and examine CDP/AIA URLs from certificates/CRLs, not local files. There is no guarantee that local and HTTP objects are the same. A CA server can successfully publish files locally, but not remotely to a web server. The same with LDAP locations. I would agree with your point if you had mentioned that. – Crypt32 Dec 04 '14 at 15:14