Get-UnhealthyCertificateNagios
NAME Get-UnhealthyCertificateNagios
SYNOPSIS
Get-UnhealthyCertificateNagios checks the local certificate store or file system for
unhealthy SSL certificates.
SYNTAX
Get-UnhealthyCertificateNagios [[-ComputerName] <String>] [-returnStateOK <Int32>] [-returnStateWarning <Int32>]
[-returnStateCritical <Int32>] [-returnStateUnknown <Int32>] [-WarningDays <Int32>] [-CriticalDays <Int32>] [-Path
<String[]>] [-ExcludedThumbprint <String[]>] [-WarningAlgorithm <String[]>] [-CriticalAlgorithm <String[]>]
[-CriticalKeySize <Int32>] [-WarningKeySize <Int32>] [-Recurse] [<CommonParameters>]
DESCRIPTION
Get-UnhealthyCertificateNagios checks the local certificate store or file system for
unhealthy SSL certificates. Get-UnhealthyCertificate uses the Get-CertificateHealth
function from the CertificateHealth module to find certificates that have
expired or are expiring soon. It also checks for certificates using deprecated
or vulnerable signature algorithms.
This script is designed to work with NSclient++ and Nagios to output in a format
to be consumed by a Nagios monitoring server. Instructions for configuring the
NSclient++ and Nagios server check are included.
By default, the check examines the LocalMachine personal certificate store for
certificates expiring within 30-60 days. You can also check alternate certificate
paths by specifying a different $CertificatePath. You can adjust the amount
of days before a certificate is considered to be in a warning or critical state.
Pre-requisites:
* NSclient++ installed on Windows box.
* check_nrpe check configured on Nagios server.
Usage with NSClient++
---------------------
Add an external command to your nsclient.ini:
PSCheckCertificate=cmd /c echo Import-Module scripts\CertificateHealth\CertificateHealth.psm1 ; Get-UnhealthyCertificateNagios ; exit($lastexitcode) | powershell.exe -command -
To exclude certificates globally from monitoring, add their thumbprints to the
ExcludedThumbprint.txt at the root of the module and set your nsclient.ini as below:
PSCheckCertificate=cmd /c echo Import-Module scripts\CertificateHealth\CertificateHealth.psm1 ; Get-UnhealthyCertificateNagios -ExcludedThumbprint $ExcludedThumbprint ; exit($lastexitcode) | powershell.exe -command -
Create a nagios service check:
$USER1$/check_nrpe -H $HOSTADDRESS$ -u -t 90 -c $ARG1$
($ARG1$ = PSCheckCertificate)
PARAMETERS
-ComputerName <String>
Specify a remote computer or default to local computer.
Required? false
Position? 1
Default value $env:COMPUTERNAME
Accept pipeline input? true (ByPropertyName)
Accept wildcard characters? false
-returnStateOK <Int32>
Required? false
Position? named
Default value 0
Accept pipeline input? false
Accept wildcard characters? false
-returnStateWarning <Int32>
Required? false
Position? named
Default value 1
Accept pipeline input? false
Accept wildcard characters? false
-returnStateCritical <Int32>
Required? false
Position? named
Default value 2
Accept pipeline input? false
Accept wildcard characters? false
-returnStateUnknown <Int32>
Required? false
Position? named
Default value 3
Accept pipeline input? false
Accept wildcard characters? false
-WarningDays <Int32>
Specify the amount of days before the certificate expiration should be in
warning state.
Required? false
Position? named
Default value 60
Accept pipeline input? false
Accept wildcard characters? false
-CriticalDays <Int32>
Specify the amount of days before the certificate expiration should be in
critical state.
Required? false
Position? named
Default value 30
Accept pipeline input? false
Accept wildcard characters? false
-Path <String[]>
Required? false
Position? named
Default value Cert:\LocalMachine\My
Accept pipeline input? false
Accept wildcard characters? false
-ExcludedThumbprint <String[]>
Array of thumbprints of certificates that should be excluded from being checked.
Use this when a certificate is expired but you do not need
to be notified about it.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-WarningAlgorithm <String[]>
Array of algorithms that are deprecated.
Required? false
Position? named
Default value sha1RSA
Accept pipeline input? false
Accept wildcard characters? false
-CriticalAlgorithm <String[]>
Array of algorithms with known vulnerabilities.
Required? false
Position? named
Default value md5RSA
Accept pipeline input? false
Accept wildcard characters? false
-CriticalKeySize <Int32>
Required? false
Position? named
Default value 1024
Accept pipeline input? false
Accept wildcard characters? false
-WarningKeySize <Int32>
Certificates with key size less than this value and greater than the CriticalKeySize
will be considered warning.
Required? false
Position? named
Default value 2048
Accept pipeline input? false
Accept wildcard characters? false
-Recurse [<SwitchParameter>]
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Created by: Jason Wasser
Modified: 1/14/2016 10:17:58 AM
Version 1.5
Changelog:
v 1.5
* fixed - missing $WarningKeySize and $CriticalKeySize when calling Get-CertificateHealth
v 1.4
* Added key size check
v 1.3
* Script renamed to use PowerShell approved verb.
* Script now part of CertificateHealth module and uses associated functions.
v 1.2
* Added Hashing Algorithm to prepare for sha1 deprecation.
v 1.0
* Initial Script
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-UnhealthyCertificateNagios
Checks the computer personal certificate store for unhealthy certificates.
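How the documented thresholds could combine into a single Nagios state, as an added example that is not taken from the CertificateHealth module. `Get-SampleCertState`, the sample objects and their property names are hypothetical; inclusive boundaries and worst-state-wins aggregation are assumptions.

```powershell
# Added example (hypothetical helper, not the module's code). Defaults are the
# ones documented on this page; inclusive boundaries are an assumption.
function Get-SampleCertState {
    param(
        [Parameter(Mandatory=$true)] $Certificate,  # needs Thumbprint, NotAfter, Algorithm, KeySize
        [datetime] $Now = (Get-Date),
        [int] $WarningDays = 60,
        [int] $CriticalDays = 30,
        [string[]] $WarningAlgorithm = @('sha1RSA'),
        [string[]] $CriticalAlgorithm = @('md5RSA'),
        [int] $WarningKeySize = 2048,
        [int] $CriticalKeySize = 1024,
        [string[]] $ExcludedThumbprint = @()
    )
    # Excluded certificates never raise an alert.
    if ($ExcludedThumbprint -contains $Certificate.Thumbprint) { return 0 }

    $daysLeft = ($Certificate.NotAfter - $Now).TotalDays
    $state = 0
    if ($daysLeft -le $WarningDays -or
        $WarningAlgorithm -contains $Certificate.Algorithm -or
        $Certificate.KeySize -lt $WarningKeySize) { $state = 1 }
    # Critical conditions override warning ones.
    if ($daysLeft -le $CriticalDays -or
        $CriticalAlgorithm -contains $Certificate.Algorithm -or
        $Certificate.KeySize -le $CriticalKeySize) { $state = 2 }
    return $state
}

# Constructed sample data (not real certificates or thumbprints).
$now = Get-Date '2016-01-14'
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint='SAMPLE-0001'; NotAfter=$now.AddDays(200); Algorithm='sha256RSA'; KeySize=2048 }),
    (New-Object PSObject -Property @{ Thumbprint='SAMPLE-0002'; NotAfter=$now.AddDays(45);  Algorithm='sha256RSA'; KeySize=2048 }),
    (New-Object PSObject -Property @{ Thumbprint='SAMPLE-0003'; NotAfter=$now.AddDays(300); Algorithm='sha1RSA';   KeySize=1024 }),
    (New-Object PSObject -Property @{ Thumbprint='SAMPLE-0004'; NotAfter=$now.AddDays(-10); Algorithm='sha256RSA'; KeySize=2048 })
)

# SAMPLE-0004 is expired but excluded, so it does not affect the result.
$states = @($sample | ForEach-Object {
    Get-SampleCertState -Certificate $_ -Now $now -ExcludedThumbprint 'SAMPLE-0004'
})
$worst = [int]($states | Measure-Object -Maximum).Maximum
$label = @('OK', 'WARNING', 'CRITICAL', 'UNKNOWN')[$worst]
"{0}: per-certificate states = {1}" -f $label, ($states -join ',')
# A Nagios check would finish with: exit $worst
```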
RELATED LINKS
https://gallery.technet.microsoft.com/s ... h-b646aeff
Requires -Version 2.0