Re: PKI - Manual Enroll - Auto Renewal - Possible?



Champion... thank you,

we have some scripting guys who can hopefully rustle something up. Perhaps
we can work out a way for this script to run against members of a group, the
same group which allows enrollment of the certificate.

Cheers for your help - it's appreciated!



"Paul Adare" wrote:

On Wed, 21 May 2008 22:34:00 -0700, DJH wrote:

we've only just picked this up in our test lab as certs have started to
expire, so we have a few weeks to find a workaround for production!

One solution would be to run a scheduled task on your web servers that
checks the certificate for expiration and then either fires off an email
notification to those responsible for performing the renewal, or, if you want
to get really fancy, you could also script the renewal. Here's an example
script to get you started and to show you the types of things you can do
with CAPICOM:

'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with days left to expiry
'**************************************************

Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

' Open the computer's personal ("MY") store read-only. Web server
' certificates live here, so run this elevated or as a scheduled task.
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY", CAPICOM_STORE_OPEN_READ_ONLY
' The subject-name find is a case-insensitive substring match; the third
' argument (bFindValidOnly = 0) keeps already-expired certificates in the list.
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display() 'If you want to see the Cert in UI
        WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & _
            Certificate.ValidToDate
        WScript.Echo "Days to expiry " & _
            DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
    ' MsgBox blocks when nobody is logged on; from a scheduled task run the
    ' script with cscript.exe so the output (and this usage text) goes to stdout.
    MsgBox "Usage: CertExpiryCheck.vbs [SubjectName] ", _
        vbInformation, "CertExpiryCheck"
    WScript.Quit(1)
End Sub
--
Paul Adare
http://www.identit.ca
To err is human; to really foul things up requires a computer.
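A present-day version of the check Paul describes, added here as an example and not part of the original thread or of Paul's script: PowerShell against the built-in Cert: drive (CAPICOM is long deprecated), with the three actions the post lists - report days left, e-mail the owners when a certificate is inside the warning window, and optionally renew it in place with certreq. The subject, SMTP relay, mailbox and script path are placeholders; the renewal needs the computer to still hold Enroll on the template (the same group membership DJH mentions).

```powershell
# CertExpiryCheck.ps1 - added example, not code from the original thread.
# Run daily from a scheduled task as SYSTEM; exit code 1 = something is expiring.
param(
    [Parameter(Mandatory)] [string] $SubjectPattern,          # e.g. 'CN=web01.corp.example.com' (placeholder)
    [int]    $WarnDays   = 30,
    [switch] $Renew,                                          # actually run certreq renew
    [string] $MailTo,                                         # omit to skip e-mail
    [string] $SmtpServer = 'smtp.corp.example.com'            # placeholder relay
)

$now   = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
         Where-Object { $_.Subject -like "*$SubjectPattern*" }

if (-not $certs) {
    Write-Output "No certificates with Subject like '$SubjectPattern'"
    exit 2
}

# After a renewal the old and new certificate coexist in the store. Judge only
# the newest one per subject so an expired predecessor does not raise an alert.
$newest = $certs | Group-Object Subject | ForEach-Object {
    $_.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$report = foreach ($c in $newest) {
    $days = [int]($c.NotAfter - $now).TotalDays
    [pscustomobject]@{
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        Thumbprint = $c.Thumbprint
        ValidFrom  = $c.NotBefore
        ValidTo    = $c.NotAfter
        DaysLeft   = $days
        Expiring   = ($days -le $WarnDays)
    }
}
$report | Format-Table -AutoSize | Out-String | Write-Output

$expiring = @($report | Where-Object Expiring)
if ($expiring.Count -eq 0) { exit 0 }

if ($MailTo) {
    Send-MailMessage -To $MailTo -From 'certwatch@corp.example.com' `
        -Subject "[$env:COMPUTERNAME] $($expiring.Count) certificate(s) expire within $WarnDays days" `
        -Body ($expiring | Format-List | Out-String) -SmtpServer $SmtpServer
}

if ($Renew) {
    foreach ($e in $expiring) {
        # Renew against the issuing CA. 'reusekeys' keeps the existing key pair;
        # drop it if you want a fresh key with each renewal.
        & certreq.exe -enroll -machine -q -cert $e.Thumbprint renew reusekeys
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "certreq failed for $($e.Thumbprint): exit $LASTEXITCODE"
        }
    }
}
exit 1

# Register the daily task (placeholder path and addresses):
# schtasks /Create /TN CertExpiryCheck /SC DAILY /ST 06:00 /RU SYSTEM /TR
#   "powershell.exe -NoProfile -File C:\Scripts\CertExpiryCheck.ps1 -SubjectPattern 'CN=web01.corp.example.com' -MailTo pki-team@corp.example.com"
```

Two things to check before trusting this in production: the script runs as SYSTEM, so keep it in a directory only administrators can write to (and sign it if your execution policy is AllSigned); and a renewed certificate has a new thumbprint, so any IIS or HTTP.sys binding that references the old hash still has to be repointed after certreq succeeds.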



