
For now the x509 certificate provides four modes (https, tcp, file and opensslcli), but Windows “MMC” certificates still can’t be checked.
I propose to add this “custommode”.

Many of the packaged Windows plugins run PowerShell commands to retrieve information, and the Perl side formats the output to the Centreon standard.

 

To retrieve the MMC certificates’ information, we can run the following PowerShell command:

Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop' | Select *


PSPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\Remote Desktop\57014B6168AD0DF7B10185FCD9D
ED51F7D470E17
PSParentPath : Microsoft.PowerShell.Security\Certificate::LocalMachine\Remote Desktop
PSChildName : 57014B6168AD0DF7B10185FCD9DED51F7D470E17
PSDrive : cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : False
Archived : False
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName :
IssuerName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter : 28/11/2023 19:07:49
NotBefore : 29/05/2023 20:07:49
HasPrivateKey : True
PrivateKey : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey : System.Security.Cryptography.X509Certificates.PublicKey
RawData : {48, 130, 2, 216...}
SerialNumber : 68588A4B2F8BF98B476714E087F0F16A
SubjectName : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm : System.Security.Cryptography.Oid
Thumbprint : 57014B6168AD0DF7B10185FCD9DED51F7D470E17
Version : 3
Handle : 451449296
Issuer : CN=VM-2008-R2
Subject : CN=VM-2008-R2

The path “Cert:\LocalMachine\” contains the same folders as the MMC (with the snap-in “Certificates (Local Computer)”). For example, the “My” folder in PowerShell matches the “Personal” folder in MMC.
 

 

With the following command, we can display all the certificate folders:

PS C:\Users\Administrateur> Get-ChildItem Cert:\LocalMachine\ | Select PSPath

PSPath
------
Microsoft.PowerShell.Security\Certificate::SmartCardRoot
Microsoft.PowerShell.Security\Certificate::AuthRoot
Microsoft.PowerShell.Security\Certificate::CA
Microsoft.PowerShell.Security\Certificate::Trust
Microsoft.PowerShell.Security\Certificate::Disallowed
Microsoft.PowerShell.Security\Certificate::My
Microsoft.PowerShell.Security\Certificate::Root
Microsoft.PowerShell.Security\Certificate::TrustedPeople
Microsoft.PowerShell.Security\Certificate::TrustedDevices
Microsoft.PowerShell.Security\Certificate::Remote Desktop
Microsoft.PowerShell.Security\Certificate::TrustedPublisher

Placing a filter on these folders in the plugin will be very useful.
 

When we have a Certificate object listing, we can filter on the “Issuer” property to target the correct one.
=> this would be the second filter.

 

Once the certificate parameters are retrieved, I think it’s easy to evaluate the expiration date like the other modes, with the same options (warning-status and critical-status).

 

What do you think about that?
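The check proposed in the post above (pick a store under Cert:\LocalMachine, filter on Issuer, then compare NotAfter with warning and critical thresholds), written in PowerShell as an added example. It is not part of the original post or of the Centreon plugin; the function name, its parameters, the UNKNOWN-on-empty-match behaviour and the second sample certificate are assumptions.

```powershell
# Added example, not Centreon plugin code. Function and parameter names are hypothetical.
function Get-CertExpiryStatus {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Certificates,  # need Issuer, Subject, NotAfter, Thumbprint
        [string]   $IssuerFilter = '.*',   # regular expression: the "second filter" from the post
        [int]      $WarningDays  = 30,
        [int]      $CriticalDays = 7,
        [datetime] $Now          = (Get-Date)
    )
    $labels  = @('OK', 'WARNING', 'CRITICAL', 'UNKNOWN')
    $matched = @($Certificates | Where-Object { $_.Issuer -match $IssuerFilter })
    if ($matched.Count -eq 0) {
        # Assumption of this example: an empty match is UNKNOWN, so a wrong filter is not a silent OK.
        return New-Object PSObject -Property @{ ExitCode = 3; Message = 'UNKNOWN: no certificate matched' }
    }
    $worst = 0
    $details = foreach ($c in $matched) {
        # Whole days left until NotAfter; negative once the certificate has expired.
        $days  = [int][math]::Floor(($c.NotAfter - $Now).TotalDays)
        $state = if ($days -le $CriticalDays) { 2 } elseif ($days -le $WarningDays) { 1 } else { 0 }
        if ($state -gt $worst) { $worst = $state }
        '{0} ({1}) expires in {2} day(s)' -f $c.Subject, $c.Thumbprint, $days
    }
    $message = '{0}: {1}' -f $labels[$worst], ($details -join '; ')
    New-Object PSObject -Property @{ ExitCode = $worst; Message = $message }
}

# Constructed sample objects: the first reuses values from the output above, the second is invented.
$sample = @(
    (New-Object PSObject -Property @{ Subject = 'CN=VM-2008-R2'; Issuer = 'CN=VM-2008-R2'
        Thumbprint = '57014B6168AD0DF7B10185FCD9DED51F7D470E17'; NotAfter = [datetime]'2023-11-28T19:07:49' }),
    (New-Object PSObject -Property @{ Subject = 'CN=example-app'; Issuer = 'CN=Example Internal CA'
        Thumbprint = '0000000000000000000000000000000000000000'; NotAfter = [datetime]'2025-01-01T00:00:00' })
)
$r = Get-CertExpiryStatus -Certificates $sample -IssuerFilter '^CN=VM-2008-R2$' -Now ([datetime]'2023-11-20T00:00:00')
Write-Output $r.Message

# On a real host, feed it one store from the folder listing instead of $sample:
# $r = Get-CertExpiryStatus -Certificates (Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop')
# Write-Output $r.Message; exit $r.ExitCode
```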

New → Discussion ongoing

Hi @tibtib 

Have you tried the X509 plugin in TCP mode on port 3389 of the Windows host?


 https://docs.microsoft.com/en-us/powershell/module/pki/export-certificate?view=windowsserver2022-ps


Hi @omercier,

Yes, I tested the TCP mode and it’s not working.
I tried to add --ssl-opt with many options but every time I get the same error:

[root@centreon plugins]# /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --custommode=tcp --mode=certificate --hostname='192.168.1.215' --port=3389 --ssl-ignore-errors
UNKNOWN: Error creating SSL socket: , SSL error: SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
[root@centreon plugins]#

Moreover, only RDP certificates could be reached, not the others which are in the MMC.

I think my idea could be the “generic” solution for any MMC certificate (the same check command).


Hi @ponchoh,

Thanks for the link, it’s interesting for exporting certificates to a file, but I’m not sure it’s useful in our case.

The purpose is to interrogate the MMC directly, not to use a file and the “filemode” from the x509 plugin.


Hi @tibtib, a new mode will be released soon for os::windows::local plugin.

Regards,


Discussion ongoing → Planned

Planned → Released

Released with the September 23 connector update


Hi,

We use this monitoring connector but we didn’t have Certificates

Installed Packages
Name         : centreon-nrpe3-plugin
Version      : 4.1.0
Release      : 150207.el8
Architecture : x86_64
Size         : 67 k
Source       : centreon-nrpe3-plugin-4.1.0-150207.el8.src.rpm
Repository   : @System
From repo    : centreon-plugins-23.04-stable
Packager     : Centreon <contact@centreon.com>
Buildtime    : Tue 17 Oct 2023 05:02:56 PM CEST
Install time : Tue 28 Nov 2023 12:32:26 PM CET
Installed by : sysadmin <sysadmin>
Summary      : Nagios plugin for NRPE
URL          : https://centreon.com
License      : GPLv2+
Description  : Plug-in for Centreon monitoring system.
             : The centreon-nrpe packages contains the Nagios Remote Plug-ins Executor
             : Commit: 1aacfe2cca3bcda1cfa18603623ea4cfd7edc71a

 

[root@fro1vcp1 ~]# /usr/lib64/nagios/plugins/check_centreon_nrpe3 -H 1.2.3.4 -p 1234-t 60 -u -2 -P 8192 -c check_centreon_plugins -a 'os::windows::local::plugin' 'certificates' --list-mode

Plugin Description:
    Check Windows locally.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --pass-manager
            Use a password manager.

Modes Meta:
   multi

Modes Available:
   cmd-return
   list-storages
   pending-reboot
   sessions
   time
   updates
 


Hi @SavCent

Are you sure your version of centreon_plugins.exe is recent enough?

Please have a look here to download the latest: https://github.com/centreon/centreon-nsclient-build/releases


Hi @omercier

I’ve updated the .exe and I can check it now, but the result is strange.

My command:

/usr/lib64/nagios/plugins/check_centreon_nrpe3 -H 1.2.3.4 -p 1234 -t 60 -u -2 -P 8192 -c check_centreon_plugins -a 'os::windows::local::plugin' 'certificates' ' --filter-thumbprint="" --filter-subject="" --filter-path="U:\JBoss\Apache-2.4\conf\ssl\ca.crt" --unit="w" --warning-certificates-detected="" --critical-certificates-detected="" --warning-certificate-expires="4" --critical-certificate-expires="2"  '

 

Result:

On the poller:

Unrecognized escape \J passed through in regex; marked by <-- HERE in m/U:\J <-- HERE Boss\Apache-2.4\conf\ssl\ca.crt/ at C:\Windows\TEMP\par-5341564f59452d4c4d57435324\cache-3f10fc802e8b3f966a342cbafbec948b4934fb5b\inc\lib/os/windows/local/mode/certificates.pm line 215.
OK: certificates-detected : skipped (no value(s))

In the web interface:

 


If I remember correctly, the plugin looks for certificates in the certificate store.

You may have a hint of which certificates you may check and how by using the service discovery rule (if you have an IT license) or the list-certificates mode if you don’t.