plugins/Invoke-IcingaCheckCertificate.psm1
<# .SYNOPSIS Check whether a certificate is still trusted and when it runs out or starts. .DESCRIPTION Invoke-IcingaCheckCertificate returns either 'OK', 'WARNING' or 'CRITICAL', based on the thresholds set. e.g a certificate will run out in 30 days, WARNING is set to '20d:', CRITICAL is set to '50d:'. In this case the check will return 'WARNING'. More Information on https://github.com/Icinga/icinga-powershell-plugins .FUNCTIONALITY This module is intended to be used to check if a certificate is still valid or about to become valid. .EXAMPLE You can check certificates in the local certificate store of Windows: PS> Invoke-IcingaCheckCertificate -CertStore 'LocalMachine' -CertStorePath 'My' -CertSubject '*' -WarningEnd '30d:' -CriticalEnd '10d:' [OK] Check package "Certificates" (Match All) \_ [OK] Certificate 'test.example.com' (valid until 2033-11-19 : 4993d) valid for: 431464965.59 .EXAMPLE Also a directory with a file name pattern is possible: PS> Invoke-IcingaCheckCertificate -CertPaths "C:\ProgramData\icinga2\var\lib\icinga2\certs" -CertName '*.crt' -WarningEnd '10000d:' [WARNING] Check package "Certificates" (Match All) - [WARNING] Certificate 'test.example.com' (valid until 2033-11-19 : 4993d) valid for, Certificate 'Icinga CA' (valid until 2032-09-18 : 4566d) valid for \_ [WARNING] Certificate 'test.example.com' (valid until 2033-11-19 : 4993d) valid for: Value "431464907.76" is lower than threshold "864000000" \_ [WARNING] Certificate 'Icinga CA' (valid until 2032-09-18 : 4566d) valid for: Value "394583054.72" is lower than threshold "864000000" .EXAMPLE The checks can be combined into a single check: PS> Invoke-IcingaCheckCertificate -CertStore 'LocalMachine' -CertStorePath 'My' -CertThumbprint '*'-CertPaths "C:\ProgramData\icinga2\var\lib\icinga2\certs" -CertName '*.crt' -Trusted [CRITICAL] Check package "Certificates" (Match All) - [CRITICAL] Certificate 'test.example.com' trusted, Certificate 'Icinga CA' trusted \_ [CRITICAL] Check package "Certificate 'test.example.com'" (Match All) \_ [OK] Certificate 'test.example.com' (valid until 2033-11-19 : 4993d) valid for: 431464853.88 \_ [CRITICAL] Certificate 'test.example.com' trusted: Value "False" is not matching threshold "True" \_ [CRITICAL] Check package "Certificate 'Icinga CA'" (Match All) \_ [OK] Certificate 'Icinga CA' (valid until 2032-09-18 : 4566d) valid for: 394583000.86 \_ [CRITICAL] Certificate 'Icinga CA' trusted: Value "False" is not matching threshold "True" .PARAMETER Trusted Used to switch on trusted behavior. Whether to check, If the certificate is trusted by the system root. Will return Critical in case of untrusted. Note: it is currently required that the root and intermediate CA is known and trusted by the local system. .PARAMETER CriticalStart Used to specify a date. The start date of the certificate has to be past the date specified, otherwise the check results in critical. Use carefully. Use format like: 'yyyy-MM-dd' .PARAMETER WarningEnd Used to specify a Warning range for the end date of an certificate. In this case a string. Allowed units include: ms, s, m, h, d, w, M, y .PARAMETER CriticalEnd Used to specify a Critical range for the end date of an certificate. In this case a string. Allowed units include: ms, s, m, h, d, w, M, y .PARAMETER CertStore Used to specify which CertStore to check. Valid choices are '*', 'LocalMachine', 'CurrentUser' .PARAMETER CertThumbprint Used to specify an array of Thumbprints, which are used to determine what certificate to check, within the CertStore. .PARAMETER CertSubject Used to specify an array of Subjects, which are used to determine what certificate to check, within the CertStore. .PARAMETER CertStorePath Used to specify which path within the CertStore should be checked. .PARAMETER CertPaths Used to specify an array of paths on your system, where certificate files are. Use with CertName. .PARAMETER CertName Used to specify an array of certificate names of certificate files to check. Use with CertPaths. .PARAMETER Recurse Includes sub-directories and entries while looking for certificates on a given path .PARAMETER IgnoreEmpty Will return `OK` instead of `UNKNOWN`, in case no certificates for the given filter and path were found .PARAMETER Verbosity Changes the behavior of the plugin output which check states are printed: 0 (default): Only service checks/packages with state not OK will be printed 1: Only services with not OK will be printed including OK checks of affected check packages including Package config 2: Everything will be printed regardless of the check state 3: Identical to Verbose 2, but prints in addition the check package configuration e.g (All must be [OK]) .PARAMETER ExcludePattern Used to specify an array of exclusions, tested against Subject, Subject Alternative Name and Issuer. .INPUTS System.String .OUTPUTS System.String .LINK https://github.com/Icinga/icinga-powershell-plugins .NOTES #> function Invoke-IcingaCheckCertificate() { param( #Checking [switch]$Trusted = $FALSE, $CriticalStart = $null, $WarningEnd = '30d:', $CriticalEnd = '10d:', #CertStore-Related Param [ValidateSet('*', 'LocalMachine', 'CurrentUser')] [string]$CertStore = '*', [array]$CertThumbprint = $null, [array]$CertSubject = $null, [array]$ExcludePattern = $null, $CertStorePath = '*', #Local Certs [array]$CertPaths = $null, [array]$CertName = $null, [switch]$Recurse = $FALSE, [switch]$IgnoreEmpty = $FALSE, #Other [ValidateSet(0, 1, 2, 3)] [int]$Verbosity = 0 ); $CertData = Get-IcingaCertificateData ` -CertStore $CertStore -CertThumbprint $CertThumbprint -CertSubject $CertSubject -ExcludePattern $ExcludePattern ` -CertPaths $CertPaths -CertName $CertName -CertStorePath $CertStorePath -Recurse $Recurse; $CertPackage = New-IcingaCheckPackage -Name 'Certificates' -OperatorAnd -Verbose $Verbosity -IgnoreEmptyPackage:$IgnoreEmpty -AddSummaryHeader; if ($null -ne $CriticalStart) { try { [datetime]$CritDateTime = $CriticalStart; } catch { Exit-IcingaThrowException -ExceptionType 'Custom' -CustomMessage 'DateTimeParseError' -InputString ( [string]::Format('The provided value "{0}" for argument "CriticalStart" could not be parsed as DateTime.', $CriticalStart) ) -Force; } } foreach ($data in $CertData) { $Cert = $data.Cert; if ($null -eq $Cert) { # Not a valid cert file - unknown check $CertPackage.AddCheck( (New-IcingaCheck -Name ([string]::Format("Not a certificate: {0}", $data.Path))).SetUnknown() ); continue; } $SpanTilAfter = (New-TimeSpan -Start (Get-Date) -End $Cert.NotAfter); if ($Cert.Subject.Contains(',')) { [string]$CertName = $Cert.Subject.Split(",")[0]; } else { [string]$CertName = $Cert.Subject; } $CertName = $CertName -ireplace '(cn|ou)=', ''; if (($CertName -eq '') -or ($CertName -eq '')) { $CertName = $Cert.DnsNameList.Unicode.Split([System.Environment]::NewLine)[0] } $CheckNamePrefix = "Certificate '${CertName}'"; if ($data.ContainsKey('Path')) { $CheckNamePrefix += (" at " + $data.Path) } $checks = @(); if ($Trusted) { $CertValid = Test-Certificate $cert -ErrorAction SilentlyContinue -WarningAction SilentlyContinue; $IcingaCheck = New-IcingaCheck -Name "${CheckNamePrefix} trusted" -Value $CertValid; $IcingaCheck.CritIfNotMatch($TRUE) | Out-Null; $checks += $IcingaCheck; } if ($null -ne $CriticalStart) { $CritStart = ((New-TimeSpan -Start $Cert.NotBefore -End $CritDateTime) -gt 0) $IcingaCheck = New-IcingaCheck -Name "${CheckNamePrefix} already valid" -Value $CritStart; $IcingaCheck.CritIfNotMatch($TRUE) | Out-Null; $checks += $IcingaCheck; } if (($null -ne $WarningEnd) -Or ($null -ne $CriticalEnd)) { $ValidityInfo = ([string]::Format('valid until {0} : {1}d', $Cert.NotAfter.ToString('yyyy-MM-dd'), $SpanTilAfter.Days)); $IcingaCheck = New-IcingaCheck -Name "${CheckNamePrefix} ($ValidityInfo) valid for" -Value (New-TimeSpan -End $Cert.NotAfter.DateTime).TotalSeconds; $IcingaCheck.WarnOutOfRange($WarningEnd).CritOutOfRange($CriticalEnd) | Out-Null; $checks += $IcingaCheck; } if ($checks.Length -eq 1) { # Only add one check instead of the package $CertPackage.AddCheck($checks[0]) } else { $CertCheck = New-IcingaCheckPackage -Name $CheckNamePrefix -OperatorAnd; foreach ($check in $checks) { $CertCheck.AddCheck($check) } $CertPackage.AddCheck($CertCheck) } } return (New-IcingaCheckResult -Name 'Certificates' -Check $CertPackage -NoPerfData $TRUE -Compile); } |