PEI deploys Lync and Exchange to clients frequently. One of our most common issues with Lync occurs a year after we deploy. A client will call up and tell us in a panic that everything had been working great until a certain time then everything just “broke”.
Most of the time, our engineers realize that it has been a year since the deploy and know exactly where to look: certificates. Sure enough, a certificate has expired and needs to be renewed. If we’re lucky, it is a certificate that gets issued from the Internal Certificate Authority (CA) and we can renew the cert immediately and have them back up and running within minutes. Worst case, we have to get a new public certificate and they may have to wait hours.
How could this have been avoided? Well, one suggestion is that they place a reminder on their calendar for about 11 months out to check on the certificates. We do recommend this as one solution. Another is to use System Center Operations Manager (SCOM) to get alerts on expiring certificates. SCOM is great but a bit overkill if all you want is to know when certificates are expiring.
There is one other option, which is free. There is a tool called the Certificate Expiration Alerter. This command line tool works by checking the Internal CA for certificates that will expire. You can set the number of days in the future you want to check (e.g. return results for all certificates expiring in the next 30 days).
You can simply set this as an automated task on your CA and have it email a group so that you won’t be surprised when a certificate is about to expire.
To run the Certificate Expiration Alerter, simply run:
certexpalerter.exe -c "CAServerRoot CA" — This will list all certificates issued by the CA.
certexpalerter.exe -c "CAServerRoot CA" -d 15 — This will list all certificates issued by the CA that are scheduled to expire in exactly 15 days.
certexpalerter.exe -m SMTPServerName -s firstname.lastname@example.org -r email@example.com -d 30 -c "CAServerRoot CA" — This will email firstname.lastname@example.org if a certificate will expire in exactly 30 days.
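The tool above reads the Internal CA, so a publicly issued certificate (the slow-to-replace case described earlier) is not in its results. As a complement, the following added example, which is not part of the Certificate Expiration Alerter or the original post, checks the certificate store on the server itself and reports everything expiring within a window rather than on one exact day. The function name, its parameters, and the SMTP values are hypothetical placeholders.

```powershell
# Added example (not from the original post): list certificates in the local
# machine store that have expired or will expire within -Days days.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        [int]$Days = 30,                               # look-ahead window
        [string]$StorePath = 'Cert:\LocalMachine\My'   # server certificate store
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $cutoff } |     # includes already-expired
        Sort-Object NotAfter |
        ForEach-Object {
            $status = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
            [pscustomobject]@{
                Status     = $status
                DaysLeft   = [math]::Floor(($_.NotAfter - $now).TotalDays)
                NotAfter   = $_.NotAfter
                Subject    = $_.Subject
                Issuer     = $_.Issuer                 # shows internal vs. public CA
                Thumbprint = $_.Thumbprint
            }
        }
}

# Hypothetical wrapper for a scheduled task: print the report and, if an SMTP
# server is given, mail it. All mail values are placeholders (assumptions).
function Send-ExpiryReport {
    param(
        [int]$Days = 30,
        [string]$SmtpServer,          # e.g. 'SMTPServerName'
        [string]$From,
        [string]$To
    )
    $found = @(Get-ExpiringCertificate -Days $Days)
    if ($found.Count -eq 0) { return }                 # nothing to report

    $body = $found | Format-List | Out-String
    Write-Output $body
    if ($SmtpServer -and $From -and $To) {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
            -Subject "$($found.Count) certificate(s) expiring on $env:COMPUTERNAME" `
            -Body $body
    }
}

Send-ExpiryReport -Days 30
```

Because the filter is "on or before the cutoff", a scheduled run that is skipped one day still reports the certificate on the next run.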