Vista - Script to query SmartCard Certificate Expiry?

09-29-2008   #1
Ben


 
 

Script to query SmartCard Certificate Expiry?

Hi,

We use smartcards to login to our VPN, and I've created a CMAK profile
that users install, which gives them a nicer user experience, it also
runs a logon script, and machine audit as the logon. One problem we've
come across recently is SmartCard certificates expiring, some users
may not be in the office for months at a time, and don't know when
their smartcards are about to expire.

What I'm wondering, is: Is it possible to write a script, maybe a WMI
script, or add a section to our existing VB logon script, that can
query the SmartCard certificate for its expiry time, and if it's say,
less than 30 days away, prompt the user with a little message box that
says something like 'Your SmartCard is due to expire in 30 days/on
28th September' etc?

Many thanks

Ben

09-29-2008   #2
Jorge de Almeida Pinto [MVP - DS]


 
 

Re: Script to query SmartCard Certificate Expiry?

You could also write a script that runs against the CA from time to time and
mails the user, telling them the smart card cert is about to expire. Another
option is to start using CLM (Certificate Lifecycle Manager)!
But for now....

29-Sep-2008 23:15:40.03
[RFSRWDC1] C:\>certutil -view -config RFSRWDC1.ADCORP.LAB\MY-PKI-ROOT-CA -restrict "certificate template==SmartCardLogon,disposition==20" /out "request id,certificate template,serialnumber,Certificate Expiration Date,Issued Common Name,Issued Distinguished Name"
Schema:
  Column Name                   Localized Name                Type    MaxLength
  ----------------------------  ----------------------------  ------  ---------
  Request.RequestID             Request ID                    Long    4 -- Indexed
  CertificateTemplate           Certificate Template          String  254 -- Indexed
  SerialNumber                  Serial Number                 String  128 -- Indexed
  NotAfter                      Certificate Expiration Date   Date    8 -- Indexed
  CommonName                    Issued Common Name            String  8192 -- Indexed
  DistinguishedName             Issued Distinguished Name     String  8192

Row 1:
Request ID: 0x10 (16)
Certificate Template: "SmartcardLogon"
Serial Number: "118812f8000000000010"
Certificate Expiration Date: 29-Sep-2009 17:18
Issued Common Name: "Users
ADM.ROOT"
Issued Distinguished Name: "CN=ADM.ROOT, CN=Users, DC=ADCORP, DC=LAB"

Row 2:
Request ID: 0x12 (18)
Certificate Template: "SmartcardLogon"
Serial Number: "118c3b5d000000000012"
Certificate Expiration Date: 29-Sep-2009 17:23
Issued Common Name: "Leonardo DaVinci"
Issued Distinguished Name: "CN=Leonardo DaVinci, OU=Users, OU=HISTORY1, OU=Org-Users, DC=ADCORP, DC=LAB"

Row 3:
Request ID: 0x13 (19)
Certificate Template: "SmartcardLogon"
Serial Number: "1190164d000000000013"
Certificate Expiration Date: 29-Sep-2009 17:27
Issued Common Name: "Leonardo DaVinci"
Issued Distinguished Name: "CN=Leonardo DaVinci, OU=Users, OU=HISTORY1, OU=Org-Users, DC=ADCORP, DC=LAB"

Row 4:
Request ID: 0x14 (20)
Certificate Template: "SmartcardLogon"
Serial Number: "1196ca6d000000000014"
Certificate Expiration Date: 29-Sep-2009 17:34
Issued Common Name: "Leonardo DaVinci"
Issued Distinguished Name: "CN=Leonardo DaVinci, OU=Users, OU=HISTORY1, OU=Org-Users, DC=ADCORP, DC=LAB"

Row 5:
Request ID: 0x15 (21)
Certificate Template: "SmartcardLogon"
Serial Number: "126b058b000000000015"
Certificate Expiration Date: 29-Sep-2009 21:26
Issued Common Name: "Leonardo DaVinci"
Issued Distinguished Name: "CN=Leonardo DaVinci, OU=Users, OU=HISTORY1, OU=Org-Users, DC=ADCORP, DC=LAB"

Row 6:
Request ID: 0x16 (22)
Certificate Template: "SmartcardLogon"
Serial Number: "126d7850000000000016"
Certificate Expiration Date: 29-Sep-2009 21:29
Issued Common Name: "Leonardo DaVinci"
Issued Distinguished Name: "CN=Leonardo DaVinci, OU=Users, OU=HISTORY1, OU=Org-Users, DC=ADCORP, DC=LAB"

Maximum Row Index: 6

6 Rows
36 Row Properties, Total Size = 1498, Max Size = 150, Ave Size = 41
0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
36 Total Fields, Total Size = 1498, Max Size = 150, Ave Size = 41
CertUtil: -view command completed successfully.

29-Sep-2008 23:15:42.15
[RFSRWDC1] C:\>

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Ben" <bjblackmore@xxxxxx> wrote in message
news:a6187400-a433-4c02-b21b-4db60b0f8167@xxxxxx
> Hi,
>
> We use smartcards to login to our VPN, and I've created a CMAK profile
> that users install, which gives them a nicer user experience, it also
> runs a logon script, and machine audit as the logon. One problem we've
> come across recently is SmartCard certificates expiring, some users
> may not be in the office for months at a time, and don't know when
> their smartcards are about to expire.
>
> What I'm wondering, is: Is it possible to write a script, maybe a WMI
> script, or add a section to our existing VB logon script, that can
> query the SmartCard certificate for its expiry time, and if it's say,
> less than 30 days away, prompt the user with a little message box that
> says something like 'Your SmartCard is due to expire in 30 days/on
> 28th September' etc?
>
> Many thanks
>
> Ben
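
The "script that runs against the CA" suggested in reply #2, sketched as an added example (not part of either post): Python that parses saved `certutil -view` output in the row layout shown above and lists subjects whose newest certificate ends within the 30-day window from the question. The sample rows, names and serials are constructed; it assumes the date format seen in this thread and that only the latest-expiring certificate per distinguished name matters, since a user may hold several issued certificates.

```python
import re
from datetime import datetime, timedelta
DATE_FMT = "%d-%b-%Y %H:%M"  # assumption: dates print as in the thread's output
FIELD = re.compile(r'^\s*(Serial Number|Certificate Expiration Date|'
                   r'Issued Distinguished Name):\s*"?(.*?)"?\s*$')
# Constructed sample rows (made-up names and serials) in certutil -view layout.
SAMPLE = '''Row 1:
  Serial Number: "1a00000000000000aa01"
  Certificate Expiration Date: 10-Oct-2009 09:00
  Issued Common Name: "Users
Alice Example"
  Issued Distinguished Name: "CN=Alice Example, CN=Users, DC=EXAMPLE, DC=LAB"
Row 2:
  Serial Number: "1a00000000000000aa02"
  Certificate Expiration Date: 29-Sep-2009 17:23
  Issued Distinguished Name: "CN=Bob Example, OU=Users, DC=EXAMPLE, DC=LAB"
Row 3:
  Serial Number: "1a00000000000000aa03"
  Certificate Expiration Date: 15-Sep-2010 10:00
  Issued Distinguished Name: "CN=Bob Example, OU=Users, DC=EXAMPLE, DC=LAB"
'''

def parse_rows(text):
    """Yield one dict per 'Row N:' block; other lines (multi-line CNs, totals) are skipped."""
    row = None
    for line in text.splitlines():
        if re.match(r'\s*Row \d+:', line):
            if row:
                yield row
            row = {}
        elif row is not None:
            m = FIELD.match(line)
            if m:
                row[m.group(1)] = m.group(2)
    if row:
        yield row

def expiring(text, now, days=30):
    """Return (dn, serial, days_left) for each subject whose newest cert ends within `days`."""
    newest = {}
    for r in parse_rows(text):
        if len(r) < 3:
            continue  # row is missing one of the three fields we need
        dn = r["Issued Distinguished Name"]
        na = datetime.strptime(r["Certificate Expiration Date"], DATE_FMT)
        if dn not in newest or na > newest[dn][1]:
            newest[dn] = (r["Serial Number"], na)
    return sorted((dn, s, (na - now).days) for dn, (s, na) in newest.items()
                  if na <= now + timedelta(days=days))
```

A negative `days_left` means the subject's newest certificate has already expired; Bob in the sample is not reported in 2009 because his renewed certificate supersedes the older one.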