Monitoring expiring certificates with BizTalk360

Published on : Oct 26, 2016

Category : BizTalk360 Update



certificate expiry alert In many situations the communication between BizTalk and web services is protected by using certificates. These certificates have a limited validity and if a certificate has expired, you won’t be able to communicate with the web services until the certificate has been renewed. For that reason it is important to monitor if certificates are about to expire, so that renewal can be arranged in time. Unfortunately, we often experience that organizations forget to properly monitor certificates’ expiration. In this article, I’ll explain how you can use BizTalk360 to monitor expiring certificates.

Viewing the expiration date of Certificates

As you might know Windows stores certificates in the so-called Certificate store. This Certificate store can be accessed by means of a MMC-snap in. Per certificate, a number of attributes can be viewed. Amongst others, the thumbprint of the certificate and the expiration date of the certificate are the key ones to note. Below you see a picture of some properties of a certificate. certificate-details

Event Log Warnings of expiring certificates

Windows monitors installed certificates 3 times per day. For each certificate that loses its validity within 10 weeks, Windows writes an entry in the Event Log. This occurs until the certificate is either removed or its validity is extended. Below you see a picture of how such an Event Log entry looks like. These Event Log entries are all we need to be able to monitor on expiring certificates! event-log-warning

Get alerted by BizTalk360!

BizTalk360 enables you to retrieve notifications based on Event Log entries. So if you want BizTalk360 to send notifications about expiring certificates, you can simply create an alarm and add a mapping to the Event Log entry. To achieve this, you need to follow these steps:
  • Create a Threshold Alarm
  • Add a mapping to the Event Log entry

Creating a Threshold Alarm

Although this article nicely describes how to setup alarms, I’ll briefly describe the steps here as well.
  1. Navigate to the main page of BizTalk360
  2. On the left pane, choose Monitoring and click Manage Alarms to create a new alarm
  3. Create a new alarm For Threshold Monitoring
  4. Enter the alarm name: Expiring Certificates
  5. In the field Email Ids enter the appropriate email addresses, then click Next
  6. On the next page click OK

Add a mapping to the Event Log Entry

In this article you can find how to setup monitoring for Event Logs, but for the scenario of monitoring expiring certificates, I’ll describe the steps below.
  1. On the left pane of BizTalk360, choose Monitoring and click Manage Mapping to create a mapping to the alarm you just created
  2. Click BizTalk Servers. In the right pane all BizTalk servers within the current BizTalk Group are shown. For this scenario we assume that there is only one BizTalk server
  3. Click on the name of the BizTalk Server
  4. In the next screen, from the Select Alarm drop down box, select the alarm called Expiring Certificates
  5. Next click the tab page called EVENTLOGS
  6. Now click the New Event Log Alert
  7. Enter the fields as shown below
    • Alert Name: Expiring Certificates
    • Event Log: Application
    • Event Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    • Event Ids: 64
  8. Click Next
  9. In the Textbox in front of ‘Warnings OR’ enter 0 (zero)
  10. Click OK
You now have created a general alarm which sends notifications in case certificates are about to expire or have expired.

Points to remember

  1. In case you have more than 1 BizTalk Server, you should create Alert Mappings for each BizTalk Server
  2. In case you want to monitor the validity of a specific certificate, you could use the Text field on the Event Log Alert – Details screen (see below) to enter the thumbprint of the certificate.