Monitoring expiring certificates with BizTalk360

October 26, 2016


In many situations, communication between BizTalk and web services is protected with certificates. These certificates have a limited validity period, and once a certificate has expired you can no longer communicate with the web service until the certificate has been renewed.

For that reason it is important to monitor whether certificates are about to expire, so that renewal can be arranged in time. Unfortunately, we often see that organizations fail to monitor certificate expiration properly. In this article, I'll explain how you can use BizTalk360 to monitor expiring certificates.

Viewing the expiration date of Certificates

As you might know, Windows stores certificates in the so-called certificate store. This store can be accessed by means of an MMC snap-in. Per certificate, a number of attributes can be viewed; the thumbprint and the expiration date (the "Valid to" field) are the key ones to note here. Below you see a picture of some properties of a certificate.

certificate-details

Event Log Warnings of expiring certificates

Windows checks the installed certificates 3 times per day. For each certificate that loses its validity within 10 weeks, Windows writes a warning to the Application Event Log. This is repeated on every check until the certificate is either removed or replaced by a renewed one. Note that this check only covers certificates installed in the Windows certificate store; a certificate that only exists as a file (for example a PFX on disk) does not produce such an event.

Below you see a picture of what such an Event Log entry looks like. These Event Log entries are all we need to be able to monitor expiring certificates!

event-log-warning
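To see for yourself which warnings BizTalk360 will be picking up, you can query the Application log for exactly these entries. The following PowerShell script is an added example and not part of the original article; it assumes it runs on the BizTalk server itself (or against a log you have read access to) and that the warning message contains the thumbprint as hex bytes, possibly separated by spaces, which is how the event text usually reads.

```powershell
# Added example (not from the original article): read the autoenrollment
# expiry warnings that BizTalk360 alerts on straight from the Application log.
# Assumes it runs on the BizTalk server with rights to read the event log.
function Get-CertificateExpiryWarnings {
    [CmdletBinding()]
    param(
        # Look back this many days. The check repeats the warning on every run,
        # so a short window is enough to catch live problems.
        [int]$Days = 1,
        # Optional: only return warnings for this certificate thumbprint
        # (hex, with or without spaces, any case).
        [string]$Thumbprint
    )

    $wanted = if ($Thumbprint) { ($Thumbprint -replace '\s', '').ToUpper() } else { $null }

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        Id           = 64
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message reads like: "Certificate for local system with Thumbprint
            # <hex bytes> is about to expire or already expired." Pull the
            # thumbprint out so it can be compared with the certificate store.
            $tp = $null
            if ($_.Message -match 'Thumbprint\s+((?:[0-9A-Fa-f]{2}\s*){20})') {
                $tp = ($Matches[1] -replace '\s', '').ToUpper()
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Thumbprint  = $tp
                Message     = $_.Message
            }
        } |
        Where-Object { -not $wanted -or $_.Thumbprint -eq $wanted }
}

# Usage: show the last week of warnings, one line per event.
Get-CertificateExpiryWarnings -Days 7 |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Computer, Thumbprint -AutoSize
```

If this returns nothing while a certificate is known to be close to expiry, the event was not written on this machine, and an alarm built on the event alone will stay silent; the thumbprint column lets you match each warning against the certificate in the MMC snap-in.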

Get alerted by BizTalk360!

BizTalk360 can send notifications based on Event Log entries. So if you want BizTalk360 to notify you about expiring certificates, you simply create an alarm and add a mapping to the Event Log entry. To achieve this, follow these steps:

  • Create a Threshold Alarm
  • Add a mapping to the Event Log entry

Creating a Threshold Alarm

Although this article nicely describes how to set up alarms, I'll briefly describe the steps here as well.

  1. Navigate to the main page of BizTalk360
  2. On the left pane, choose Monitoring and click Manage Alarms to create a new alarm
  3. Create a new alarm For Threshold Monitoring
  4. Enter the alarm name: Expiring Certificates
  5. In the field Email Ids enter the appropriate email addresses, then click Next
  6. On the next page click OK

Add a mapping to the Event Log Entry

In this article you can find how to set up monitoring for Event Logs, but for the scenario of monitoring expiring certificates, I'll describe the steps below.

  1. On the left pane of BizTalk360, choose Monitoring and click Manage Mapping to create a mapping to the alarm you just created
  2. Click BizTalk Servers. In the right pane, all BizTalk servers within the current BizTalk Group are shown. For this scenario we assume that there is only one BizTalk server
  3. Click on the name of the BizTalk Server
  4. In the next screen, from the Select Alarm drop down box, select the alarm called Expiring Certificates
  5. Next click the tab page called EVENTLOGS
  6. Now click the New Event Log Alert
  7. Enter the fields as shown below
    • Alert Name: Expiring Certificates
    • Event Log: Application
    • Event Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
    • Event Ids: 64
  8. Click Next
  9. In the text box in front of 'Warnings OR', enter 0 (zero), so that the alarm fires as soon as any warning with this Event Id is found
  10. Click OK

You have now created a general alarm that sends notifications when certificates are about to expire or have already expired.

Points to remember

  1. If you have more than one BizTalk server, create an Alert Mapping for each BizTalk server
  2. If you want to monitor the validity of one specific certificate only, use the Text field on the Event Log Alert – Details screen (see below) to enter the thumbprint of that certificate, so that only the event for that certificate triggers the alarm. Enter the thumbprint in the same format as it appears in the Event Log message, otherwise the text filter will not match.

biztalk360-event-log-alert-details
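The alarm above depends on Windows writing the warning. As a second line of defence you can read the expiration dates directly from the certificate store and compare them with the same 10-week window, for all certificates or for one specific thumbprint as in point 2 above. The script below is an added example and not part of the original article or of BizTalk360; it assumes it runs on the BizTalk server, and the store paths and the 70-day warning window are choices you can adjust.

```powershell
# Added example (not from the original article): check the certificate stores
# directly instead of relying on the Event Log entry being written.
# Assumes it runs on the BizTalk server; store paths are assumptions, adjust as needed.
function Get-ExpiringCertificates {
    [CmdletBinding()]
    param(
        # Warn when this many days of validity or fewer remain
        # (70 days = the 10-week window the Windows warning uses).
        [int]$WarnDays = 70,
        # Stores to inspect. The Windows warning only covers the Personal (My)
        # stores; service certificates normally live under LocalMachine.
        [string[]]$Store = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'),
        # Optional: restrict the check to one certificate thumbprint.
        [string]$Thumbprint
    )

    # Certificate objects expose the thumbprint as upper-case hex without spaces.
    $wanted = if ($Thumbprint) { ($Thumbprint -replace '\s', '').ToUpper() } else { $null }
    $now = Get-Date

    foreach ($path in $Store) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { -not $wanted -or $_.Thumbprint -eq $wanted } |
            ForEach-Object {
                $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
                $state = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                         else { 'OK' }
                [pscustomobject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    DaysLeft   = $daysLeft
                    State      = $state
                }
            }
    }
}

# Usage: list everything expired or inside the warning window, soonest first.
Get-ExpiringCertificates -WarnDays 70 |
    Where-Object State -ne 'OK' |
    Sort-Object DaysLeft |
    Format-Table State, DaysLeft, NotAfter, Subject, Thumbprint -AutoSize
```

Run it under the account that owns the certificates you care about: the CurrentUser store is per account, so a scheduled task running as a service account sees only that account's personal store, while LocalMachine\My is the same for everyone. A single thumbprint can be checked with -Thumbprint, which makes the store check a direct counterpart of the thumbprint filter in point 2.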

Author: Lex Hegt

Lex Hegt has worked in the IT sector for more than 25 years, mainly as a developer and administrator. He has worked with BizTalk since BizTalk Server 2004. Currently he is a Technical Lead at BizTalk360.

  • Howard S. Edidin

    Nice article

    • Lex Hegt

      Thanks Howard!

  • Hi Lex,

    We have been using the same trick for several years in combination with other monitoring software. However, I’ve noticed we don’t always get the entry in the event log. Are you aware of this and if so, any workarounds? Thanks for the article!

    • Lex Hegt

      Hi Peter,

      Nice to hear that you have been using the same trick! I've been using this for about a year now, but I have to admit I am not aware of missing the event. What exactly did you experience when you missed the entries?

      • We noticed that sometimes certificates tend to expire without any entry. We have been monitoring the specific EventID, but sometimes we see that some certificates tend to slip through (as in: no event log entry/no alert). We haven’t been able to pinpoint it to Windows or monitoring software, since mostly we are way too late to notice before the event log cycles. I was wondering if you have seen this behavior too?

        • Lex Hegt

          I’m using this with BizTalk360 for about a year now and I can’t remember that I’ve seen the behaviour you mention. To be able to determine where it goes wrong, you could extend the size of the Event Log, so hopefully you are able to see whether the Event Log entries appear. But extending the Event Log is not always an option in Live environments.
