Certificates and Managing Expiration
I have successfully built and deployed a few Microsoft PKI systems, ranging from Windows Server 2003 architectures to the new certificate options and deployment methods that Windows Server 2008 introduced. What I can’t understand is why Microsoft has not built in a certificate reporting tool, something similar to this Certificate Reporting Tool (CRT): http://www.css-security.com/software/certificate-reporting-tool-crt/
System Center Configuration Manager is available from Microsoft and does have some capabilities in this area, but it is a separate product.
One of the biggest challenges as a security consultant is documentation, leaving your footprint behind for the people who inherit the system. Being contracted to build a PKI architecture is a big job, especially if training, custom templates, or multiple platforms are required; the list could go on. The number one thing that brings network and systems admins to their knees is expired certificates. They will suck the life out of you if you do not have a plan in place for managing what you have out there and for knowing when to put a little proactive time into properly reissuing and revoking certificates.
For most, these types of third-party management systems may not be in the budget, or for some other reason you cannot obtain this type of control. I would like to bring a little of my own flavor to the table. Ready!!!… I simply use an Excel spreadsheet and a shared Outlook calendar: simple documentation of what each certificate is for, who it is issued to, etc., kept on a network share accessible only to the proper IT staff members, with a reminder set two weeks in advance of its expiration. As a consultant or contractor, the shared Outlook calendar is a good thing to have, especially if you are working with data that expires or has a lifetime. This way, if your contract is up, the IT management in place can still access and receive the certificate-management notifications you set up, which goes some way toward avoiding the “Come in and fix this” phone call.
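The spreadsheet-plus-reminder approach above can be bootstrapped with a script, so the inventory is generated from what is actually installed rather than typed in by hand. The following PowerShell is an added example, not code from the original post: it walks the local machine’s personal certificate store, computes days until expiry, writes the inventory to a CSV (the share path, the 14-day window and the Outlook calendar handling are assumptions chosen for illustration), and optionally creates an Outlook reminder for each certificate that is still within its lifetime.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell on a host
# with a Cert: drive; the share path, WarnDays and Outlook handling are assumptions.
param(
    [int]$WarnDays = 14,                                          # two-week reminder window
    [string]$ReportPath = "\\fileserver\pki\cert-inventory.csv",  # assumed restricted share
    [switch]$CreateOutlookReminders                               # requires Outlook on this host
)

function Get-CertInventory {
    # Returns one record per certificate in the given store with an expiry status.
    param([string]$StorePath = 'Cert:\LocalMachine\My', [int]$WarnDays = 14)
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Store         = $StorePath
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            NotBefore     = $_.NotBefore
            NotAfter      = $_.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $_.HasPrivateKey   # a cert with a key is one a service depends on
            Status        = $status
        }
    }
}

function New-ExpiryReminder {
    # Creates an all-day appointment WarnDays before expiry in the user's default
    # calendar via the Outlook COM object. For a shared calendar, resolve the folder
    # with the Outlook namespace's GetSharedDefaultFolder instead (assumption: Outlook installed).
    param($Cert, [int]$WarnDays)
    $outlook = New-Object -ComObject Outlook.Application
    $appt = $outlook.CreateItem(1)            # 1 = olAppointmentItem
    $appt.Subject = "Renew certificate: $($Cert.Subject)"
    $appt.Body = "Thumbprint $($Cert.Thumbprint) on $($Cert.Computer) expires $($Cert.NotAfter)"
    $appt.Start = $Cert.NotAfter.AddDays(-$WarnDays).Date
    $appt.AllDayEvent = $true
    $appt.ReminderSet = $true
    $appt.ReminderMinutesBeforeStart = 0
    $appt.Save()
}

$inventory = Get-CertInventory -WarnDays $WarnDays

# The CSV is the "spreadsheet": sorted so the most urgent certificates are on top.
$inventory | Sort-Object DaysLeft | Export-Csv -Path $ReportPath -NoTypeInformation

# Show anything already expired or inside the warning window.
$inventory | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Subject, NotAfter, DaysLeft, Status -AutoSize

if ($CreateOutlookReminders) {
    # Only certificates whose reminder date is still in the future get a calendar entry.
    $inventory | Where-Object { $_.DaysLeft -gt $WarnDays } |
        ForEach-Object { New-ExpiryReminder -Cert $_ -WarnDays $WarnDays }
}
```

Run it on each server that holds certificates (for example from a scheduled task that appends to the share), or point `-StorePath` at other stores such as `Cert:\LocalMachine\WebHosting`. Certificates issued by your CA but installed on devices you cannot script, such as appliances or load balancers, will not appear here; on the CA itself, `certutil -view -restrict` against the issued-certificate database is the place to catch those.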