Blog Post

System Center Blog
2 MIN READ

SCOM Management pack for Certificate Monitoring

AakashMSFT's avatar
AakashMSFT
Icon for Microsoft rankMicrosoft
Sep 07, 2022
<Update on Jan 2, 2023: GA release>   Microsoft is excited to announce the GA release of SCOM management pack for Certificate monitoring! We are thankful to the immense response to the previous (...
Updated Jan 05, 2023
Version 6.0
SCOM
System Center Operations Manager
Farooq860's avatar
Farooq860
Copper Contributor
Nov 22, 2024

BojanZ 

If the CRL is not appearing after several hours, it may be due to the CRL publishing schedule, network issues, or configuration settings. Please ensure that the CRL publication schedule is correctly configured and that there are no network issues preventing access. 

BojanZ's avatar
BojanZ
Copper Contributor
Jan 14, 2025

What do you mean by correctly configured CRL publication schedule?

  • Farooq860's avatar
    Farooq860
    Copper Contributor
    Jan 14, 2025

    By "correctly configured CRL publication schedule," I mean ensuring that the schedule for generating and publishing the Certificate Revocation List (CRL) is set up accurately according to your organization's needs. This involves:

    1. **Frequency**: Determining how often the CRL is published (e.g., daily, weekly) to keep the information up-to-date.
    2. **Validity Period**: Setting the duration for which each CRL is valid before a new one needs to be published.
    3. **Publication Points**: Ensuring that the CRL is available at the correct locations (such as web servers or directories) where clients and systems can access it.

    By ensuring these settings are properly configured. 

    • BojanZ's avatar
      BojanZ
      Copper Contributor
      Jan 15, 2025

      One of CDPs is web location that is accessible from SCOM.

      Also, I have 2-tier PKI, is MP capable of monitoring root CA's CRL (root CA is offline as recommended)? Recently whole PKI was "broken" because root CA's CRL expired, and I had to republish it manually, having brought root CA back online.

      • Farooq860's avatar
        Farooq860
        Copper Contributor
        Jan 15, 2025

        The Management Pack (MP) for Certificate Monitoring can monitor the root CA's CRL even if the root CA is offline by leveraging the following mechanisms:

        1. CRL Distribution Points (CDPs): The CRL is published to CDPs, which are accessible locations (like web servers or directories) where clients and systems can retrieve the CRL. Even if the root CA is offline, as long as the CRL is available at these CDPs, the MP can monitor it.
        2. Scheduled CRL Publication: The CRL is generated and published according to a predefined schedule. This ensures that the CRL is updated and available at the CDPs before the previous one expires. The offline root CA can be brought online periodically to publish a new CRL, which is then distributed to the CDPs.
        3. Monitoring Accessibility: The MP checks the availability and validity of the CRL at the CDPs. It ensures that the CRL is accessible and up-to-date, even if the root CA itself is not online.

        Regarding your 2-tier PKI setup: Yes, the Management Pack (MP) is capable of monitoring the root CA's CRL, even if the root CA is offline, as recommended. However, to prevent issues like the one you experienced with the expired root CA's CRL, it's essential to ensure that the CRL publication schedule is correctly configured.

        To avoid such disruptions, you should:

        1. Verify the CRL Publication Schedule: Ensure that the CRL is published at appropriate intervals.
        2. Check CRL Validity Periods: Set the validity period of the CRL to match your organization's needs.
        3. Ensure Accessibility: Make sure the CRL is accessible from all necessary locations, including the web location accessible from SCOM.