Does the "Enterprise PKI" MMC allow for any automated testing of the PKI?
I'm using the Enterprise PKI snap in to diagnose and check the health of a MSFT PKI system.
Is there any way to script/automate this tool to alert me to the pending expiration of a CRL or missing AIA?
No, PKIView.msc do not provide any automation means/capabilities. You have to write your own scripts. What I would suggest (sorry, no actual code, but a way to do this) is to consider the following plan and possible tools (assuming, you will use Windows PowerShell):
- enumerate all Enterprise Certification Authorities (by using ICertConfig interface)
- loop over each CA and retrieve the most recent CA Exchange certificate (ICertAdmin::GetCAProperty with
CR_PROP_CAXCHGCERT
in thePropId
parameter) - use X509Chanin.Build() method to build the chain for each CA Exchange certificate. This will give you all certificates to examine.
- loop over each certificate and use CryptGetObjectUrl function to extract URLs from CDP and AIA extensions.
- use Invoke-WebRequest cmdlet to attempt to download objects from URL gathered in previous step.
- report any failed downloads. If the download succeeds, you can set tresholds to warn about items about to expire or already expired.
There are a lot of ways, but I would go with this one (I'm planning to work on this in next year, so it is possible).
and the last suggestion: if you are looking for a reliable solution, do not rely on certutil output parsing, because its output depends on a number of factors and may not the one you expect.
Also, this task will be simplified if you will use PowerShell PKI module. This module already offers ways to enumerate Enterprise CAs, read CRLs in a managed way, retrieve CA Exchange certificates and so on.
update 26.12.2014: a PoC of the script is now available: Enterprise PKI (pkiview.msc) PowerShell Edition (PoC)