Tuesday, January 31, 2017

Filtering out certificates with blank Common Name when using the Certificate Expiration Alerting command tool

I’ve found that many of my clients with services that rely on Microsoft Certificate Authorities deployed within the internal network have frequently asked me whether there was a way to monitor the expiry of these issued certificates and the answer to that is yes, with the Certificate Expiration Alerting tool found here:

Certificate Expiration Alerting
https://blogs.technet.microsoft.com/nexthop/2011/11/17/certificate-expiration-alerting/

The next common question that usually pops up shortly after testing the tool is whether there was a way to filter out issued certificates that have blank common names as shown in the following screenshot:

CertExpAlerter.exe -c "cert01\Company-CA" -d 312


Note that the command above queried for certificates that expire in 312 days, and 3 certificates were returned, of which 2 had blank common names. The way to filter the common name as described in the TechNet article is with the use of RegEx, and the only reason why I am familiar with it is because I used to work with Lync Enterprise Voice quite a bit, which forced me to learn it for creating translation rules. The RegEx expression we’re interested in is the following:

^(?!\s*$).+

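The expression above matches any string that contains at least one non-whitespace character: the negative lookahead (?!\s*$) rejects a value that is empty or made up entirely of whitespace, and .+ then matches the rest of the value. The result is that certificates with blank common names are excluded.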
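
The following is an added example, not part of the original post or of the Certificate Expiration Alerting tool. It applies the expression to constructed certificate rows and compares it with a plain .+ pattern, which still lets whitespace-only common names through. It assumes the tool's regex engine handles the lookahead, \s and $ the same way Python's re module does; the function name, request IDs and host names are made up for illustration.

```python
import re
from datetime import date, timedelta

# The expression from the post, plus a naive pattern for comparison.
NON_BLANK_CN = re.compile(r"^(?!\s*$).+")
NAIVE = re.compile(r".+")

TODAY = date(2017, 1, 31)  # fixed date so the example is reproducible

# Constructed sample rows: (request ID, common name, expiry date).
# These are illustrative values, not real CA database output.
ISSUED = [
    (101, "lync01.company.local", TODAY + timedelta(days=300)),
    (102, "", TODAY + timedelta(days=310)),            # empty CN
    (103, "   ", TODAY + timedelta(days=200)),         # spaces only
    (104, "\t", TODAY + timedelta(days=30)),           # tab only
    (105, " web01.company.local", TODAY + timedelta(days=90)),  # leading space
    (106, "old.company.local", TODAY + timedelta(days=400)),    # outside window
    (107, None, TODAY + timedelta(days=10)),           # CN attribute missing
]


def expiring(rows, days, cn_pattern, today=TODAY):
    """Return request IDs that expire within `days` and whose CN matches."""
    cutoff = today + timedelta(days=days)
    return [
        request_id
        for request_id, cn, expiry in rows
        # A missing CN is treated as an empty string before matching.
        if today <= expiry <= cutoff and cn_pattern.match(cn or "")
    ]


if __name__ == "__main__":
    print("post's pattern:", expiring(ISSUED, 312, NON_BLANK_CN))
    print("naive .+      :", expiring(ISSUED, 312, NAIVE))
```

A common name with leading whitespace followed by text (request 105) is kept, because the lookahead only rejects values that are whitespace from start to end.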


Hope this helps anyone who is unfamiliar with RegEx and is looking for the expression to filter out blank common names.
