I’ve been wondering about the best way to get at the info in certs through relevance. I was trying to track down a WMI query that would do this. The info is in the registry, but it is not easy to decode.
I would prefer a way to query the info using relevance, but even if a task could be run to dump out the data periodically and then read the results in with an analysis, it would be something.
One of our guys here has written a PowerShell script that will identify any certs that are going to expire within a given period of time, or that have already expired; the script then exports the cert information to a text file. From IEM I should then be able to execute the PS script as a Task, identify if the file exists with data in it, and return a TRUE value letting us know that someone needs to touch the machine and decide what to do with the expired/expiring certs.
If we get it working, I’ll try to post the code up on BigFix.me.
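A PowerShell script along the lines this post describes, added here as an example rather than the poster's actual script; the store path, the output path and the 30-day default are assumptions:

```powershell
# Added example, not the poster's script: report certificates in a Windows
# certificate store that have expired or will expire within -DaysAhead days,
# writing one line per certificate to a text file. Store path and output
# path are assumptions; adjust them to the environment.
param(
    [int]$DaysAhead = 30,
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$OutFile = 'C:\ProgramData\CertCheck\expiring-certs.txt'
)

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# The Cert: drive exposes each store; NotAfter is the certificate's expiry date.
$flagged = Get-ChildItem -Path $StorePath |
    Where-Object { $_.NotAfter -le $cutoff } |
    Sort-Object NotAfter

$dir = Split-Path -Path $OutFile -Parent
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

if ($flagged) {
    $lines = foreach ($cert in $flagged) {
        $state = if ($cert.NotAfter -lt $now) { 'EXPIRED' } else { 'EXPIRING' }
        # Tab-separated: state, thumbprint, subject, expiry date
        "{0}`t{1}`t{2}`t{3:yyyy-MM-dd}" -f $state, $cert.Thumbprint, $cert.Subject, $cert.NotAfter
    }
    Set-Content -Path $OutFile -Value $lines -Encoding UTF8
} else {
    # Leave a zero-byte file so a "size > 0" check stays false when nothing needs attention.
    [System.IO.File]::WriteAllText($OutFile, '')
}

Write-Output "$(@($flagged).Count) certificate(s) written to $OutFile"
```

The relevance check the post describes would then be along the lines of `exists file "C:\ProgramData\CertCheck\expiring-certs.txt" whose (size of it > 0)`, with the path matching whatever the Task passes as -OutFile.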
There are some limited inspectors, which could use some expansion, that only show the "invalid before" and not the "invalid after". These also have limited scope, as they only work on files.