Script: Lync Certificates Report

Update – May-26-2015: With the help of Yoav Barzilay, we’ve updated the script to include several new features:

  • Support for EDGE server certificate retrieval
  • Support for Skype for Business Server 2015 environments
  • The script includes parameters which allow you to retrieve certificates from FE, EDGE and OWAS servers all together or one at a time
  • Visual improvements
  • Connectivity tests for the servers in a pool
  • A smarter environment filter, to ignore environments with OCS 2007 R2

Download version 0.46 from Here


Update – August-8-2014: With the help of Anthony Caragol, I’ve updated the script to include two new features:

  • The script queries every server within a pool and not just the pool itself
  • The script uses PSRemoting, which allows it to run the Get-CsCertificate cmdlet and return only the certificates assigned to Lync rather than all the certificates that exist on a server, as the previous version did

Download version 0.3 from Here


I’ve been doing some troubleshooting lately for a customer who had some issues with expired certificates in his Lync environment, and he asked me how he can monitor or track the expiration of the existing certificates in his Lync environment.

There are great tools out there which help track and monitor certificates in any environment (not only Lync); the ones I had a chance to work with are:

The problem is that the first tool can run against an internal CA only, which means it either holds a lot of certificates or, alternatively, does not include public certificates.
The cmdlet does an excellent job of providing the information we need, but it can only run against the local server, which might be an issue for an environment with multiple Lync servers and pools.
The third option is easy and very detailed, but it runs against external servers only.

That’s why Yoav Barzilay and I decided to come up with the following script:

Information:

The following script will query every Lync server in the environment which is a Registrar, an EDGE or an OWAS server and will pull the following information for every certificate that exists under the Local Machine store into an HTML report file:

  • Friendly Name
  • Issuer
  • Thumbprint
  • Subject Name
  • Issue Date
  • Expiration Date
  • Expires In (Days)

The information is gathered using the following PowerShell code:

$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store("MY","LocalMachine")   # the Local Machine personal (My) store
$Store.Open("ReadOnly")   # open read-only; $Store.Certificates then holds every certificate in it

Script Features:

  • The script pulls the information from every server by querying the Local Machine container and writes it to an HTML report file
  • Certificates which are about to expire in the next 30 days are colored red
  • The script can also be configured to send the report by email and to run as a scheduled task, so you can be notified on a weekly/monthly basis.
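As an added example (my code, not the script from the post or its author's), here is the core of what the post describes in PowerShell: enumerating LocalMachine\My read-only, computing "Expires In (Days)", flagging the 30-day window in red, and collecting from a server list over PSRemoting. The hostnames and the output file name are placeholders, and HTML-encoding the certificate fields before writing the report is my addition.

```powershell
# Added example, not the post's script: open LocalMachine\My read-only, compute
# "Expires In (Days)" per certificate, and render HTML rows, red inside 30 days.
function Get-LocalMachineCertificateReport {
    param([int]$WarnDays = 30)   # threshold taken from the post
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("MY", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        foreach ($cert in $store.Certificates) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                FriendlyName   = $cert.FriendlyName
                Issuer         = $cert.Issuer
                Thumbprint     = $cert.Thumbprint
                Subject        = $cert.Subject
                IssueDate      = $cert.NotBefore
                ExpirationDate = $cert.NotAfter
                ExpiresInDays  = $daysLeft
                Expiring       = ($daysLeft -le $WarnDays)   # already-expired certs are flagged too
            }
        }
    }
    finally { $store.Close() }
}

function ConvertTo-CertificateHtmlRow {
    param([Parameter(ValueFromPipeline = $true)]$Cert)
    process {
        # HTML-encode each field: Subject, Issuer and FriendlyName are free text
        # controlled by whoever issued the certificate, so never write them raw.
        $fields = 'PSComputerName','FriendlyName','Issuer','Thumbprint','Subject',
                  'IssueDate','ExpirationDate','ExpiresInDays'   # PSComputerName is added by Invoke-Command
        $cells = $fields | ForEach-Object { '<td>{0}</td>' -f [System.Net.WebUtility]::HtmlEncode([string]$Cert.$_) }
        $style = if ($Cert.Expiring) { ' style="color:red"' } else { '' }
        "<tr$style>$($cells -join '')</tr>"
    }
}

# Collect from each server over PSRemoting (hostnames are placeholders) and write one
# table. Invoke-Command needs PowerShell 3.0+ on the machine running the report.
$servers = 'FE01.contoso.local', 'FE02.contoso.local'
$certs = Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-LocalMachineCertificateReport}
$header = '<tr><th>Server</th><th>Friendly Name</th><th>Issuer</th><th>Thumbprint</th><th>Subject</th>' +
          '<th>Issue Date</th><th>Expiration Date</th><th>Expires In (Days)</th></tr>'
$rows = $certs | Sort-Object ExpiresInDays | ConvertTo-CertificateHtmlRow
$html = "<html><body><table border='1'>$header$($rows -join '')</table></body></html>"
Set-Content -Path .\LyncCertificateReport.html -Value $html
```

Run locally, `Get-LocalMachineCertificateReport | ConvertTo-CertificateHtmlRow` produces the rows for one server without any remoting; the `Expiring` flag is what a scheduled run would key an email alert on.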

The current caveats with the script (which will hopefully be solved in the next version):

  • Does not pull EDGE server certificate information
  • Has no awareness of Lync certificate assignments (does not know which certificate is currently assigned)

Output:

Download:

38 Comments

  1. Tom Rimala

    Nice one 🙂 Looking forward to upcoming updates Guy 🙂

    1. Guy Bachar (Post author)

      Thank you, appreciate the feedback 🙂
      I’ve already updated the script with two new features, and hopefully I can get the EDGE servers to work in the upcoming version.

  2. Tom Rimala

    Reblogged this on Universal Communications, My experiences. and commented:
    A really nice initiative on a matter that’s crucial to Lync operations.

  3. soder

    You should not forget about PSTN gateways utilizing SIP TLS (and certificates) as well!

    1. Guy Bachar (Post author)

      That’s good feedback; I’m not sure, though, that I can use the same method for pulling out the information on PSTN gateways, but I’ll definitely look into that.

      1. soder

        Maybe you can include this “grey area” in the instruction guide, just to alert the user of this tool.

        1. Guy Bachar (Post author)

          I’m working on a newer version of the script which will hopefully include the EDGE integration, but I’ll definitely add this comment.

  4. Turbomcp

    Thanks
    Amazing script (it helps to learn some PowerShell tricks too)

  5. Pingback: Weekly IT Newsletter – August 4-8, 2014 | Just a Lync Guy

  6. Pingback: NeWay Technologies – Weekly Newsletter #107 – August 8, 2014 | NeWay

  7. Jason

    Hi Guy
    We have a few customers still using Lync 2010. Any tips on getting your script to work for Lync 2010 environments? I’ve tried, but it fails to get the server list.

    Cheers

    1. Guy Bachar (Post author)

      Hi Jason,

      The script should work for Lync 2010 environments as well, as Get-CsCertificate is available for both Lync 2013 and Lync 2010 (though I haven’t had a chance to test it on Lync 2010).

      What is the error message that you are getting?

  8. edwinvanbrenk

    Running the script errors at line 212: Error Connecting to local server.
    Any ideas why it does this?

    1. Guy Bachar (Post author)

      The reason it may not work is that line 212 uses Invoke-Command, which is part of PowerShell 3.0 and above.

      What kind of OS and PowerShell version are you using?
      I can try to send you the initial version of the script, which can get the certificates list but cannot determine the Lync-assigned certificates, only all certificates.

      1. edwinvanbrenk

        The OS is W2K8 R2, Lync 2010 and PowerShell 4.0

        1. Guy Bachar (Post author)

          That should work. Does it give this error for every Lync 2010 server? I can try to send you an earlier version of the script which gives similar output but works in a different way.

          1. edwinvanbrenk

            Yes it does this on all my Lync servers, I didn’t try my edge. I would like to try the older version so a link would be nice.

          2. Guy Bachar (Post author)

            Send me your email and I’ll send you a link, and I’ll try to troubleshoot it with you.

      2. Bryan Childs

        I had to make this adjustment to the section starting at line 74 (in v0.03) of the script to make it work for Lync 2010; otherwise $ServerList et al. all end up as empty variables (which is then where Invoke-Command falls down, as it has nothing to connect to).

        However, it looks like there’s more work to do, as I then end up with a lot of errors from the Invoke-Command itself, saying it can’t find the Get-CsCertificate command. I’ll look into that too.

        $Poollist = Get-CsPool | Where-Object {($_.Services -like "*Registrar*") -OR ($_.Services -like "*MediationServer*")}
        $EDGElist = Get-CsPool | Where-Object {$_.Services -like "*EDGE*"}
        $WAClist = Get-CsPool | Where-Object {($_.Services -like "*WAC*")}

        $ServerList = @()
        $EDGEServerList = @()
        $WacServerList = @()

        foreach($pool in $PoolList){
            $ServerList += $pool.computers
        }

        foreach($edge in $EDGEList){
            $EDGEServerList += $edge.computers
        }

        foreach($wac in $WACList){
            $WacServerList += $wac.computers
        }

      3. Bryan Childs

        Addendum to previous comment:

        The Invoke-Command needs the scriptblock modified to include "Import-Module Lync;" before the call to Get-CsCertificate. Then it works OK.

        1. Guy Bachar (Post author)

          Thanks Bryan, I’ll include the adjustments in my next version.

  9. Edwinvanbrenk

    I tried your 0.1 version of the script and this works flawlessly for me. Could it be that the version of Lync we’re running has something to do with it? We’re running Microsoft Lync Server 2010 (4.0.7577.0).

    1. Guy Bachar (Post author)

      Hi Edwin,

      Version 0.1 works in a different way than version 0.3.
      In version 0.3 I’m using Invoke-Command, which requires specific versions of PowerShell and Windows, and in version 0.1 I’m using a remote connection directly.
      What version of Windows does your Lync 2010 environment run on? If it’s Windows Server 2003, that could explain it.

      1. edwinvanbrenk

        We run it on Windows Server 2008 R2 x64 SP1. Come to think of it, I never checked our internal firewall for WinRM blocking... hmmmm

  10. Cha Tran

    Hi, I am running Lync 2010 with PowerShell v2; would you be able to send me the older version of this script please? Many thanks. Chau

  11. Bird

    Great script! I am now making use of this in our production environment. Any news on when the Edge servers will be included?

    Also, just as a suggestion, is there a way to include in the report if you were unable to contact a server for some reason?

    Keep up the good work! Thanks!

    1. Guy Bachar (Post author)

      Hi,

      I’m still working on the EDGE piece, hope to have it ready in the next couple of weeks.
      Thanks for the feedback, I’ll try to include as much information as possible.

  12. john weber

    Guy,
    Please fix the edge piece. Line 212 is pitching errors at me. Not seeing the WAS either.

    1. Guy Bachar (Post author)

      Hi John,
      Yes, I’m well aware of this issue; the EDGE is my top priority and I hope to make progress with it very soon and release a newer version of the script.

      1. Madhesh

        Hi Guy, Great Script…
        Any News on edge server??

        1. Guy Bachar (Post author)

          Unfortunately I didn’t have time to get back to work on the EDGE component, but I’m planning to do so in the near future, as well as adding SfB support.
          Wait for updates… 🙂

        2. Guy Bachar (Post author)

          Actually I was able to get some time on this script today and have a newer version now; let me know if you want to test it out before I release it.

  13. Edwinvanbrenk

    I’ll give it a go if you’ll let me.

    1. Guy Bachar (Post author)

      Sure, send me your email and I’ll forward that to you for testing: guy.bachar@gmail.com

  14. Pingback: Script: Lync Certificates Report gets an updated with SfB & EDGE servers support | Just a Lync Guy

  15. soder

    The synopsis seems to be coming from a different script:

    SYNOPSIS
    This script shows Lync users last logon to a Lync pool based on the Lync CDR database and will display Lync Orphaned Users

    1. Guy Bachar (Post author)

      Thanks, I’ll fix it 🙂

  16. Sean McNamara

    Hey Guy, I wanted to use the sendmail feature, and the body was really not formatting. Each table was nested in the previous table. I found an error in your HTML formatting. You aren’t adding a at the end of each server’s results. I added the appropriate code at line 512:

    $UniqeFEServersList = $UniqeFEServersList | Sort-Object -Unique
    foreach ($Server in $UniqeFEServersList)
    {
        Add-Content $ServicesFileName ""
        Add-Content $ServicesFileName ""
        Add-Content $ServicesFileName "$Server (Front End)"
        Add-Content $ServicesFileName ""
        WriteTableHeader $ServicesFileName
        foreach ($item in $RemoteFECertList)
        {
            if ($item.PSComputerName -eq $Server)
            {
                writeServiceInfo $ServicesFileName $item.Use $item.Issuer $item.Thumbprint $item.Subject $item.NotBefore $item.NotAfter
            }
        }
        Add-Content $ServicesFileName "" #sean mcnamara - closes this server's table before the next one starts
    }

    See above. Thanks.

