Certificate Expiry Monitoring DashBoard

Polaris is a micro-framework to build the Wep API/s; similar like Flash (Python) but Polaris is having very minimum feathers & that is worked with PowerShell. Polaris Page can be restricted by Active Directory security group & APIs can be publish using SSL for security .

Use case

• Certificate expiry monitoring is very CRITICAL. Create beautiful Dashboard without write any HTML Code & grant access by using AD security group to access those pages .
• Any kind of report can be integrated. Like : AD , DNS , Azure & so on.

Solution implementation time

• 15 minutes.

Prerequisites

• Polaris
• PsWriteHTML
• gMSA (Optional)
• AD Security group for RBAC (Optional).
• Certificate for SSL (Optional).
• Git agent. ```diff
• All optional components are used for security purpose & those are required in Production. ```

Description

• 𝗣𝘀𝗪𝗿𝗶𝘁𝗲𝗵𝘁𝗺𝗹 with 𝗣𝗼𝗹𝗮𝗿𝗶𝘀. Both the modules are available in PowerShell Gallery . GIven the links above. Build your Dashboard or Dynamic HTML report with ZERO html code . All feathers are available those are required for a Standard Dashboard. Like pagination , conditional formatting, csv export & many more . Tested on Windows & Linux . Lots of sample HTML examples are available on Github !
• Polaris : Web API Module - API will run as a service optionally gMSA(Group Managed Service Account) could be use with that service.
• Refer MSFT Blog for gMSA: gMSA
• PswriteHTML : Build your Dashboard or Dynamic HTML report with ZERO html code
• Certificate Teamplate names are hard coded & those need to change manually; dynamic Template’s name can be possible using PowerShell Advance Function.

Implementation Instruction

mkdir c:\temp
cd C:\temp\
git clone https://github.com/21bshwjt/pki-polaris.git
mkdir C:\WebApi\Logs
Copy-Item C:\temp\pki-polaris\* -Recurse C:\WebApi\ -Force -Verbose

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

Install-Module -Name Polaris -AllowClobber -Force

Install-Module -Name PSWriteHTML -AllowClobber -Force

• One AD service account/gMSA is needed for running a Windows scheduled task; that account needs to have CA server’s admin privileges. Code is present into the folder called “build-apicache”. Which will connect the CA server remotely & get the relevant data & export to a JSON file. Schedule task could be run once or twice in a day.
• Polaris will run as a Windows service by using nssm. Code is present in gMSA folder. Download nssm - https://nssm.cc/download . Another service account/gMSA is needed to run the Windows service into the local server with admin privileges.
• Read Polaris documentation to understand how Polaris works.

There are three codes those are created the Dashboard sucessfully . Those are under ‘routes’ , ‘subroutes’ & ‘build-apicache’ folders.

mainpol.ps1 will run the API & that is the only file that needs to be running by Windows Service or Scheduled tasks. Remaining files will be called during the runtime by mainpol.ps1. Use VSCode or ISE for testing . Create Windows Service associated with mainpol.ps1 once all are going good.

[routes]

• Content of certexpiry.ps1 for anonymous access - Pointing Subroute

  New-PolarisGetRoute -Path "/certexpiry" -Scriptblock {
    $pkiexp = . C:\WebApi\subroutes\certexpiry.ps1
    $Response.SetContentType("text/html")
    $Response.Send($pkiexp)
  }
  

• Content of certexpiry.ps1 for restricted access through AD Security Group - Pointing Subroute
• sg-polaris is an AD Security group.

  New-PolarisGetRoute -Path "/certexpiry" -Scriptblock { 
   if( -not $Request.User.IsInRole("sg-polaris") ) {
      $Response.SetContentType('text/html')
      $Html = Get-Content C:\WebApi\htmls\denied.html -Raw
      $Response.Send($Html)
   } else {
      $pkiexp = . C:\WebApi\subroutes\certexpiry.ps1
      $Response.SetContentType("text/html")
      $Response.Send($pkiexp)
   } 
  }
  

• Users will get simillar message like below those users are not part of that Group.

[subroutes]

• Content of certexpiry.ps1 - Dashboard Build Code

  [void](Import-Module PSWriteHTML)   
  $Title = 'Dashboard | PKI-Expiry'
  $icon = 'Your Image URL'
  $headertxt = "<h1>Corp Certificate Expiry Report</h1>"
  $TableTitle = "MSFT-CA1 Expiry Report"
  $data = Get-Content "C:\WebApi\apicache\cert.json" | ConvertFrom-Json
  $DbwriteTime = (Get-Item "C:\WebApi\apicache\cert.json").LastWriteTime
  New-HTML -FavIcon $icon -TitleText $Title -AutoRefresh 50 {
    New-HTMLContent -HeaderText "<center>$headertxt</center><span><center>Refreshed: $DbwriteTime</center></span>" {
        New-HTMLTable -Title $TableTitle -DataTable $data -HideFooter -PagingOptions @(12, 24) {
         #Conditional Formatting
         TableConditionalFormatting -Name 'DaysUntilExpired' -ComparisonType number -Operator le -Value 364 -Color white -BackgroundColor Red
         TableConditionalFormatting -Name 'DaysUntilExpired' -ComparisonType number -Operator ge -Value 363 -Color Black -BackgroundColor PaleGreen
              
        } 
    }
  }
  

• Build beautiful Dasboard like below without writing any HTML/JS code.

Certificate names are missing into the above screenshot because of those are default published Certificates without having Subject name. That will be not the case when new template will be created.

[build-apicache]

• File called certexpiry_cachebuilt.ps1 under “build-apicache” folder - Scheduled tasks Code.
• Look the comment sections into that code.
• Change CA Server name and CA Template names & Template OIDs into the Code as per your env. Given a screenshot below.

How to Test the APIs ?

• Step1 : Test Home Page (HTML) : http://server-fqdn:81/home
• Step2 : Test Employees Page (PsWriteHTML) : http://server-fqdn:81/employees
• Step3 : Test Certificates Expiry Report (PsWriteHTML) : http://server-fqdn:81/certexpiry

API Port

• Port can be changed into mailpol.ps1 .

Enable SSL

• One Certificate is needed for SSL binding & import that Certificate into API server computer store.
• Enable the SSL once API is running fine. Replace the mainpol.ps1 from enable_ssl folder.
• Put a Friendly name into the same Certificate; please refer the below screenshot & change the same into the code (line nos. 12).

Test the SSL enabled API using PowerShell from the local server.

• SSL is enabled with default port (TCP:443).
• Output should be 200.

  $creds = Get-Credential
  $HostName = ($env:COMPUTERNAME+"."+$env:USERDNSDOMAIN).ToLower()
  $url = "https://$($HostName)/home"
  (Invoke-WebRequest -Uri $url -Credential $creds).StatusCode
  

Troubleshooting on API

• Check the logs from /Logs Folder. Also Log will show all the existing Routes (e.g. given below).

Path   : /home
Method : GET

Path   : /certexpiry
Method : GET

Path   : /employees
Method : GET

Path   : /json_payload
Method : GET

Path   : /domaincontroller
Method : GET

JSON Payload

• An example route is present called jason_payload that can be used from any application and from any operating system.
  _______________________________________

• Wiki
• Me@LinkedIn
• Certificate expiry intial code taken from TechNet Forum.
• Thanks to Deepak Dhami , Siva Nallagatla , Prateek Singh & Chen V. Special Thanks to Przemyslaw Klys (PswriteHTML Module Devoloper).

---

+ Please share your comments & feedbacks.