ratkinsonuk
Expert
Posts: 105
Liked: 15 times
Joined: Dec 10, 2018 10:59 am
Full Name: Robert Atkinson

Finding Certificate Expiration Using Powershell API

Post by ratkinsonuk »

I'd like to know if any of the Veeam365 Powershell API can be used to get the expiration date of the current M365 application certificate for an organization?

We had a nasty incident yesterday where the certificate expired and the backups were failing, but it took multiple teams to restore the access. Our Azure team doesn't check certificates as part of BAU, so I'm looking to add this to some checks we already run within the Veeam environment.

Thanks, Rob.
Polina
Veeam Software
Posts: 3140
Liked: 757 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva

Re: Finding Certificate Expiration Using Powershell API

Post by Polina »

Hi Rob,

Unfortunately, to the best of my knowledge, we don't provide such APIs.
sherzig
Veeam Software
Posts: 210
Liked: 47 times
Joined: Dec 05, 2018 2:44 pm

Re: Finding Certificate Expiration Using Powershell API

Post by sherzig »

Hi Rob,

When you know the friendly name (or thumbprint) of the used certificate, you can check that using PowerShell. The certificate's friendly name I used for the application registration was "vbov6":

Code:

dir cert: -Recurse | Where-Object { $_.FriendlyName -like "*vbov6*" } | Select-Object NotAfter, Subject

Or you can check it the other way round: does my certificate expire in 1 year or less?

Code:

dir cert: -Recurse | Where-Object { $_.NotAfter -gt (Get-Date) -and $_.NotAfter -lt (Get-Date).AddYears(1) -and $_.FriendlyName -like "*vbov6*" }

Hope this helps.

Edit: I use a self-signed cert created by Veeam Backup for Microsoft 365. Please consider Jorge's input.

Steve
jorgedlcruz
Veeam Software
Posts: 1476
Liked: 652 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz

Re: Finding Certificate Expiration Using Powershell API

Post by jorgedlcruz »

Hello Robert,
As Polina said, we do not have these exposed on the API or PowerShell. As usual, you can combine some of what we have with what M365 offers you by default; let's jump right into context.
You can get the AppID we use by using an API call:

Code:

curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer YOURTOKEN' 'https://YOURVB365Server:4443/v6/Organizations/YOURORGID/Applications'

Or by PowerShell:

Code:

$vb365Org = Get-VBOOrganization -Name "M365x42552316.onmicrosoft.com"
Get-VBOApplication -Organization $vb365Org

Id                                   DisplayName              Tags
--                                   -----------              ----
a5ed015c-4c75-459d-8837-33d4e1eeb3ac BrowserStack             {}
8f19384e-ba23-4490-b375-3c0bebd3c7fd Veeam M365x42552316      {}
825bc308-9874-41b3-9604-9213c6994461 LinkedIn                 {}
79b7911f-c941-4362-b8da-7b389fd690cc Veeam Restore Portal v6a {}
6b354c37-5e80-4925-bb5b-2ed7ef3bca04 Box                      {}
5794cda7-9e4a-429d-942c-32d8eed7eb93 Salesforce               {}

Well, or really from the Console if you want:

Excellent; now that we know it is the ID 8f19384e-ba23-4490-b375-3c0bebd3c7fd, we will use the native Azure AD PowerShell commands to know the SSL certificate's expiration:
We start with the basics

Code:

Install-Module AzureAD
Connect-AzureAD

And we jump into the meat:

Code:

$appId = "8f19384e-ba23-4490-b375-3c0bebd3c7fd"
$appCert = Get-AzureADApplication -Filter "AppId eq '$($appId)'" | select KeyCredentials

That has saved the SSL certificate details inside the appCert variable; let's see what is inside:

Code:

Write-Host $appCert.KeyCredentials
class KeyCredential {
  CustomKeyIdentifier: System.Byte[]
  EndDate: 8/10/2032 1:02:44 PM
  KeyId: b773ba47-5614-4cf5-9d94-00b15b7fd8b7
  StartDate: 8/10/2022 1:02:46 PM
  Type: AsymmetricX509Cert
  Usage: Verify
  Value:
}

Oh, that is nice; now I only really want the EndDate, so:

Code:

Write-Host $appCert.KeyCredentials.EndDate
8/10/2032 1:02:44 PM

Knowing this, you can now build a simple script that sends this metric to your monitoring system, via email, etc.

Here you can find an official script that will generate a nice CSV; maybe you can hardcode the days and path, so, let's say, everything that will expire in 30 days only, and run it every week.

Hope it helps.
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
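
The monitoring check suggested in the post above, as an added example that is not part of the thread or Veeam's code: it classifies every certificate credential of the application by the days remaining until `EndDate`. The function name `Test-KeyCredentialExpiry`, its parameters, the 30-day default and the sample credentials are assumptions constructed for illustration.

```powershell
# Added example; Test-KeyCredentialExpiry and its parameters are hypothetical names.
function Test-KeyCredentialExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $KeyCredentials,
        [int] $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # No certificate credential at all breaks certificate-based auth just like an expired one.
    if ($KeyCredentials.Count -eq 0) {
        return [pscustomobject]@{ AppId = $AppId; KeyId = $null; EndDate = $null
                                  DaysLeft = $null; Status = 'MISSING' }
    }
    # An application can carry several credentials (e.g. during rotation): report each one.
    foreach ($cred in $KeyCredentials) {
        $daysLeft = [int][math]::Floor(($cred.EndDate - $Now).TotalDays)
        $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le $WarnDays) { 'WARNING' } else { 'OK' }
        [pscustomobject]@{ AppId = $AppId; KeyId = $cred.KeyId; EndDate = $cred.EndDate
                           DaysLeft = $daysLeft; Status = $status }
    }
}

# Constructed sample input shaped like the KeyCredential objects in the post (not real data).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000001'; EndDate = $now.AddYears(5) }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000002'; EndDate = $now.AddDays(12) }
    [pscustomobject]@{ KeyId = '00000000-0000-0000-0000-000000000003'; EndDate = $now.AddDays(-1) }
)
$appId = '8f19384e-ba23-4490-b375-3c0bebd3c7fd'   # AppId from the post
$results = Test-KeyCredentialExpiry -AppId $appId -KeyCredentials $sample -Now $now
$results | Format-Table KeyId, EndDate, DaysLeft, Status

# Live use with the AzureAD module from the post, after Connect-AzureAD:
#   $app = Get-AzureADApplication -Filter "AppId eq '$appId'"
#   $results = Test-KeyCredentialExpiry -AppId $appId -KeyCredentials $app.KeyCredentials

# Hand anything that is not OK to the scheduler or monitoring agent.
$bad = @($results | Where-Object Status -ne 'OK')
if ($bad.Count -gt 0) { Write-Warning "$($bad.Count) credential(s) expired, expiring or missing for $appId" }
```
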
ratkinsonuk
Expert
Posts: 105
Liked: 15 times
Joined: Dec 10, 2018 10:59 am
Full Name: Robert Atkinson

Re: Finding Certificate Expiration Using Powershell API

Post by ratkinsonuk »

Thanks Jorge. I did some Googling on how to get the info directly from Azure using AzureAD and Azure Az, but it all looked a bit complicated. I think your solution is simple, but will take me some time to integrate using our authentication certificates.

For info, the thumbprint is available directly from the Get-VBOOrganization object. I suspect it would be difficult to obtain the expiration dynamically within the existing VBM365 code, but I'd appreciate it if you can log an enhancement request to store the expiration date in the Veeam database when the thumbprint is saved.

PS > $a = Get-VBOOrganization
PS > $a.Office365ExchangeConnectionSettings


ApplicationId : f2937xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AuthenticationType : ApplicationOnly
ImpersonationAccountName : ukvbo365@xxxxxxxxxxxxxxxxxx.onmicrosoft.com
OfficeOrganizationName : penguinxxxxxxxxxxxxxxxxxxxxxxxx
NewApplicationName :
ConfigureApplication : False
ApplicationCertificateThumbprint : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ApplicationCertificatePath :
ApplicationCertificatePassword :
SharePointSaveAllWebParts : False
jorgedlcruz
Veeam Software
Posts: 1476
Liked: 652 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz

Re: Finding Certificate Expiration Using Powershell API

Post by jorgedlcruz »

Hope the latest script attached could be easier to use, it is just a few clicks.

But yes, I agree, the expiry date as part of the PS/API from VB365 could be useful, as we already expose the thumbprint.

Let us know
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion