PKI Certificate Expiry Reporter


  1. This utility requires an LDIF file as input.

    Providing a GUI utility which caters for all environments takes more development effort and is frankly unjustified considering there are already many tools available for collecting the required certificate data.

  • The LDIF file must contain objects of class "nDSPKIKeyMaterial" and attributes per object called "NDSPKIPublicKeyCertificate" (base64 encoded) AND "hostServer". (When an attribute name appears with "::" after it, then it is base64 encoded.)

  • Using a valid LDIF file as input, the PKI Key expiry date for each of the certificate objects will be extracted and reported.

  • The total number of years, months and days (independent of each other), remaining before expiry is calculated.

  • The results are written to a text report as well as a CSV (comma delimited file) in the format:

    Object Name , Context, Date Trusted Root Expires, Date Public Key Expires, Total Years Until PK Expires, Total Months Until PK Expires, Days Until PK Expires

  • A DOS batch file is provided to collection of the LDIF data uing ice.exe, called "Export-PKData.bat". Copy this file from the installation directory, into the directory where the ice.exe resides, e.g. "C:\novell\consoleone\1.2\bin".

    Execute the batch file to see a list of the command line parameters required.

    Using ICE/ldapsearch/iManager/ConsoleOne, export the certificate data for all objects of class nDSPKIKeyMaterial along with the attributes NDSPKIPublicKeyCertificate and hostServer.

  • If a non-eDirectory LDIF file is used, then it must only contain ONE class / object type, the objects which hold the NDSPKIPublicKeyCertificate or equivalent attribute. Use the Attribute Mapping feature to associate the attribute to the public key certificate

Copyright Novell AU Pty Ltd

This utility is provided without warranty or claims.

If you're not happy with it, keep searching.... the perfect tool might be out there.



Comment List
  • in reply to MigrationDeletedUser
    Sorry about the missing file, it would have contained the ICE command syntax for exporting the certs. Can't add that file now, been a long time since I built that installable.

    You can use ConsoleOne ICE export or iManager too, or ldapsearch command line.

    ldapsearch -x -h server_IP -p 389 -D cn=user,o=org -w password -b "" -s sub "(nDSPKIKeyMaterial)" NDSPKIPublicKeyCertificate hostServer > file.ldif

    ldapsearch -x -H ldap://server_name -D cn=user,o=org -w password -b "" -s sub "(nDSPKIKeyMaterial)" NDSPKIPublicKeyCertificate hostServer > file.ldif

    Depending on your LDAP server security you may need to drop the "-x" and supply a certificate to authenticate.

    I don't think you'll need to authenticate to get at the data you need to check the certs, therefore this should work:

    ldapsearch -x -h server_IP -b"" -s sub "(nDSPKIKeyMaterial)" NDSPKIPublicKeyCertificate hostServer > file.ldif

    If you're on a Linux server with eDir on it then will probably work,

    ldapsearch -x -b"" -s sub "(nDSPKIKeyMaterial)" NDSPKIPublicKeyCertificate hostServer > file.ldif

  • Documentation refers to a file called "Export-PKData.bat" which does not appear to be included in the ZIP file supplied.
  • in reply to MigrationDeletedUser
    Apologies for the long delay, I don't check this very often.

    How would we get hold of these certs to check? The util is designed for mass cert checks. for individual user certs, on Windows, you can right-click the file and check the expiry.
  • Can be this added to this app ?