PowerShell: Alert me when Certificates expire soon

An expired certificate is a nuisance. On a web server, it shows up as an untrusted-connection warning when a user tries to open the web page. In this article we will change that together and make sure that we find certificates that will expire soon.

The Goal

In short, I will provide a few lines of code that retrieve all certificates from all domain-joined servers that will expire in 30 days or less.

The result is output that shows the server name, the certificate and the expiration date.

The Code

The following code retrieves all Windows servers by name. It then establishes a remote connection to each server and retrieves all certificates that will expire in 30 days or less. All information is collected in an object, and the output is shown in the console window.


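    # Requires the ActiveDirectory module (RSAT) and PowerShell remoting enabled on the servers
    Import-Module ActiveDirectory

    # Names of all domain-joined computers running a Windows Server operating system
    $servers = (Get-ADComputer -Filter {operatingsystem -like '*server*'}).Name
    $result = @()

    foreach ($i in $servers)
    {
        # Servers that cannot be reached are skipped without an error message
        $a = Invoke-Command -ComputerName $i -ErrorAction SilentlyContinue {
            Get-ChildItem Cert:\LocalMachine\My -Recurse |
            Where-Object {$_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and $_.NotAfter -gt (Get-Date) -and $_.NotAfter -lt (Get-Date).AddDays(30)}
        }

        # One output row per expiring certificate
        foreach ($c in $a) {
            $result += New-Object -TypeName PSObject -Property ([ordered]@{
                'Server'      = $i;
                'Certificate' = $c.Issuer;    # the Certificate column shows the issuer name
                'Expires'     = $c.NotAfter
            })
        }
    }

    Write-Output $result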

Run this code in PowerShell ISE to test the functionality in your environment.

I also recommend putting the code into a scheduled task that runs regularly. Instead of writing the output to the console, you could send an e-mail message.

If that’s what you want, just follow my article PowerShell: Alert me when Disk Space is running low on my Windows Servers (E-Mail Notification), where you can find a template for configuring e-mail notification and creating a scheduled task.
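As an added example (not code from this article or from the linked template), here is one way to turn the collected objects into an HTML e-mail body with a days-remaining column. The function name ConvertTo-CertReportHtml, the extra Subject and Thumbprint properties, the sample rows and the example.test addresses are assumptions made for illustration.

```powershell
# Added example: build an HTML e-mail body from the objects collected in $result.
function ConvertTo-CertReportHtml {      # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,
        [int] $WarnDays = 30
    )
    $now  = Get-Date
    $rows = $Certificate |
        Where-Object { $_.Expires -gt $now -and $_.Expires -lt $now.AddDays($WarnDays) } |
        Sort-Object Expires |
        Select-Object Server, Subject, Thumbprint, Certificate,
            @{ Name = 'Expires';  Expression = { $_.Expires.ToString('yyyy-MM-dd HH:mm') } },
            @{ Name = 'DaysLeft'; Expression = { [int][math]::Floor(($_.Expires - $now).TotalDays) } }
    if (-not $rows) { return $null }     # nothing expiring: the caller can skip the mail
    $style = '<style>table{border-collapse:collapse} th,td{border:1px solid #999;padding:4px 8px}</style>'
    $intro = "<p>Certificates expiring within $WarnDays days (soonest first):</p>"
    # ConvertTo-Html returns an array of lines; join them into one string for -Body
    ($rows | ConvertTo-Html -Head $style -PreContent $intro) -join "`n"
}

# Constructed sample rows standing in for $result. Subject and Thumbprint are assumed
# additions to the result object ('Subject'=$c.Subject; 'Thumbprint'=$c.Thumbprint),
# because the issuer alone does not tell you which certificate has to be renewed.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Server = 'SRV01'; Subject = 'CN=srv01.example.test'; Thumbprint = '<thumbprint-1>'
                       Certificate = 'CN=Example Issuing CA'; Expires = $now.AddDays(25) }
    [pscustomobject]@{ Server = 'SRV02'; Subject = 'CN=intranet.example.test'; Thumbprint = '<thumbprint-2>'
                       Certificate = 'CN=Example Issuing CA'; Expires = $now.AddDays(3) }
    [pscustomobject]@{ Server = 'SRV03'; Subject = 'CN=srv03.example.test'; Thumbprint = '<thumbprint-3>'
                       Certificate = 'CN=Example Issuing CA'; Expires = $now.AddDays(200) }   # filtered out
)

$body = ConvertTo-CertReportHtml -Certificate $sample
if ($body) {
    $body    # shown here; in the scheduled task send it instead (placeholder addresses and server):
    # Send-MailMessage -From 'certs@example.test' -To 'admins@example.test' -SmtpServer 'smtp.example.test' `
    #     -Subject 'Certificates expiring soon' -Body $body -BodyAsHtml
}
```

The function returns nothing when no certificate falls inside the window, so the scheduled task only sends mail when there is something to renew.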

See you next time with PowerShell and automation …

13 replies »

  1. Hi Patrick,

    Is there a way to specify a specific server and a specific SSL cert on said server, as opposed to all servers and all certs?

  2. Hello Patrick,

    Thank you for providing this script.

    Can you ask how you can also get this script to email out the results?

    Is that something that needs to be written in to the script you provided?

  3. Hello,

    I love your script, great work. I followed your guide to set up email notifications for this script, however I’m having issues printing it in the body. I’ve searched around, and I guess you can’t put PS Objects directly into the body of an email.

    How would I replicate the neat format of “Write-Output $result” in an email body?

    Thank you!
    Nick W.
