
PowerShell: Report expiring certificates


There is always an annoyance when a public certificate expires out of the blue! Of course, every certificate “owner”, or the person or department responsible for maintaining the service that requires a specific certificate, should note the expiration date in a public calendar, but that rarely happens in reality. When the service finally stops because of an expired certificate, the whole IT department lines up to dismember the unfortunate PKI admin (without any real grounds to do so!).

But a good PKI admin should maximize the quality of the internal service by automating the supporting work. PowerShell can be very helpful there.

You can always browse through the certificate stores as you would a file system and sort certificates by date. You can even do a little math and define a point in the future against which to compare each certificate's expiration date.

I have created a scheduled script that checks for any certificates due to expire in the next 30 days and emails me a report listing all of them. If no certificates will expire in the next 30 days, I receive no email report.
A nice side effect is that I have scheduled this script to run daily, so I will be nagged by an email every day until I actually renew the old certificate and delete it from the store.

Here is my script, which you can use as you wish:
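An added example of such a daily check, written for this page and not the author's own script: it walks the Cert: drive, keeps only certificates whose NotAfter falls inside the window (already-expired ones are skipped), and sends a report only when something was found. The SMTP server, the mail addresses and the -ExcludeThumbprint parameter (which implements the exclusion penguin suggests in the comments) are assumptions; replace them for your environment.

```powershell
# Added example (not the author's script). The SMTP server and addresses below
# are placeholder assumptions; replace them before scheduling this as a task.
param(
    [int]      $Days              = 30,
    [string]   $SmtpServer        = 'smtp.example.internal',
    [string]   $From              = 'pki-report@example.internal',
    [string]   $To                = 'pki-admin@example.internal',
    [string[]] $ExcludeThumbprint = @()   # certs you know about but will not remove yet
)

function Get-ExpiringCertificate {
    param([int] $Days, [string[]] $ExcludeThumbprint)
    $now    = Get-Date
    $cutoff = $now.AddDays($Days)   # the point in the future to compare NotAfter against
    Get-ChildItem Cert: -Recurse |
        Where-Object {
            -not $_.PSIsContainer -and                   # skip store containers, keep certificates
            $_.NotAfter -le $cutoff -and                 # expires before the cutoff ...
            $_.NotAfter -gt $now -and                    # ... but has not expired already
            $ExcludeThumbprint -notcontains $_.Thumbprint
        } |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = $_.PSParentPath -replace '^.*::', ''
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = [int][math]::Ceiling(($_.NotAfter - $now).TotalDays)
            }
        } |
        Sort-Object NotAfter
}

$expiring = @(Get-ExpiringCertificate -Days $Days -ExcludeThumbprint $ExcludeThumbprint)

# No mail when nothing expires in the window, so the daily task stays quiet until it matters.
if ($expiring.Count -eq 0) { return }

$body = $expiring |
    Format-Table Computer, Store, DaysLeft, NotAfter, Subject, Thumbprint -AutoSize |
    Out-String -Width 200

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "[$env:COMPUTERNAME] $($expiring.Count) certificate(s) expire within $Days days" `
    -Body $body
```

Run it once interactively with a large -Days value to confirm the report format before scheduling it; certificates in the LocalMachine stores are only visible when the task runs with sufficient rights.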


Predrag Mirjanić

About the Author:

I am capable of working as an engineer on complicated projects or as a "one-man band" bringing a project from scratch to successful fruition. Regarding my technical skills, I have quite a lot to offer. Primarily I am a Systems Administrator (Engineer). I have acquired experience in the field by installing, implementing and administering many different Microsoft-based network setups in large ICT environments, in diverse industry and government companies. I am familiar with older operating systems, including Linux/UNIX-based systems. I have designed, installed and implemented different technologies such as Exchange, IP CCTV, BES, SCCM (specifically ZTI), network QoS optimization, and much more. I have good experience with virtualized environments (Microsoft-based). I can apply my skills to help automate processes in order to reduce administrative overheads and/or human errors. I am in the process of developing a WAMP-based (Windows, Apache, MySQL and PHP) company-wide intranet social networking site for document and project management purposes. I am also engineering a hardware-based cloud (powered by Linux OS) for rendering video material, and programming several different RouterOS-based MikroTik routers to deliver a complete network management solution (QoS, bandwidth control, L7 protocol traffic control etc.).


    • penguin, May 6, 2016

      You can always exclude ’em from the report if you do not want to remove them from the store; just add an exclude condition using the Thumbprint property, e.g.:

      $Certificates = Get-ChildItem Cert: -Recurse | Where-Object {($_.Subject -ne $null) -and ($_.Thumbprint -ne "67b1757863e3eff760ea9ebb02849af07d3a8080")}

  1. Darren, July 14, 2017

    I know this is an older post but hopeful that you can help.
    This script looks great but I need to be able to run it against all the servers in my environment.
    Could you update to run against a list of server names in a text file and/or against all the servers in an OU?

    Your help would be greatly appreciated.

    • Predrag Mirjanić, July 14, 2017

      Not basic with Get-ChildItem 🙁

      You need to do something like this (I’m doing this out of my head right now):

      $servers = Get-Content C:\servers.txt
      $certificates = @()
      foreach ($server in $servers) {
          # run the store enumeration remotely and collect the results locally
          $certificates += Invoke-Command -ComputerName $server {
              Get-ChildItem Cert: -Recurse | Where-Object { $_.Subject -ne $null }
              <# rest of the code adding server name as property under New-PSObject #>
          } # end Invoke-Command
      } # end foreach

    • Predrag Mirjanić, July 14, 2017

      This script is designed to be added as a Scheduled Task on servers,
      not to be run one time.

