Powershell to check SSL certificates Expiration dates

SSL certificates expire every now and again.

After getting caught off guard about an expired SSL certificate, I thought I’d search and see if I could find a powershell script I could run on the web front ends where the certs are installed.

I found a post on stack overflow that was a good starting point:
http://stackoverflow.com/questions/16181725/powershell-script-to-find-currently-bound-expiring-certificates-in-iis

I made a few simple modifications, formatting the output slightly differently, and adding email to the script, but basically what you see below is mostly from the above post, credit goes to Ansgar Wiechers for posting the solution I used.

You’ll want to test the script as is, then change the $DaysToExpiration to something more reasonable such as 30.

import-module webadministration
$DaysToExpiration = 700 #change this once it's working

$expirationDate = (Get-Date).AddDays($DaysToExpiration)

$sites = Get-Website | ? { $_.State -eq "Started" } | % { $_.Name }
$certs = Get-ChildItem IIS:SSLBindings | ? {
           $sites -contains $_.Sites.Value
         } | % { $_.Thumbprint }

$body = Get-ChildItem CERT:LocalMachine/My | ? {
  $certs -contains $_.Thumbprint -and $_.NotAfter -lt $expirationDate
}
$body | select friendlyname, Subject, @{Name="Expiration"; Expression = {$_.NotAfter}} | fl | out-string

$PCName = $env:COMPUTERNAME
$EmailFrom = "$PCName@yourdomain.com"
$EmailTo = "YourEmail@yourdomain.com"
$EmailBody = $body | select friendlyname, Subject, @{Name="Expiration"; Expression = {$_.NotAfter}} | fl | out-string
$EmailSubject = "Certificates Expiring within $DaysToExpiration days"
$SMTPServer = "yoursmtpserver.yourdomain.com"

if ($EmailBody.Length -gt 1)
{
  Write-host "Sending Email"
  Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body $EmailBody -SmtpServer $SMTPServer
}

I added this script to the “Scripts” folder on my Web servers, and then created a windows “Scheduled task” to run PowerShell along with the script, scheduled nightly. I let it run a few times with $DaysToExpiration set to 700 (to confirm I would actually get the email.) After I knew that it worked I changed the number to a more reasonable 45.

5 thoughts on “Powershell to check SSL certificates Expiration dates

    1. Tony, check out PowerShell Remoting. I don’t have any articles about it here presently, but there are good guides on setting it up out there.

  1. Hey, for some reason when i run this script no data enters into $certs.

    do you have any idea why it can be happening? i have ssl configured.

    Thanks

    1. Try a few lines manually
      open a new powershell and type import-module webadministration
      does that work?
      If you then type IIS: and hit enter, does that work?
      if you type Get-ChildItem IIS:SSLBindings – do you see any?

      If all that is good, then there might be an issue with your where clauses – ie are the sites in a ‘started’ state, etc…
      – Jack

      I’m guessing that you’ve possibly not got the IIS powershell extensions, or you could have an issue with the Where clause

      1. when i write – Get-ChildItem IIS:SSLBindings – it gives me this error:

        Get-ChildItem : Cannot find drive. A drive with the name ‘IIS’ does not exist.
        At line:1 char:1
        + Get-ChildItem IIS:SSLBindings
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : ObjectNotFound: (IIS:String) [Get-ChildItem], DriveNotFoundException
        + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

        where can i get the extensions from?

        command line will be great

        thanks

Leave a Reply