- Compress SMB data in Windows 11 and Server 2022 - Mon, Oct 4 2021
- Install Windows 11 in a virtual machine - Tue, Sep 28 2021
- IE to Edge migration: Redirect legacy web apps to Internet Explorer - Tue, Sep 21 2021
For web servers that are accessible via the public Internet, there are numerous online services that can check at regular intervals when certificates expire and then notify the webmaster in good time. In the company network, many monitoring tools can take over this task.
If you are limited to the onboard tools for this purpose, you can use PowerShell. With the help of a relatively simple script, all servers can be scanned for certificates that will soon reach their expiration date.
Retrieving all servers from the AD ^
The following example reads all computers running Windows Server from Active Directory and remotely accesses their certificate store under LocalMachinemy. It displays all certificates that expire in less than 14 days or that have already expired.
To prevent the script from hanging when a server is not reachable, the Test-Connection cmdlet checks whether the target host is online.
$cred = Get-Credential
$c = 0
$servers = Get-ADComputer -Filter "OperatingSystem -like 'Windows Server*'"
$servers | foreach{
$p = ($c++/$servers.count) * 100
Write-Progress -Activity "Checking $_" -Status "$p % completed" -PercentComplete $p;
if(Test-Connection -ComputerName $_.DNSHostName -Count 2 -Quiet){
Invoke-Command -ComputerName $_.DNSHostName -Credential $cred `
{dir Cert:\LocalMachine\my | ? NotAfter -lt (Get-Date).AddDays(14)}
}
}
If necessary, you could restrict the list of servers by specifying certain OUs with the SearchBase parameter; alternatively, you could read them from a text file.
Subscribe to 4sysops newsletter!
Interactive execution of the script to check the expiration date of certificates
Conclusion ^
The script is intended for interactive execution and shows the progress of the operation with Write-Progress. You could, of course, also customize it to run as a Scheduled Task and be notified by email if a certificate is about to expire.
This is great!
BTW Script fails with errors looking for
Cert:LocalMachinemy
Your screenshot is slightly different from the script you posted
Cert:LocalMachine\my
1 year ago
Fred, thanks for the hint! We fixed this now.
Do we have to run the above script on AD server or we have to run this Script on all the servers individually ?
You can run the script from any workstation with the PowerShell AD module installed.
Hi Wolfgang,
any chance to get the certs FriendlyName instead of the ThumbPrint?
Thanks
Hi Wolfgang
Thanks for the script. It's awesome!
Thanks
B.R
Ziv
Hi Wolfgang
As always interresting post, some comments that i would like to be constructive
Why these proposal ? your readers are not all powershell experts, but a wider audience. Aliases are fine when passing a command line, but it is not recommended to use them in scripts. Naming parameter is recommended by the best practices. One-liner code is not always appropriate to debug. Correct formating makes the code more readable and understandable.
then the code should be :
Get-ChildItem -Path Cert:\LocalMachine\my |
Select-Object -Property friendlyName, Thumbprint, Subject, NotAfter |
Where-Object -Property NotAfter -LT (get-date).AddDays(-14)
@Florian Brune : to meet your need, I've added the property FriendlyName to the output. Feel free to add/remove the properties you would like or not.
regards
Olivier