Find expired certificates in Azure using PowerShell

KeyVaults are critical instruments in Azure as they are responsible for storing secrets and certificates. They are widely used in many different scenarios where secrets and certificates need to be retrieved from a script or an ARM template. With this in mind, dynamically checking their expiration dates to ensure they are valid is extremely important.
By Baki Onur Okutucu

Because checking all the certificates in multiple KeyVaults across many subscriptions is tedious in the Azure Portal, using PowerShell to enumerate every certificate in every KeyVault and produce a report saves a lot of time.

To demonstrate my PowerShell script, I'll create a KeyVault in Azure, create three self-signed certificates on my local computer, and finally import them to the KeyVault. After the certificates have been imported into the KeyVault, we can list the certificates that are stored in a KeyVault with their details, such as expiration date, status, or ID.

Importing certificates into the KeyVault

The following PowerShell code creates a resource group, an Azure KeyVault, and three self-signed certificates, and then it imports those certificates into the newly created KeyVault.

Getting KeyVault details

After the KeyVault is ready, we can simply call the following variable, which was assigned the KeyVault object when the vault was created, to get all the KeyVault details.

Getting KeyVault details

We can also list the certificates that I imported into the KeyVault earlier using the following command:

Listing certificates in an Azure KeyVault

As you can see, there are three certificates in the certificate store of the KeyVault, each of which has a different expiration date.

Creating a report

Now we can use the following PowerShell script to get a list of certificates that will expire within a given period, based on the expiration threshold supplied. To build the threshold, I used the (Get-Date).AddDays() method to compute a later date and compared each certificate's expiration date against it, which tells me whether the expiration is imminent.

I executed the script twice with different thresholds to show you the difference in results. In the first run, I set the threshold at 50, which means it will list all the certificates that will expire in 50 days or less. In the second run, I set it at 100 to list the certificates that will expire within 100 days.
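The following script is an added example, not the article's own code: it applies the same (Get-Date).AddDays() threshold idea but walks every KeyVault in every subscription the current session can read, which is the multi-subscription case mentioned at the start of the article. It assumes the Az.Accounts and Az.KeyVault modules are installed, Connect-AzAccount has already run, and the account holds the certificate "list" permission on each vault; the $ThresholdDays parameter name and the report column names are my own choices.

```powershell
# Added example (not the article's script): report Key Vault certificates that expire
# within $ThresholdDays, across every subscription visible to the current Az session.
param(
    [int]$ThresholdDays = 50   # same cut-off idea as the article: (Get-Date).AddDays($ThresholdDays)
)

$now    = Get-Date
$cutoff = $now.AddDays($ThresholdDays)

$report = foreach ($sub in Get-AzSubscription) {
    # Switch the session context to this subscription before enumerating its vaults
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($vault in Get-AzKeyVault) {
        # Listing requires the 'list' certificate permission; a vault we cannot read is
        # reported as a warning rather than silently dropped from the report.
        try {
            $certs = Get-AzKeyVaultCertificate -VaultName $vault.VaultName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot list certificates in $($vault.VaultName): $($_.Exception.Message)"
            continue
        }

        foreach ($cert in $certs) {
            # Expires is $null for a certificate without an expiry date; treat it as not expiring
            if ($null -ne $cert.Expires -and $cert.Expires -le $cutoff) {
                [pscustomobject]@{
                    Subscription  = $sub.Name
                    KeyVault      = $vault.VaultName
                    Certificate   = $cert.Name
                    Enabled       = $cert.Enabled
                    Expires       = $cert.Expires
                    DaysRemaining = [math]::Floor(($cert.Expires - $now).TotalDays)
                    Status        = if ($cert.Expires -lt $now) { 'Expired' } else { 'Expiring' }
                    Id            = $cert.Id
                }
            }
        }
    }
}

# Soonest expiry first; already-expired certificates show a negative DaysRemaining
$report | Sort-Object Expires | Format-Table -AutoSize
```

Run it as `.\Find-ExpiringKeyVaultCerts.ps1 -ThresholdDays 100` to reproduce the second run described above; pipe `$report` to Export-Csv if the output should be kept for an automation job.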

Creating a report of expiring certificates

Conclusion

Being able to query the live state of your certificates in Azure KeyVaults is very useful. You can run this script from an Azure Automation runbook on a schedule to produce the report automatically and continuously.

© 4sysops 2006 - 2020