KeyVaults are critical instruments in Azure because they store secrets and certificates. They are used wherever a script or an ARM template needs to retrieve a secret or a certificate. With this in mind, regularly checking the expiration dates of the stored certificates to ensure they are still valid is extremely important: an expired certificate breaks everything that depends on it.

Because checking all the certificates in multiple KeyVaults across many subscriptions is tedious in the Azure Portal, using PowerShell to check every certificate in every KeyVault and produce a report saves a lot of time.

To demonstrate my PowerShell script, I'll create a KeyVault in Azure, create three self-signed certificates on my local computer, and finally import them into the KeyVault. Once the certificates have been imported, we can list the certificates stored in the KeyVault with their details, such as expiration date, status, or ID.

Importing certificates into the KeyVault

The following PowerShell code creates a resource group, an Azure KeyVault, and three self-signed certificates, and then it imports those certificates into the newly created KeyVault.

$rg = "TestKeyVaultRG"
$kv = "TestKeyVault0123456789"
$certs = @()

New-AzureRmResourceGroup -Name $rg -Location "NorthEurope"
$KeyVault = New-AzureRmKeyVault -Name $kv -ResourceGroupName $rg -Location "NorthEurope"

# New-SelfSignedCertificate puts the certificates in Cert:\CurrentUser\My by default.
# Pass -NotAfter as a [datetime] so the script does not depend on the culture's date format.
$cert1 = New-SelfSignedCertificate -Subject "TestCert01" -NotAfter ([datetime]"2018-12-31")
$cert2 = New-SelfSignedCertificate -Subject "TestCert02" -NotAfter ([datetime]"2019-01-31")
$cert3 = New-SelfSignedCertificate -Subject "TestCert03" -NotAfter ([datetime]"2019-02-28")

$certs += $cert1
$certs += $cert2
$certs += $cert3

# Demo password only. Not named $pwd, which would shadow PowerShell's automatic $PWD variable.
$pfxPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null

foreach ($cert in $certs) {
    $thumbprint = $cert.Thumbprint
    $name = $cert.Subject -replace '^CN=', ''   # "CN=TestCert01" -> "TestCert01"
    Get-ChildItem -Path "Cert:\CurrentUser\My\$thumbprint" | Export-PfxCertificate -FilePath "C:\certs\$name.pfx" -Password $pfxPassword
    Import-AzureKeyVaultCertificate -VaultName $KeyVault.VaultName -Name $name -FilePath "C:\certs\$name.pfx" -Password $pfxPassword
    Remove-Item -Path "C:\certs\$name.pfx"   # the PFX holds the private key; don't leave it on disk
}

Getting KeyVault details

After the KeyVault is ready, we can simply output the $KeyVault variable, which received the KeyVault object at creation time, to get all the KeyVault details.

Getting KeyVault details

We can also list the certificates that I imported into the KeyVault earlier using the following command:

$KeyVault | Get-AzureKeyVaultCertificate

Listing certificates in an Azure KeyVault

As you can see, there are three certificates in the certificate store of the KeyVault, each of which has a different expiration date.

Creating a report

Now we can use the following PowerShell script to get a list of certificates that will expire within a certain period, based on a given expiration threshold. To create the threshold, I used (Get-Date).AddDays() to compute a later date, so that I can determine whether a certificate's expiration date falls before it.

# Collect the certificates from every KeyVault in every subscription the account can see
$AllKeyVaultCerts = foreach ($sub in Get-AzureRmSubscription) {
    Select-AzureRmSubscription -SubscriptionId $sub.Id | Out-Null
    foreach ($vault in Get-AzureRmKeyVault) {
        Get-AzureKeyVaultCertificate -VaultName $vault.VaultName
    }
}

$threshold = 50   # report certificates that expire within this many days
$result = @()
$result += "KeyVaultCertName,KeyVaultName,KeyVaultCertEnabled,KeyVaultCertExpiryDate"

foreach ($KeyVaultCert in $AllKeyVaultCerts) {
    $KeyVaultName = $KeyVaultCert.VaultName
    $KeyVaultCertName = $KeyVaultCert.Name
    $KeyVaultCertEnabled = $KeyVaultCert.Enabled
    $KeyVaultCertExpiryDate = $KeyVaultCert.Expires

    if ($KeyVaultCertExpiryDate -lt ((Get-Date).AddDays($threshold))) {
        $result += "$KeyVaultCertName,$KeyVaultName,$KeyVaultCertEnabled,$KeyVaultCertExpiryDate"
    }
}

$result | ConvertFrom-Csv

I executed the script twice with different thresholds to show you the difference in results. In the first run, I set the threshold at 50, which means it will list all the certificates that will expire in 50 days or less. In the second run, I set it at 100 to list the certificates that will expire within 100 days.

Creating a report of expiring certificates
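The following script is an added example and not code from the original article. It produces the same kind of report, but generalizes it in the ways a practitioner usually needs next: it uses the Az module cmdlets that replaced AzureRM (Get-AzSubscription, Get-AzKeyVault, Get-AzKeyVaultCertificate, Get-AzKeyVaultSecret), walks every subscription and every vault, keeps going when a single vault denies access, distinguishes already-expired items from soon-to-expire ones and reports the days left, optionally checks secrets (which, unlike certificates, may have no expiry at all), and can run unchanged as an Azure Automation runbook. The parameter names, the -UseManagedIdentity switch and the Add-ExpiryRecord helper are this example's own choices, not part of any Azure API.

```powershell
<#
  Added example, not code from the original article. Requires the Az module
  (Az.Accounts, Az.KeyVault) and an account, or a managed identity, that can
  list certificates (and secrets) in the vaults it should report on.
#>
param(
    [int]$ThresholdDays = 50,     # report items that expire within this many days
    [switch]$IncludeSecrets,      # also check secrets, which carry an optional expiry
    [switch]$UseManagedIdentity   # set when running as a runbook with a managed identity
)

if ($UseManagedIdentity) {
    Connect-AzAccount -Identity | Out-Null
}

# Key Vault reports Expires in UTC, so compare against UTC rather than local time
$now    = [datetime]::UtcNow
$cutoff = $now.AddDays($ThresholdDays)
$report = [System.Collections.Generic.List[object]]::new()

function Add-ExpiryRecord {
    param($Item, [string]$Kind, [string]$Subscription)

    if ($null -eq $Item.Expires) {
        # Secrets (unlike certificates) can be created without an expiry; flag them, don't skip them
        $status   = 'NoExpiry'
        $daysLeft = $null
    } else {
        $daysLeft = [math]::Floor(($Item.Expires - $now).TotalDays)
        if ($Item.Expires -lt $now)        { $status = 'Expired' }
        elseif ($Item.Expires -lt $cutoff) { $status = 'ExpiringSoon' }
        else                               { return }   # still fine, not part of the report
    }

    $report.Add([pscustomobject]@{
        Subscription = $Subscription
        KeyVaultName = $Item.VaultName
        Kind         = $Kind
        Name         = $Item.Name
        Enabled      = $Item.Enabled
        Expires      = $Item.Expires
        DaysLeft     = $daysLeft
        Status       = $status
    })
}

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($vault in Get-AzKeyVault) {
        # Finding the vault needs only ARM read rights; listing its contents is a data-plane
        # call that needs a "list" permission on certificates/secrets (access policy or
        # Key Vault RBAC). Without it the vault is reported as skipped, not silently missed.
        try {
            Get-AzKeyVaultCertificate -VaultName $vault.VaultName -ErrorAction Stop |
                ForEach-Object { Add-ExpiryRecord -Item $_ -Kind 'Certificate' -Subscription $sub.Name }

            if ($IncludeSecrets) {
                Get-AzKeyVaultSecret -VaultName $vault.VaultName -ErrorAction Stop |
                    ForEach-Object { Add-ExpiryRecord -Item $_ -Kind 'Secret' -Subscription $sub.Name }
            }
        } catch {
            Write-Warning "Skipping $($vault.VaultName) in $($sub.Name): $($_.Exception.Message)"
        }
    }
}

# Emit objects rather than CSV strings so the caller can pipe them to Export-Csv,
# Send-MailMessage, or simply let a runbook collect them as its output
$report | Sort-Object Status, DaysLeft
```

Run it interactively as .\Get-KeyVaultExpiry.ps1 -ThresholdDays 100 -IncludeSecrets, or import it as a runbook and pass the same parameters from the schedule. The warnings are the part to watch: every vault that is skipped is a vault whose certificates are not being monitored, which is exactly the gap this report is supposed to close.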

Conclusion

Having live data about the certificates in your Azure KeyVaults is pretty useful. You can run this script from an Azure Automation runbook on a schedule to get the reports in an automated and continuous way; the identity the runbook runs as then needs permission to list certificates in every vault the report should cover.

1 Comment
  1. Rich 8 months ago

    This is great information.
    I have a couple of questions:

    Have you created something that will go into the Azure portal and pull out all certificates for app registrations/enterprise apps and place them within a KeyVault and use that to query on?

    I am facing the challenge of finding all certs for enterprise apps etc. that will expire soon and trying to display those along with their owner/business owner so that I can notify them of the upcoming expiration.

    Best Regards


© 4sysops 2006 - 2021