Monitoring SSL Certificate Expiration using PowerShell
Contents
Have you ever had an SSL certificate get expired and you didn’t know about it? Perhaps it was the certificate of a web server or an Exchange server. No matter which, it would be nice to be alerted of expiring certificates, right?
This module, LazyExchangeAdmin.ExchangeCertNotify, can be used to get a list of server certificates that will expire in specified exact number of days. Additionally, it can also be used to create an HTML output that can be useful for email reports.
Requirements
- Windows PowerShell 5.1 (sorry, no PowerShell Core)
- Download the module here, and then export it to your preferred folder.
How to Use
Get Details of All Certificates
1
2
Import-Module .\LazyExchangeAdmin.CertX.psd1
Get-CertXList -ServerList Server1,Server2
The output below shows the certificates retrieved from two servers namely AU-DC01 and AU-FILE01.
This output supports piping, too. This means you can export the output to CSV like so:
1
Get-CertXList -ServerList Server1,Server2 | Export-Csv -NoTypeInformation -Path .\certs.csv
And you should get a CSV file similar to the one below.
Getting Details of Certificates Expiring in a Specific Number of Days
1
2
Import-Module .\LazyExchangeAdmin.CertX.psd1
Get-CertXList -ServerList Server1,Server2 -ExpiringInDays 14,6
The
-ExpiringInDaysparameter accepts multiple integer values.
The output below shows that only those certificates that will expire in EXACTLY 6 and 14 days are returned.
This is useful when you want to use it in a script to send you an alert only when the certificates are about to expire in specific days remaining.
Converting the Output as HTML Report
1
2
3
4
5
Import-Module .\LazyExchangeAdmin.CertX.psd1
Get-CertXList -ServerList Server1,Server2 | `
ConvertTo-CertXHtml | `
Out-File .\Certs.HTML
Helper Script for Monitoring by Email
Copy and save this helper script and name it as CertX.ps1.
Do not forget to edit the variables between the
## START EDIT HEREand## STOP EDIT HERElines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
## START EDIT HERE
# [REQUIRED] Where can I find the module?
$modulePath = "C:\Scripts\CertX\LazyExchangeAdmin.CertX.psd1"
# [REQUIRED] Where will the HTML report be saved?
$reportFile = "C:\Scripts\CertX\CertReport.html"
# [REQUIRED] The servers to be monitored
$serverList = @('devpc')
# [OPTIONAL] Expiring in Days
$expiringInDays = @(7,15,30,60)
# [OPTIONAL] Excluded these thumbprints from the monitoring
$exclusionList = @('04F9D994251D33E155AB92593CA0D997D2126AC1')
# EMAIL PROPERTIES
$mailProps = @{
SmtpServer = 'localhost'
From = 'reports@posh.lab'
To = 'admin@posh.lab','june@posh.lab'
Subject = 'Certificate Expiration Report'
}
## END EDIT HERE
Import-Module $modulePath
$CertXProps = @{
ServerList = $serverList
}
if ($expiringInDays) {
$CertXProps.ExpiringInDays += $expiringInDays
Write-Output ('>> Looking for certificates that will expire in exactly ' + ($expiringInDays -join ",") + ' day(s)')
}
if ($exclusionList) {
$CertXProps.ExclusionList += $exclusionList
Write-Output ('>> These certificates will be excluded:')
Write-Output ($exclusionList -join "`n")
}
$certXobject = Get-CertXList @CertXProps
if ($certXobject) {
Write-Output ('>> Found ' + (@($certXobject).count) + ' certificate(s)')
$certXobject | ConvertTo-CertXHtml | Out-File $reportFile
Write-Output '>> Sending email report'
Send-MailMessage @mailProps -Body (Get-Content $reportFile -raw) -BodyAsHtml
}
else {
Write-Output ('>> Found ' + (@($certXobject).count) + ' certificate(s)')
Write-Output '>> Email abort'
}
The screenshot below shows that helper script in action.
And the report below is what you can expect to be delivered as email.
If you found issues or have any recommendations/suggestions, you may open an issue here.