Q: How do you monitor whether an SSL certificate’s expiration date is approaching?
A: We can wait for the alert email from the SSL certificate provider. And -WhatIf! Yes, what if the registered email no longer exists, or for any reason you don’t receive the alert? And what about one of my main rules: if you want it done right, you’ve got to do it yourself!?
So let’s do it ourselves! There are many examples of how to check an SSL certificate’s validity, and especially its expiration date. But most of them check the certificate store through the PS-drive ‘CERT:\’; that could be good enough, but it’s not the way I wanted… I want to get the certificate(s) from a central monitoring server through a web request.

Ok, here we are:

<#
.SYNOPSIS
    Check-SSL.ps1 - Gets SSL certificate expiration date
.DESCRIPTION
    Check-SSL.ps1 - Gets SSL certificate expiration date and sends an email alert if a defined threshold is exceeded.
.PARAMETER WebsiteURL
    Defines the hostname or IP address (not a full URL) of the website whose SSL certificate is checked
    Mandatory parameter
    No default value.
.PARAMETER WebsitePort
    Defines the website port of the SSL certificate to check
    Default is 443.
.PARAMETER CommonName
    Defines the CommonName (CN) of the SSL certificate to check
    Default is the value of the WebsiteURL parameter.
.PARAMETER Threshold
    Defines the threshold (in days). If the SSL certificate expires in fewer days than the threshold, an email alert is sent.
    Default is 15.
.NOTES
    File Name   : Check-SSL.ps1
    Author      : Fabrice ZERROUKI -
.EXAMPLE
    PS D:\> .\Check-SSL.ps1 -WebsiteURL -Threshold 30
    Performs a check of the expiration date for the SSL certificate that secures the website. If the certificate expires in less than 30 days, an email alert is sent.
#>
Param(
    [Parameter(Mandatory=$true,HelpMessage="IP address or hostname to check")][string]$WebsiteURL,
    [Parameter(HelpMessage="TCP port number that SSL application is listening on")][int]$WebsitePort=443,
    [Parameter(HelpMessage="CommonName (CN) on certificate")][string]$CommonName=$WebsiteURL,
    [Parameter(HelpMessage="The number of days after which an alert should be sent.")][int]$Threshold=15
)

# Mail settings. The values are not shown on the page: these are placeholders to replace with your own.
$MailTo     = "<recipient address>"
$MailFrom   = "<sender address>"
$SmtpServer = "<SMTP server>"

Try {
    $Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort)
    Try {
        $Stream = New-Object System.Net.Security.SslStream($Conn.GetStream())
        # The TLS handshake has to complete before the remote certificate is available
        $Stream.AuthenticateAsClient($CommonName)
        $Cert = $Stream.Get_RemoteCertificate()

        $ValidTo = [datetime]::Parse($Cert.GetExpirationDateString())
        Write-Host "`nConnection Successful" -ForegroundColor DarkGreen
        Write-Host "Website: $WebsiteURL"

        $ValidDays = $($ValidTo - [datetime]::Now).Days

        # Subject and body are built here, once $ValidDays is known
        $MailSubject="$WebsiteURL - SSL certificate will expire in $ValidDays days"
        $MailBody=@"
<html><span style='font-family: Tahoma; font-size: 12px;' >Hi,<br />
<br />
the SSL certificate for the website "$WebsiteURL" will expire in $ValidDays days. You should consider renewing it.<br />
<br />
----------------------------------------------------------------------------</span><br />
<span style='font-family: Tahoma; font-size: 10px;' >This is an automatically generated email, please do not reply.<br />&nbsp;<br /></span></html>
"@

        if ($ValidDays -lt $Threshold)
        {
            # Expiration is closer than the threshold: warn and send the alert
            Write-Host "`nStatus: Warning (Expires in $ValidDays days)" -ForegroundColor Yellow
            Write-Host "CertExpiration: $ValidTo`n" -ForegroundColor Yellow
            Send-MailMessage -To $MailTo -Subject $MailSubject -From $MailFrom -SmtpServer $SmtpServer -Priority High -BodyAsHtml $MailBody
        }
        else
        {
            Write-Host "`nStatus: OK" -ForegroundColor DarkGreen
            Write-Host "CertExpiration: $ValidTo`n" -ForegroundColor DarkGreen
        }
    }
    Catch { Throw $_ }
    Finally { $Conn.Close() }
}
Catch {
    # Connection or handshake failure: report it instead of an expiration date
    Write-Host "`nError occurred connecting to $($WebsiteURL)" -ForegroundColor Yellow
    Write-Host "Website: $WebsiteURL"
    Write-Host "Status:" $_.exception.innerexception.message -ForegroundColor Yellow
    Write-Host ""
}

The script has to be scheduled, each day for example (obviously at an interval shorter than the threshold!).
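
With default validation, SslStream refuses the TLS handshake for a certificate that is already expired, untrusted or issued for another name, so a monitor sees a connection error instead of an expiry date. The following is an added example, not part of Check-SSL.ps1 or the author's code: it records the validation result, still reads the certificate, and checks several hosts in one run. The function name Get-CertExpiry, the timeout and the host list are assumptions.

```powershell
# Added example (not from Check-SSL.ps1). Get-CertExpiry and the host list are hypothetical names.
function Get-CertExpiry {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $state  = @{ Errors = $null }   # filled in by the validation callback
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Bounded connect so one dead host does not stall the whole run
        if (-not $client.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${HostName}:$Port timed out"
        }
        # Inspection only: record the validation result, then let the handshake finish.
        # Never reuse this callback on a stream that carries application data.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $certificate, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Host         = $HostName
                Subject      = $cert.Subject
                NotAfter     = $cert.NotAfter
                DaysLeft     = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                PolicyErrors = $state.Errors   # None when default validation would have passed
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Constructed host list; replace with the sites you monitor.
$hosts = 'www.example.com', 'intranet.example.com'
foreach ($h in $hosts) {
    try   { Get-CertExpiry -HostName $h }
    catch { Write-Warning "$h : $($_.Exception.Message)" }
}
```

DaysLeft is negative for a certificate that has already expired, and PolicyErrors shows whether default validation would have rejected it.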
