Q: How-to monitor if a SSL certificate expiration date is coming?
A: We can wait for the alert email from the SSL certificate provider. And -WhatIf! Yes, what if the registered email no longer exists, or for any reason you don’t receive the alert? And what about one of my main rules: if you want it done right, you’ve got to do it yourself!?
So let’s do it ourselves! There’s many examples on how to check a SSL certificate validity and especially SSL certificate expiration date. But most of all checks the certificate store through the PS-drive ‘CERT:\’; that could be good enough, but it’s not the way I wanted… I want to get the certificate(s) from a central monitoring server through a webrequest.

Ok, here we are:


Check-SSL.ps1 - Gets SSL certificate expiration date
Check-SSL.ps1 - Gets SSL certificate expiration date and send an email alert if a defined threshold is exceeded.
Defines the URL of the SSL certificate to check
Mandatory parameter
No default value.
.PARAMETER WebsitePort
Defines the website port of the SSL certificate to check
Default is 443.
Defines the CommonName (CN) of the SSL certificate to check
Default is the value of the WebsiteURL parameter.
.PARAMETER Threshold
Defines the threshold (in days). If the SSL certificate expiration date exceeded the threshold, an email alert is sent.
Default is 15.
File Name   : Check-SSL.ps1
Author      : Fabrice ZERROUKI -
PS D:\> .\Check-SSL.ps1 -WebsiteURL -Threshold 30
Performs a check of the expiration date for the SSL certificate that secures the website If the certificate expires in less than 30 days, an email alert is sent.
[Parameter(Mandatory=$true,HelpMessage="IP address or hostname to check")][string]$WebsiteURL,
[Parameter(HelpMessage="TCP port number that SSL application is listening on")][int]$WebsitePort=443,
[Parameter(HelpMessage="CommonName (CN) on certificate")][string]$CommonName=$WebsiteURL,
[Parameter(HelpMessage="The number of days after which an alert should be sent.")][int]$Threshold=15

$MailSubject="$WebsiteURL - SSL certificate will expire in $ValidDays days"
<html><span style='font-family: Tahoma; font-size: 12px;' >Hi,<br />
<br />
the SSL certificate for the website "$WebsiteURL" will expire in $ValidDays days. You should conserder renewing it.<br />
<br />
----------------------------------------------------------------------------</span><br />
<span style='font-family: Tahoma; font-size: 10px;' >This is an automatically generated email, please do not reply.<br />&nbsp;<br /></span></html>

Try {
$Conn = New-Object System.Net.Sockets.TcpClient($WebsiteURL,$WebsitePort)

Try {
$Stream = New-Object System.Net.Security.SslStream($Conn.GetStream())

$Cert = $Stream.Get_RemoteCertificate()

$ValidTo = [datetime]::Parse($Cert.GetExpirationDatestring())

Write-Host "`nConnection Successfull" -ForegroundColor DarkGreen
Write-Host "Website: $WebsiteURL"

$ValidDays = $($ValidTo - [datetime]::Now).Days

if ($ValidDays -lt $Threshold)
Write-Host "`nStatus: Warning (Expires in $ValidDays days)" -ForegroundColor Yellow
Write-Host "CertExpiration: $ValidTo`n" -ForegroundColor Yellow
Send-MailMessage -To $MailTo -Subject $MailSubject -From $MailFrom -SmtpServer $SmtpServer -Priority High -BodyAsHtml $MailBody
Write-Host "`nStatus: OK" -ForegroundColor DarkGreen
Write-Host "CertExpiration: $ValidTo`n" -ForegroundColor DarkGreen
Catch { Throw $_ }
Finally { $Conn.close() }
Catch {
Write-Host "`nError occurred connecting to $($WebsiteURL)" -ForegroundColor Yellow
Write-Host "Website: $WebsiteURL"
Write-Host "Status:" $_.exception.innerexception.message -ForegroundColor Yellow
Write-Host ""

Has to be scheduled, each day for example (obviously less the threshold!).

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top