PowerShell: Query domain for expiring certificates

Certificate expirations can be a pain to manage and are often overlooked. Some people have spreadsheets, set calendar reminders or just wait until a customer complains. I used to have a Unix script that would search an entire subnet for servers with expiring certs, but it was not very robust; searching subnets can return some questionable results.

This script starts by querying Active Directory for a list of computer names that match the string(s) you enter. PowerShell then searches those servers for certs that are within 14 days of expiring. If any are found, the script emails you an HTML report; if not, it does nothing. The script is highly customizable, so tweak it as needed.


<#
Script to check AD computers
for expiring certificates.

Author: Ryan Clark
Date: 4/1/13
#>

#Import AD module
Import-Module ActiveDirectory

#Make sure computers array is empty in case script has been run
#in this session before
$Computers = @()

#Fill array with computers you want to filter by. This example
#is computers that start with DEV and PRD
$Computers = Get-ADComputer -Filter 'Name -like "DEV*" -or Name -like "PRD*"' | ForEach-Object { $_.Name }

#Count Computers
$CompNum = $Computers.Count
Write-Host "Found $CompNum computers to check"

#Set a date variable for today and two weeks from now. Change the
#number of days in TwoWeeks to modify the expiration window.
#Both are kept as DateTime objects so the comparison below does not
#depend on culture-specific date strings.
$Today    = Get-Date
$TwoWeeks = (Get-Date).AddDays(14)

#HTML Style config
$a = "<style>"
$a = $a + "BODY{background-color:white;}"
$a = $a + "TABLE{border-width:1px;border-style: solid;border-color: black;border-collapse: collapse;}"
$a = $a + "TH{border-width:1px;padding: 5px;border-style: solid;border-color: black;background-color:#D0A9F5}"
$a = $a + "TD{border-width:1px;padding: 5px;border-style: solid;border-color: black;background-color:#FAFAFA}"
$a = $a + "</style>"

#Run through each computer and check for certs within the
#configured date period
$ReportPath = "C:\Admin\CertReport.htm"
if (Test-Path $ReportPath) { Clear-Content $ReportPath }

$i = 0
while ($i -lt $CompNum)
{
    Write-Host "Working on:" $Computers[$i]

    #If your certs are in a different store change the Cert:\ path
    $Certs = Invoke-Command -ComputerName $Computers[$i] -ScriptBlock { Get-ChildItem Cert:\LocalMachine\My }
    $CertCount = $Certs.Count

    $j = 0
    while ($j -lt $CertCount)
    {
        #Keep certs that are still valid today but expire before the cutoff
        if (($Certs[$j].NotAfter -gt $Today) -and ($Certs[$j].NotAfter -lt $TwoWeeks))
        {
            #Each match is appended to the report as its own HTML table
            $Certs[$j] | ConvertTo-Html -Head $a -Title "Expiry Information" -Property PSComputerName,Subject,NotAfter >> $ReportPath
        }
        $j++
    }
    $i++
}

#Either email a report or do nothing
if ((Get-Content $ReportPath -ErrorAction SilentlyContinue) -eq $null)
{
    "No expiring certificates. Ending script."
}
else
{
    #Modify the -To field to send to another user or DL
    "Expiring certificates found, emailing report"
    Send-MailMessage -To me@mydomain.com -Subject "Certificate Report" -SmtpServer x.x.x.x -From myserver@domain.com -Attachments $ReportPath
}
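A reworked version of the same check, added here as an example (it is not the post's script): it queries every host in one Invoke-Command fan-out, filters on the remote side so only expiring certificates come back, and lists hosts that did not answer, since an unreachable server would otherwise look identical to a server with nothing expiring. It assumes the ActiveDirectory module, WinRM access to the targets and PowerShell 3.0 or later for `$using:`; `$Pattern`, `$Days` and `$ReportPath` are parameter names chosen for this example.

```powershell
# Added example, not the original post's script. Parameter names are chosen here.
param(
    [string[]] $Pattern    = @('DEV*', 'PRD*'),
    [int]      $Days       = 14,
    [string]   $ReportPath = 'C:\Admin\CertReport.htm'
)

Import-Module ActiveDirectory

# Build one -Filter expression from the name patterns (DEV* -or PRD* by default)
$Filter    = ($Pattern | ForEach-Object { "Name -like '$_'" }) -join ' -or '
$Computers = Get-ADComputer -Filter $Filter | Select-Object -ExpandProperty Name
$Cutoff    = (Get-Date).AddDays($Days)

# One fan-out call instead of one Invoke-Command per host. Filtering happens on the
# remote side so only expiring certificates cross the wire; $using: carries $Cutoff over.
$Expiring = Invoke-Command -ComputerName $Computers -ThrottleLimit 16 `
    -ErrorAction SilentlyContinue -ErrorVariable RemoteErrors -ScriptBlock {
        $Now = Get-Date
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.NotAfter -gt $Now -and $_.NotAfter -lt $using:Cutoff } |
            Select-Object Subject, Thumbprint, NotAfter,
                @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $Now).TotalDays } }
    }

# A host that does not answer is a blind spot, not a clean result: put it in the report.
# For remoting connection failures the ErrorRecord's TargetObject is the computer name.
$Unreachable = $RemoteErrors | ForEach-Object { [string]$_.TargetObject } |
    Sort-Object -Unique |
    ForEach-Object { [pscustomobject]@{ ComputerName = $_; Status = 'unreachable' } }

if (-not $Expiring -and -not $Unreachable) {
    'No expiring certificates and every host answered. Ending script.'
    return
}

# Single HTML document with both tables, rather than one document appended per cert
$Head = '<style>TABLE,TH,TD{border:1px solid black;border-collapse:collapse;padding:5px}</style>'
$Body = @('<h2>Certificates expiring within {0} days</h2>' -f $Days)
$Body += $Expiring | Sort-Object NotAfter |
    ConvertTo-Html -Fragment -Property PSComputerName, Subject, Thumbprint, NotAfter, DaysLeft
$Body += '<h2>Hosts that could not be queried</h2>'
$Body += $Unreachable | ConvertTo-Html -Fragment
ConvertTo-Html -Title 'Certificate Report' -Head $Head -Body $Body | Set-Content $ReportPath
# Attach $ReportPath with Send-MailMessage exactly as the post's script does.
```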


