Find Expiring Certificates Using PowerShell – One-Liner and a Script

This code is not really complicated at all.  Just the same it can come in very handy, and some folks have never played with the Certificate provider.  I have provided a one-liner version of this code, and a script version.  They are basically the same, but certainly the script one is considerably more verbose and easy to read.

A note for the advanced:  I have not yet been able to figure out if there is a way that you can construct the .Net objects that are instantiated here, but bind them to certificates on remote machines.  When I looked at the MSDN documentation for this, I don't see a constructor for a remote machine.  I still suspect there is a way to do, I just don't know it right now.  If anyone knows it, contact me and I will be happy to write another post explaining how to use it…once I figure it out 🙂


get-childitem cert:\LocalMachine -Recurse | where-object {$_.hasprivatekey -and $_.notafter -gt ((get-date).AddDays(-30)) -and $_.notafter -lt ((get-date).AddMonths(2))} | Sort-Object notafter | format-table subject,friendlyname,notafter -Autosize


# Script to Find Certs Expiring Soon

# Written by: Gary Siepser, Microsoft


# Variable Pre-Sets Section


    # Modify the varibale below to control how far into the future this script looks into the future

    $FutureDays = 60


    # Modify the variable below to control how far into the past we look for expired certificates

    # Use a negative number for the past and 0 for now

    $PastDays = -30


# Main Code body below


    # Set up a variable with a datetime object representing right now

    $now = Get-Date

    # Calculate a new datetime object that represents the past

    $Past = $now.AddDays($PastDays)

    # Calculate a new Datetime object that represents the future

    $Future = $now.AddDays($FutureDays)

    # Create an array of all the certificates on the local system

    $certs = get-childitem cert: -Recurse

    # Filter the cert list down to only those that we have a private key, this ignores the hundreds

    # of preinstalled certs on a machine for the internet wide PKI

    $certswithKey = $certs | Where-Object{$_.HasPrivateKey}

    # Filter the filterd list down to those whose expiration date falls within the desired range

    $expiringcerts = $certswithKey | Where-Object {$_.notafter -ge $Past -and $_.notafter -le $future}


# End Main Code Body


#The line below simply presents the filtered list.  You can alter this as you see fit

$expiringcerts | sort-object notafter | Format-Table subject,friendlyname,notafter -AutoSize

Like all my posts, this is just a demonstration sample.  I hope some folks out there find this useful.


This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at

Comments (1)

  1. Hi, great oneliner. You can also use it against remote computers as descript by Ed Wilson here:, note that remote registry service must be running on local and remote machine, and the account connecting must have remote admin rights
    to read the registry correctly.

Skip to main content