Find Expiring Certificates Using PowerShell – One-Liner and a Script

This code is not complicated at all. Just the same, it can come in very handy, and some folks have never played with the Certificate provider (the Cert: drive). I have provided a one-liner version of this code and a script version. They do basically the same thing, but the script is considerably more verbose and easier to read. One difference worth knowing: the one-liner searches only the LocalMachine stores (cert:\LocalMachine), while the script starts at the root of the drive (cert:) and so walks both the CurrentUser and LocalMachine stores. Both versions keep only certificates that have a private key, which is what separates the certificates this machine actually uses (server, service and user certificates) from the hundreds of trusted root and intermediate CA certificates every Windows box carries.

A note for the advanced: I have not yet been able to figure out if there is a way that you can construct the .NET objects that are instantiated here but bind them to certificates on remote machines. When I looked at the MSDN documentation for this, I didn't see a constructor for a remote machine. I still suspect there is a way to do it; I just don't know it right now. If anyone knows it, contact me and I will be happy to write another post explaining how to use it…once I figure it out :)

One-liner:

get-childitem cert:\LocalMachine -Recurse | where-object {$_.hasprivatekey -and $_.notafter -gt ((get-date).AddDays(-30)) -and $_.notafter -lt ((get-date).AddMonths(2))} | Sort-Object notafter | format-table subject,friendlyname,notafter -Autosize

Script:

# Script to Find Certs Expiring Soon
# Written by: Gary Siepser, Microsoft

# Variable Pre-Sets Section

    # Modify the variable below to control how far into the future this script looks
    $FutureDays = 60

    # Modify the variable below to control how far into the past we look for expired certificates
    # Use a negative number for the past and 0 for now
    $PastDays = -30

# Main Code body below

    # Set up a variable with a datetime object representing right now
    $now = Get-Date

    # Calculate a new datetime object that represents the past
    $Past = $now.AddDays($PastDays)

    # Calculate a new datetime object that represents the future
    $Future = $now.AddDays($FutureDays)

    # Create an array of all the certificates on the local system
    # (cert: with -Recurse walks both the CurrentUser and LocalMachine stores;
    # use cert:\LocalMachine to limit it to the machine stores, as the one-liner does)
    $certs = Get-ChildItem cert: -Recurse

    # Filter the cert list down to only those for which we have a private key; this ignores the hundreds
    # of preinstalled certs on a machine for the internet-wide PKI (store containers have no
    # HasPrivateKey property, so they drop out here as well)
    $certswithKey = $certs | Where-Object {$_.HasPrivateKey}

    # Filter the filtered list down to those whose expiration date falls within the desired range
    $expiringcerts = $certswithKey | Where-Object {$_.NotAfter -ge $Past -and $_.NotAfter -le $Future}

# End Main Code Body

# The line below simply presents the filtered list. You can alter this as you see fit
$expiringcerts | Sort-Object NotAfter | Format-Table Subject, FriendlyName, NotAfter -AutoSize
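The following is an added example and not part of Gary's post. It wraps the same filter as the script above in a reusable function and answers the "note for the advanced" a different way: instead of binding a .NET X509Store to a remote machine, it ships the filter to the remote machines with PowerShell remoting (Invoke-Command over WinRM) and lets the certificate provider do the work there. It assumes Windows PowerShell 2.0 or later, that WinRM is enabled on the target hosts (Enable-PSRemoting), and that the caller is an administrator on them; the host names web01 and web02, the function name Get-ExpiringCertificate and its parameter names are all made up for this example.

```powershell
# Added example (not from the original post). Searches one or more certificate
# stores for private-key certificates expiring within a window, locally or on
# remote hosts via PowerShell remoting. Requires Windows PowerShell 2.0+.
function Get-ExpiringCertificate {
    [CmdletBinding()]
    param(
        # Store path to search. Cert:\LocalMachine\My holds the machine's own
        # server/service certificates; Cert:\ walks every store in both hives.
        [string]   $StorePath  = 'Cert:\LocalMachine\My',
        # Window: keep certificates whose NotAfter falls between
        # (now + PastDays) and (now + FutureDays). PastDays is negative or zero.
        [int]      $PastDays   = -30,
        [int]      $FutureDays = 60,
        # Zero or more remote hosts; when omitted, the local stores are searched.
        [string[]] $ComputerName
    )

    # Everything in this script block runs where the certificates live, so the
    # parameters are passed in explicitly (works on PowerShell 2.0, no $using:).
    $finder = {
        param($StorePath, $PastDays, $FutureDays)
        $now = Get-Date
        Get-ChildItem -Path $StorePath -Recurse |
            Where-Object {
                # Skip store containers and anything without a private key
                (-not $_.PSIsContainer) -and
                $_.HasPrivateKey -and
                $_.NotAfter -ge $now.AddDays($PastDays) -and
                $_.NotAfter -le $now.AddDays($FutureDays)
            } |
            ForEach-Object {
                # Emit plain objects: they serialise cleanly over remoting and
                # record which store the certificate came from, which the
                # Subject/FriendlyName/NotAfter table in the post does not show.
                New-Object PSObject -Property @{
                    Store        = ($_.PSParentPath -replace '^.*::', '')
                    Subject      = $_.Subject
                    FriendlyName = $_.FriendlyName
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                    # Negative once the certificate has already expired
                    DaysLeft     = [math]::Floor(($_.NotAfter - $now).TotalDays)
                }
            }
    }

    if ($ComputerName) {
        # Each returned object also carries PSComputerName, added by remoting.
        # An unreachable host produces a non-terminating error; the others
        # are still queried.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $finder `
            -ArgumentList $StorePath, $PastDays, $FutureDays
    }
    else {
        & $finder $StorePath $PastDays $FutureDays
    }
}

# Local usage: equivalent to the script above, plus store, thumbprint and days left
Get-ExpiringCertificate -StorePath 'Cert:\' |
    Sort-Object NotAfter |
    Format-Table Store, Subject, NotAfter, DaysLeft -AutoSize

# Remote usage (hypothetical hosts; WinRM must be enabled on them):
# Get-ExpiringCertificate -ComputerName web01, web02 |
#     Sort-Object NotAfter |
#     Format-Table PSComputerName, Store, Subject, NotAfter, DaysLeft -AutoSize
```

Two practical notes. The Thumbprint column is there because Subject and FriendlyName are not unique: a renewed certificate usually has the same subject as the one it replaces, and only the thumbprint tells you which copy is the old one. And on Windows PowerShell 3.0 and later the certificate provider accepts a filter of its own, for example Get-ChildItem Cert:\LocalMachine\My -ExpiringInDays 60, which covers the "future" half of the window without a Where-Object; the version above does the filtering itself so that it also runs on 2.0 and can include recently expired certificates.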

Like all my posts, this is just a demonstration sample.  I hope some folks out there find this useful.

-Gary

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at https://www.microsoft.com/info/cpyright.htm.