From 27410db619acb83adf16da23c96d2c1deecd03aa Mon Sep 17 00:00:00 2001
From: Danny de Kooker
Date: Sun, 17 Sep 2023 17:05:51 +0200
Subject: [PATCH] Add certificate expiration checkscript

---
 .../Win - Certificate expiration.ps1 | 138 ++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 Check_scripts/Win - Certificate expiration.ps1

diff --git a/Check_scripts/Win - Certificate expiration.ps1 b/Check_scripts/Win - Certificate expiration.ps1
new file mode 100644
index 0000000..9a57f8d
--- /dev/null
+++ b/Check_scripts/Win - Certificate expiration.ps1
@@ -0,0 +1,138 @@
+<#
+ .SYNOPSIS
+ Check all installed certificates on the system and thier expiration dates.
+
+ .DESCRIPTION
+ This script will Check all installed certificates on the system and thier expiration dates,
+ This script should be deployed as a Check Script.
+
+ .OUTPUTS
+ Errorcodes:
+ 0 - All OK
+ 1 - There is a certificate that needs attention, with the error message
+ 2 - There is a certificate about to expire with x amount (specify the days)
+
+ .EXAMPLE
+ Check_scripts/Win - Certificate expiration.ps1
+
+ # the following is used to return an warning 90 days before a certificate is about to expire
+ Check_scripts/Win - Certificate expiration.ps1 90
+
+ .NOTES
+ Author: D.de Kooker
+ Source: n/a
+
+ .CHANGELOG
+ 17-09-2023 - Initial script.
+#>
+param (
+ [int]$WarningDays = 31
+)
+
+# Function to check certificates and return the status message
+function Get-CertificateStatus($certificate) {
+ $subject = $certificate.Subject
+ $expirationDate = $certificate.NotAfter
+
+ $currentDate = Get-Date
+ $thresholdDate = $currentDate.AddDays($WarningDays)
+
+ if ($expirationDate -lt $currentDate) {
+ return "Certificate for $subject has already expired on $expirationDate"
+ } elseif ($expirationDate -lt $thresholdDate) {
+ return "Certificate for $subject is expiring on $expirationDate (Less than $WarningDays days remaining)"
+ } else {
+ return "All certificates are valid"
+ }
+}
+
+# Check all machine certificates from the 'My' certificate store (LocalMachine\My)
+$machineCertificates = Get-ChildItem -Path Cert:\LocalMachine\My
+
+# Check all user certificates from the 'My' certificate store (CurrentUser\My)
+$userCertificates = Get-ChildItem -Path Cert:\CurrentUser\My
+
+# Check if the 'LocalMachine\WebHosting' certificate store exists
+if (Test-Path Cert:\LocalMachine\WebHosting) {
+ # Check certificates from 'LocalMachine\WebHosting'
+ $webHostingCertificates = Get-ChildItem -Path Cert:\LocalMachine\WebHosting
+} else {
+ $webHostingCertificates = @()
+}
+
+# Initialize a flag to track whether all certificates are valid
+$allCertificatesValid = $true
+
+# Initialize a flag to track whether expired certificates are found
+$expiredCertificatesFound = $false
+
+# Initialize a flag to track whether certificates are about to expire
+$certificatesAboutToExpireFound = $false
+
+# Collect certificate status messages in an array
+$certificateStatusMessages = @()
+
+# Check machine certificates
+foreach ($cert in $machineCertificates) {
+ $status = Get-CertificateStatus $cert
+ if ($status -ne "All certificates are valid") {
+ $certificateStatusMessages += $status
+ $allCertificatesValid = $false
+ if ($status -like "*expired*") {
+ $expiredCertificatesFound = $true
+ } elseif ($status -like "*expiring*") {
+ $certificatesAboutToExpireFound = $true
+ }
+ }
+}
+
+# Check user certificates
+foreach ($cert in $userCertificates) {
+ $status = Get-CertificateStatus $cert
+ if ($status -ne "All certificates are valid") {
+ $certificateStatusMessages += $status
+ $allCertificatesValid = $false
+ if ($status -like "*expired*") {
+ $expiredCertificatesFound = $true
+ } elseif ($status -like "*expiring*") {
+ $certificatesAboutToExpireFound = $true
+ }
+ }
+}
+
+# Check web hosting certificates if the store exists
+if ($webHostingCertificates.Count -gt 0) {
+ foreach ($cert in $webHostingCertificates) {
+ $status = Get-CertificateStatus $cert
+ if ($status -ne "All certificates are valid") {
+ $certificateStatusMessages += $status
+ $allCertificatesValid = $false
+ if ($status -like "*expired*") {
+ $expiredCertificatesFound = $true
+ } elseif ($status -like "*expiring*") {
+ $certificatesAboutToExpireFound = $true
+ }
+ }
+ }
+} else {
+ $certificateStatusMessages += "The 'LocalMachine\WebHosting' certificate store does not exist or is empty."
+}
+
+# Display certificate status messages
+$certificateStatusMessages | ForEach-Object { Write-Host $_ }
+
+# Display "All certificates are valid" and exit with status code 0 if the flag is still true
+if ($allCertificatesValid) {
+ Write-Host "All certificates are valid"
+ exit 0
+}
+
+# Exit with status code 1 if expired certificates are found
+if ($expiredCertificatesFound) {
+ exit 1
+}
+
+# Exit with status code 2 if certificates are about to expire
+if ($certificatesAboutToExpireFound) {
+ exit 2
+}
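Review bot: The exit code is derived by substring-matching the human-readable message (`$status -like "*expired*"` / `"*expiring*"` in all three loops, plus `-ne "All certificates are valid"`), so a certificate whose Subject happens to contain one of those words is classified by its name rather than its dates — an expiring certificate with a subject like `CN=expired-test` falls into the `*expired*` branch and the script exits 1 instead of 2. Have Get-CertificateStatus return a state alongside the message and switch on that, which also lets the three identical loops collapse into one (sketch below; the existing `Test-Path` branch can keep emitting the "store does not exist" message). Separately, `.OUTPUTS` documents code 1 as "needs attention" while the code maps 1 to expired and 2 to expiring — stating that mapping explicitly (and fixing "thier") would help whoever reads the check results. Note also that `LocalMachine\My` commonly holds CA/intermediate certificates with no private key, each of which will raise an alert here; filtering on `$certificate.HasPrivateKey` may be worth considering if that is not intended.
```powershell
function Get-CertificateStatus($certificate) {
    # … unchanged: $subject / $expirationDate / $currentDate / $thresholdDate …
    if ($expirationDate -lt $currentDate) {
        return [pscustomobject]@{ State = 'Expired';  Message = "Certificate for $subject has already expired on $expirationDate" }
    } elseif ($expirationDate -lt $thresholdDate) {
        return [pscustomobject]@{ State = 'Expiring'; Message = "Certificate for $subject is expiring on $expirationDate (Less than $WarningDays days remaining)" }
    }
    return [pscustomobject]@{ State = 'Valid'; Message = $null }
}

# … unchanged: store enumeration and flag initialisation …

foreach ($cert in @($machineCertificates) + @($userCertificates) + @($webHostingCertificates)) {
    $status = Get-CertificateStatus $cert
    switch ($status.State) {
        'Expired'  { $expiredCertificatesFound = $true;         $certificateStatusMessages += $status.Message }
        'Expiring' { $certificatesAboutToExpireFound = $true;   $certificateStatusMessages += $status.Message }
    }
}
$allCertificatesValid = -not ($expiredCertificatesFound -or $certificatesAboutToExpireFound)

# … unchanged: message output and exit codes …
```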