Add certificate expiration checkscript
138
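--- a/Check_scripts/Win - Certificate expiration.ps1
+++ b/Check_scripts/Win - Certificate expiration.ps1
@@ -0,0 +1,138 @@
+<#
+.SYNOPSIS
+Check all installed certificates on the system and thier expiration dates.
+
+.DESCRIPTION
+This script will Check all installed certificates on the system and thier expiration dates,
+This script should be deployed as a Check Script.
+
+.OUTPUTS
+Errorcodes:
+0 - All OK
+1 - There is a certificate that needs attention, with the error message
+2 - There is a certificate about to expire with x amount (specify the days)
+
+.EXAMPLE
+Check_scripts/Win - Certificate expiration.ps1
+
+# the following is used to return an warning 90 days before a certificate is about to expire
+Check_scripts/Win - Certificate expiration.ps1 90
+
+.NOTES
+Author: D.de Kooker <info@dcomputers.nl>
+Source: n/a
+
+.CHANGELOG
+17-09-2023 - Initial script.
+#>
+param (
+[int]$WarningDays = 31
+)
+
+# Function to check certificates and return the status message
+function Get-CertificateStatus($certificate) {
+$subject = $certificate.Subject
+$expirationDate = $certificate.NotAfter
+
+$currentDate = Get-Date
+$thresholdDate = $currentDate.AddDays($WarningDays)
+
+if ($expirationDate -lt $currentDate) {
+return "Certificate for $subject has already expired on $expirationDate"
+} elseif ($expirationDate -lt $thresholdDate) {
+return "Certificate for $subject is expiring on $expirationDate (Less than $WarningDays days remaining)"
+} else {
+return "All certificates are valid"
+}
+}
+
+# Check all machine certificates from the 'My' certificate store (LocalMachine\My)
+$machineCertificates = Get-ChildItem -Path Cert:\LocalMachine\My
+
+# Check all user certificates from the 'My' certificate store (CurrentUser\My)
+$userCertificates = Get-ChildItem -Path Cert:\CurrentUser\My
+
+# Check if the 'LocalMachine\WebHosting' certificate store exists
+if (Test-Path Cert:\LocalMachine\WebHosting) {
+# Check certificates from 'LocalMachine\WebHosting'
+$webHostingCertificates = Get-ChildItem -Path Cert:\LocalMachine\WebHosting
+} else {
+$webHostingCertificates = @()
+}
+
+# Initialize a flag to track whether all certificates are valid
+$allCertificatesValid = $true
+
+# Initialize a flag to track whether expired certificates are found
+$expiredCertificatesFound = $false
+
+# Initialize a flag to track whether certificates are about to expire
+$certificatesAboutToExpireFound = $false
+
+# Collect certificate status messages in an array
+$certificateStatusMessages = @()
+
+# Check machine certificates
+foreach ($cert in $machineCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+
+# Check user certificates
+foreach ($cert in $userCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+
+# Check web hosting certificates if the store exists
+if ($webHostingCertificates.Count -gt 0) {
+foreach ($cert in $webHostingCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+} else {
+$certificateStatusMessages += "The 'LocalMachine\WebHosting' certificate store does not exist or is empty."
+}
+
+# Display certificate status messages
+$certificateStatusMessages | ForEach-Object { Write-Host $_ }
+
+# Display "All certificates are valid" and exit with status code 0 if the flag is still true
+if ($allCertificatesValid) {
+Write-Host "All certificates are valid"
+exit 0
+}
+
+# Exit with status code 1 if expired certificates are found
+if ($expiredCertificatesFound) {
+exit 1
+}
+
+# Exit with status code 2 if certificates are about to expire
+if ($certificatesAboutToExpireFound) {
+exit 2
+}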
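Review bot: The three foreach blocks under `# Check machine certificates`, `# Check user certificates` and `# Check web hosting certificates` repeat the same eleven-line classification body, and each one classifies by substring-matching the returned message (`-like "*expired*"` / `-like "*expiring*"`), so a certificate whose Subject happens to contain the word "expired" is counted as expired and any later rewording inside Get-CertificateStatus silently changes the exit codes. Collapsing the three stores into one array and one loop removes the duplication, and the missing-or-empty WebHosting message can then come from a single `Count -eq 0` check after the loop. The status messages also omit the thumbprint, so a renewed certificate sitting next to its predecessor in LocalMachine\My produces two indistinguishable alerts; `return "Certificate for $subject ($($certificate.Thumbprint)) has already expired on $expirationDate"` (and the same in the expiring branch) lets an operator act on the right one. Finally, `$WarningDays` is only visible inside Get-CertificateStatus because a script parameter is readable from the function's child scope, which deserves a comment such as `# $WarningDays is the script parameter, read from the enclosing scope` above the function.
```powershell
# … unchanged: param block, Get-CertificateStatus, store enumeration, flag initialisation …
$allCertificates = @($machineCertificates) + @($userCertificates) + @($webHostingCertificates)
foreach ($cert in $allCertificates) {
    $status = Get-CertificateStatus $cert
    if ($status -ne "All certificates are valid") {
        $certificateStatusMessages += $status
        $allCertificatesValid = $false
        if ($status -like "*expired*") {
            $expiredCertificatesFound = $true
        } elseif ($status -like "*expiring*") {
            $certificatesAboutToExpireFound = $true
        }
    }
}
if ($webHostingCertificates.Count -eq 0) {
    $certificateStatusMessages += "The 'LocalMachine\WebHosting' certificate store does not exist or is empty."
}
# … unchanged: message output and exit codes …
```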