Add certificate expiration checkscript
138
Check_scripts/Win - Certificate expiration.ps1
Normal file
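--- /dev/null
+++ b/Check_scripts/Win - Certificate expiration.ps1
@@ -0,0 +1,138 @@
+<#
+.SYNOPSIS
+Check all installed certificates on the system and thier expiration dates.
+
+.DESCRIPTION
+This script will Check all installed certificates on the system and thier expiration dates,
+This script should be deployed as a Check Script.
+
+.OUTPUTS
+Errorcodes:
+0 - All OK
+1 - There is a certificate that needs attention, with the error message
+2 - There is a certificate about to expire with x amount (specify the days)
+
+.EXAMPLE
+Check_scripts/Win - Certificate expiration.ps1
+
+# the following is used to return an warning 90 days before a certificate is about to expire
+Check_scripts/Win - Certificate expiration.ps1 90
+
+.NOTES
+Author: D.de Kooker <info@dcomputers.nl>
+Source: n/a
+
+.CHANGELOG
+17-09-2023 - Initial script.
+#>
+param (
+[int]$WarningDays = 31
+)
+
+# Function to check certificates and return the status message
+function Get-CertificateStatus($certificate) {
+$subject = $certificate.Subject
+$expirationDate = $certificate.NotAfter
+
+$currentDate = Get-Date
+$thresholdDate = $currentDate.AddDays($WarningDays)
+
+if ($expirationDate -lt $currentDate) {
+return "Certificate for $subject has already expired on $expirationDate"
+} elseif ($expirationDate -lt $thresholdDate) {
+return "Certificate for $subject is expiring on $expirationDate (Less than $WarningDays days remaining)"
+} else {
+return "All certificates are valid"
+}
+}
+
+# Check all machine certificates from the 'My' certificate store (LocalMachine\My)
+$machineCertificates = Get-ChildItem -Path Cert:\LocalMachine\My
+
+# Check all user certificates from the 'My' certificate store (CurrentUser\My)
+$userCertificates = Get-ChildItem -Path Cert:\CurrentUser\My
+
+# Check if the 'LocalMachine\WebHosting' certificate store exists
+if (Test-Path Cert:\LocalMachine\WebHosting) {
+# Check certificates from 'LocalMachine\WebHosting'
+$webHostingCertificates = Get-ChildItem -Path Cert:\LocalMachine\WebHosting
+} else {
+$webHostingCertificates = @()
+}
+
+# Initialize a flag to track whether all certificates are valid
+$allCertificatesValid = $true
+
+# Initialize a flag to track whether expired certificates are found
+$expiredCertificatesFound = $false
+
+# Initialize a flag to track whether certificates are about to expire
+$certificatesAboutToExpireFound = $false
+
+# Collect certificate status messages in an array
+$certificateStatusMessages = @()
+
+# Check machine certificates
+foreach ($cert in $machineCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+
+# Check user certificates
+foreach ($cert in $userCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+
+# Check web hosting certificates if the store exists
+if ($webHostingCertificates.Count -gt 0) {
+foreach ($cert in $webHostingCertificates) {
+$status = Get-CertificateStatus $cert
+if ($status -ne "All certificates are valid") {
+$certificateStatusMessages += $status
+$allCertificatesValid = $false
+if ($status -like "*expired*") {
+$expiredCertificatesFound = $true
+} elseif ($status -like "*expiring*") {
+$certificatesAboutToExpireFound = $true
+}
+}
+}
+} else {
+$certificateStatusMessages += "The 'LocalMachine\WebHosting' certificate store does not exist or is empty."
+}
+
+# Display certificate status messages
+$certificateStatusMessages | ForEach-Object { Write-Host $_ }
+
+# Display "All certificates are valid" and exit with status code 0 if the flag is still true
+if ($allCertificatesValid) {
+Write-Host "All certificates are valid"
+exit 0
+}
+
+# Exit with status code 1 if expired certificates are found
+if ($expiredCertificatesFound) {
+exit 1
+}
+
+# Exit with status code 2 if certificates are about to expire
+if ($certificatesAboutToExpireFound) {
+exit 2
+}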
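Review bot: The exit code is derived by pattern-matching the human-readable message (`-like "*expired*"` / `"*expiring*"` in all three loops), so a certificate whose Subject happens to contain the word "expired" is reported as already expired even when it is merely approaching the threshold, and the per-certificate sentinel `"All certificates are valid"` is likewise compared as a string. Have Get-CertificateStatus return a status code next to the message and let the callers act on the code; the three copies of the loop body then collapse into one. Two smaller points: the function reads `$WarningDays` from script scope (it works through dynamic scoping, but an explicit parameter makes the dependency visible), and `Write-Host` bypasses the output stream that some monitoring agents capture, so `Write-Output` is the safer choice for a check script. Note also that `Cert:\LocalMachine\My` commonly retains long-dead certificates nobody removed, so one stale entry holds the check at exit 1 indefinitely; either filter to certificates that still carry a private key or document that stale entries must be purged for the check to be meaningful.
```powershell
# Check one certificate; returns a status code (0 ok, 1 expired, 2 expiring) and a message
function Get-CertificateStatus($certificate, [int]$warningDays = $WarningDays) {
    $now = Get-Date
    $expirationDate = $certificate.NotAfter
    if ($expirationDate -lt $now) {
        return @{ Code = 1; Message = "Certificate for $($certificate.Subject) has already expired on $expirationDate" }
    }
    if ($expirationDate -lt $now.AddDays($warningDays)) {
        return @{ Code = 2; Message = "Certificate for $($certificate.Subject) is expiring on $expirationDate (Less than $warningDays days remaining)" }
    }
    return @{ Code = 0; Message = "" }
}

# … unchanged: store enumeration and flag initialisation …

# One loop body for every store; reuse it for $userCertificates and $webHostingCertificates
foreach ($cert in $machineCertificates) {
    $result = Get-CertificateStatus $cert
    if ($result.Code -ne 0) {
        $certificateStatusMessages += $result.Message
        $allCertificatesValid = $false
        if ($result.Code -eq 1) { $expiredCertificatesFound = $true } else { $certificatesAboutToExpireFound = $true }
    }
}
```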