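<#
.SYNOPSIS
    Check all installed certificates on the system and their expiration dates.

.DESCRIPTION
    This script checks the certificates in the LocalMachine\My, CurrentUser\My and
    (when present) LocalMachine\WebHosting stores and reports any certificate that
    has already expired or will expire within the warning window. This script
    should be deployed as a Check Script: the exit code carries the verdict and
    the printed lines carry the details (subject, NotAfter date and thumbprint).

    Only the NotAfter date is evaluated. Chain validity, revocation status and the
    NotBefore (not-yet-valid) date are not checked by this script.

    NOTE(review): CurrentUser\My is the store of the account the check runs under
    (for an agent that is usually a service account, not the logged-on user) -
    confirm this matches what the check is meant to cover.

.PARAMETER WarningDays
    Number of days before expiry at which a certificate is reported as expiring.
    Defaults to 31. Negative values are rejected because they would move the
    warning threshold into the past and silently disable the warning.

.OUTPUTS
    Errorcodes:
    0 - All OK
    1 - There is a certificate that needs attention (already expired), with the error message
    2 - There is a certificate about to expire with x amount (specify the days)
    When both conditions are present the expired certificate wins (exit code 1).

.EXAMPLE
    Check_scripts/Win - Certificate expiration.ps1

.EXAMPLE
    # the following is used to return a warning 90 days before a certificate is about to expire
    Check_scripts/Win - Certificate expiration.ps1 90

.NOTES
    Author: D.de Kooker
    Source: n/a

.CHANGELOG
    17-09-2023 - Initial script.
#>
param (
    [ValidateRange(0, [int]::MaxValue)]
    [int]$WarningDays = 31
)

# Classify a certificate by its NotAfter date relative to the current time.
#
# Arguments:
#   -Certificate  an object exposing a NotAfter [datetime] (X509Certificate2)
#   -Days         warning window in days, defaults to the script's $WarningDays
# Returns: 'Expired', 'Expiring' or 'Valid'.
#
# The classification is made on the dates only. The previous version matched
# "*expired*" / "*expiring*" against the status message, which includes the
# certificate subject, so a subject such as CN=expired-test.example.com could
# change the exit code. Subjects are attacker/third-party controlled text and
# must never drive the verdict.
function Get-CertificateState {
    param (
        [Parameter(Mandatory = $true)]
        $Certificate,
        [int]$Days = $WarningDays
    )

    $currentDate = Get-Date
    $thresholdDate = $currentDate.AddDays($Days)

    if ($Certificate.NotAfter -lt $currentDate) {
        return 'Expired'
    }
    if ($Certificate.NotAfter -lt $thresholdDate) {
        return 'Expiring'
    }
    return 'Valid'
}

# Build the human-readable status line for a certificate in a known state.
#
# Arguments:
#   $certificate  the certificate object (Subject, NotAfter, Thumbprint are read)
#   $state        one of the values returned by Get-CertificateState
# Returns: the message string for that state.
#
# The thumbprint is included because renewed certificates keep the same subject
# as the expired one they replace; without it an operator cannot tell which
# entry in the store the alert refers to.
function Format-CertificateMessage($certificate, $state) {
    $subject = $certificate.Subject
    $expirationDate = $certificate.NotAfter
    $thumbprint = $certificate.Thumbprint

    switch ($state) {
        'Expired' {
            return "Certificate for $subject has already expired on $expirationDate (Thumbprint: $thumbprint)"
        }
        'Expiring' {
            return "Certificate for $subject is expiring on $expirationDate (Less than $WarningDays days remaining, Thumbprint: $thumbprint)"
        }
        default {
            return "All certificates are valid"
        }
    }
}

# Function to check a certificate and return the status message.
#
# Arguments:
#   $certificate  the certificate object to evaluate
# Returns: the status message for the certificate, or the literal
#          "All certificates are valid" when it is neither expired nor expiring.
function Get-CertificateStatus($certificate) {
    $state = Get-CertificateState -Certificate $certificate
    return Format-CertificateMessage $certificate $state
}

# Stores to inspect. The two 'My' stores always exist; 'LocalMachine\WebHosting'
# is only present on hosts with the IIS Web Hosting store, so it is optional and
# its absence is reported as information rather than as a failure.
$storesToCheck = @(
    @{ Name = 'LocalMachine\My';         Optional = $false }
    @{ Name = 'CurrentUser\My';          Optional = $false }
    @{ Name = 'LocalMachine\WebHosting'; Optional = $true }
)

# Flags that decide the exit code, plus the collected status lines.
$allCertificatesValid = $true
$expiredCertificatesFound = $false
$certificatesAboutToExpireFound = $false
$certificateStatusMessages = @()

foreach ($store in $storesToCheck) {
    $storePath = "Cert:\$($store.Name)"

    # Wrap in @() so an empty store (null) and a single certificate both behave
    # as arrays; foreach over an empty array simply does nothing.
    $certificates = @()
    if (Test-Path -Path $storePath) {
        $certificates = @(Get-ChildItem -Path $storePath)
    }

    if ($store.Optional -and $certificates.Count -eq 0) {
        $certificateStatusMessages += "The '$($store.Name)' certificate store does not exist or is empty."
        continue
    }

    foreach ($cert in $certificates) {
        $state = Get-CertificateState -Certificate $cert
        if ($state -eq 'Valid') {
            continue
        }

        $allCertificatesValid = $false
        if ($state -eq 'Expired') {
            $expiredCertificatesFound = $true
        } else {
            $certificatesAboutToExpireFound = $true
        }
        $certificateStatusMessages += Format-CertificateMessage $cert $state
    }
}

# Display certificate status messages
$certificateStatusMessages | ForEach-Object { Write-Host $_ }

# Display "All certificates are valid" and exit with status code 0 if the flag is still true
if ($allCertificatesValid) {
    Write-Host "All certificates are valid"
    exit 0
}

# Exit with status code 1 if expired certificates are found; this is checked
# first because an expired certificate is the more severe condition.
if ($expiredCertificatesFound) {
    exit 1
}

# Exit with status code 2 if certificates are about to expire
if ($certificatesAboutToExpireFound) {
    exit 2
}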