How to identify Certificates that will expire (in N days) or have expired

Posted on 2011-05-06
Last Modified: 2012-05-11

I am looking for a way to query for when certificates on Microsoft Server will expire (in 'N' days) or have expired. I attempted using 'certutil' but didn’t have any luck. Is there a way to do this in SQL or the registry?

Thanks in advance!
Question by:Charlie_Melega
    LVL 31

    Expert Comment

    by:James Murrell
    Not an ideal way, but when we purchase them we put them in the group calendar so we can all see when... I know this is not ideal but it does work
    LVL 76

    Expert Comment

    You can script it to get the certificate and then use openssl to verify/extract the information you want. Something as referenced in might get you on the way.

    http:#a35712699 is the best way to track and simple to manage from the beginning. And this way you can also have a process that notifies you.
    If these are commercial SSL certificates, the vendor will likely notify you that the certificates are up for renewal (if they care about repeat business).
    LVL 39

    Expert Comment

    If you happen to be using icinga or nagios the check_tcp plugin will tell you this.

    The plugins can also be used as a standalone.
    LVL 11

    Accepted Solution

    A little PowerShell script that lets you know about expired certificates or the ones that will expire in the next 60 days:
    $date=Get-Date; Get-ChildItem cert:\LocalMachine -Recurse | Select-Object PSPath, Subject, NotAfter | Where-Object {$_.NotAfter -lt $date.AddDays(60)} | Format-List Subject, PSPath, NotAfter



    Author Comment

    Hello marek1712,

    Thanks for the Powershell script suggestion. I think this would be the best way for me to go. However, when I ran the Powershell script, it looks like I received a syntax error as shown in the attached graphic:

    LVL 11

    Expert Comment

    Now THAT is strange as it's working under my Win7...
    I don't know why it's bugging you with ":". You could try removing the semicolon and place Get-ChildItem and the rest in the second line (I know it's not that sign...). Did you try to launch it in Powershell ISE?

    Author Comment

    Yup, removing the semicolon and moving everything, starting with Get-ChildItem, to the next line worked nicely.

    Thanks again, nice work!
    LVL 11

    Expert Comment

    No problem :)
