PowerShell to get remote website’s SSL certificate expiration

I recently needed to put together a PowerShell script that would check the expiration of some external and internal certificates for my company and let me know when they are close to expiring. Since some of the hosts were IP addresses, and some certs were not trusted by the machine running the check, I had to have a way to disable certificate chain validation (equivalent to the curl option -k). There are many ways to get web content in PowerShell, and some are more flexible than others… After some poking around, I put together the script below, combining examples from this post and this post.

$minimumCertAgeDays = 60
$timeoutMilliseconds = 10000
$urls = @(
) #disabling the cert validation check. This is what makes this whole thing work with invalid certs...
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} foreach ($url in $urls)
Write-Host Checking $url -f Green
$req = [Net.HttpWebRequest]::Create($url)
$req.Timeout = $timeoutMilliseconds try {$req.GetResponse() |Out-Null} catch {Write-Host Exception while checking URL $url`: $_ -f Red} [datetime]$expiration = $req.ServicePoint.Certificate.GetExpirationDateString()
[int]$certExpiresIn = ($expiration - $(get-date)).Days $certName = $req.ServicePoint.Certificate.GetName()
$certPublicKeyString = $req.ServicePoint.Certificate.GetPublicKeyString()
$certSerialNumber = $req.ServicePoint.Certificate.GetSerialNumberString()
$certThumbprint = $req.ServicePoint.Certificate.GetCertHashString()
$certEffectiveDate = $req.ServicePoint.Certificate.GetEffectiveDateString()
$certIssuer = $req.ServicePoint.Certificate.GetIssuerName() if ($certExpiresIn -gt $minimumCertAgeDays)
{Write-Host Cert for site $url expires in $certExpiresIn days [on $expiration] -f Green}
{Write-Host Cert for site $url expires in $certExpiresIn days [on $expiration] Threshold is $minimumCertAgeDays days. Check details:`n`nCert name: $certName`nCert public key: $certPublicKeyString`nCert serial number: $certSerialNumber`nCert thumbprint: $certThumbprint`nCert effective date: $certEffectiveDate`nCert issuer: $certIssuer -f Red} rv req
rv expiration
rv certExpiresIn

Hope it saves someone some time… 🙂


16 Responses to “PowerShell to get remote website’s SSL certificate expiration”

  1. Great script. Thanks. For range use
    $urls=@();$a=”https://192.168.12.”;for($i=1;$i -le 255;$i++){$urls+=($a+$i)}

  2. Kristen Says:

    How would you get the parent certificates?

    • The $req object (and in particular $req.ServicePoint.Certificate) contains some data about the cert issuer, although it is rather limited. I have a feeling you may be looking for something different, possibly what is posted here. Let me know if that was not what you meant, I will try to help.

  3. Thanks! Very useful except that I get an error when it comes to pages requiring proxy.

    Checking https://www.yahoo.com
    Exception while checking URL https://www.yahoo.com: Exception calling “GetResponse” with “0” argument(s): “The remote se
    rver returned an error: (407) Proxy Authentication Required.”

    Do you have a workaround to make your script work through proxy?

    • You can add credentials to the $req object, right below the “$req.Timeout = $timeoutMilliseconds” line, something like this:

      $req.Timeout = $timeoutMilliseconds
      $req.Credentials = new NetworkCredential($User, $Password, $Domain)

      I can’t test it, since I don’t have a proxy that I can use, but that is a pretty standard way of doing it so I don’t think you will have issues.

  4. Cannot convert value “21/08/2015 23:59:59” to type “System.DateTime”. Error: “String was not recognized as a valid DateTime.”
    At line:15 char:1

    errrrr….bummer :-\

    • I fixed your script.
      just add the following after the “$expiration” declaration:

      $a = $expiration
      $d = [datetime]::ParseExact($a, “dd/MM/yyyy HH:mm:ss”, $null)
      $expiration = $d


  5. works like a charm! Thanks so much. had to add some parsing for the date but that was all.

  6. Thanks! Works perfectly.

  7. just for the record, this does NOT work if you get any other status codes than 200 OK

  8. […] plus from every server in the Farm. The function that checks the Certificate was adapted from PowerShell to get remote website’s SSL certificate expiration […]

  9. Worked great for me and saved me a lot of time. Thank you.

  10. Hey is there any way to sort this by expiration date if I have multiple websites, I’m running this against?

    • You could put each entry into a custom ps object and then sort it that way. Should be easy to find code snippets on the web for that.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: