I am trying to get a working script to check for expiration of SSL certificates in IIS. There are many similar entries just getting a list of expiring installed certificates, but I need some extra logic.
I need to know all the certificates that expire in x days, which are A) currently linked to the website, and B) that the website should have the status "Started"
I have certain information collected (below), but I have problems correlating them, so they give me only the outdated certificates that I need. To add to the complexity, I can’t just search for the CN site name in the certificate subject because many hundreds of certificates are installed, and often for 1 or more older certificates for the same site it still remains to be installed. Having said that, they have one topic. I will need to compare the fingerprints, but getting the fingerprint by simply specifying the name of the site will be difficult.
Some of the code for collecting various relevant details is as follows:
ActiveSites = get-website | where {$_.State -eq "Started"}
$DaysToExpiration = 7
$InstalledCerts = gci cert:\localmachine\my
$ExpiringCerts = $InstalledCerts | Where {(($_.NotAfter - (Get-Date)).Days) -lt $DaysToExpiration}
source
share