Certificate expiration scanner

A read-only certificate inventory for finding expiring Windows certificate-store items and endpoint certificates before outages.

Good For

  • certificate renewals
  • TLS outage prevention
  • IIS prep
  • maintenance planning
  • security review

How to Use It

  1. Choose a review window, such as 30, 45, or 60 days, based on renewal lead time.
  2. Scan local machine certificate stores for expiring certificates and record subject, thumbprint, expiration, and private-key presence.
  3. If endpoint checks are used, test only known service endpoints and record the certificate presented over TLS.
  4. Compare expiring certificates against IIS bindings, load balancers, app gateways, VPN portals, and vendor appliances.
  5. If a certificate has no known owner, escalate before renewal week instead of waiting for an outage.
  6. Export findings to CSV for renewal tracking and post-renewal validation.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list

Inputs and Outputs

Inputs

  • review window in days
  • CSV or TXT endpoint list
  • CSV or TXT server list
  • service owner notes

Outputs

  • verbose-console
  • csv
  • future-html-report

Command Starter

Safe to run: read-only

$Days = 45
# Store scan: items expiring inside the review window (already-expired items match too)
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
# Endpoint check: the validation callback accepts any certificate, so an expired or untrusted
# one is still recorded; this is inventory, not a trust decision
$Endpoints = @("example.com:443")
foreach ($Endpoint in $Endpoints) {
    $parts = $Endpoint -split ":"; $client = [Net.Sockets.TcpClient]::new($parts[0], [int]$parts[1])
    try {
        $stream = [Net.Security.SslStream]::new($client.GetStream(), $false, ({ $true }))
        $stream.AuthenticateAsClient($parts[0])   # host name is also sent as SNI
        $cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new($stream.RemoteCertificate)
        [pscustomobject]@{ Endpoint = $Endpoint; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Expires = $cert.NotAfter }
    } finally { $client.Dispose() }
}

Validation

  • Every certificate inside the review window has owner, system, renewal path, and risk documented.
  • Post-renewal checks show the endpoint or store certificate now expires outside the review window.
  • The thumbprint in the service binding matches the renewed certificate where applicable.
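
For steps 4 and 5 of How to Use It and the binding check above, here is an added example (not part of the scanner's own command starter) that parses the text of netsh http show sslcert, the HTTP.sys SSL bindings IIS uses, and joins each binding to the machine store by thumbprint, flagging bindings whose certificate falls inside the window and bindings whose thumbprint is not in the store at all. The function names, the sample netsh text and the store entries are constructed for this example; on a real host feed it the output of netsh http show sslcert and Get-ChildItem Cert:\LocalMachine\My.

```powershell
# Added example, not part of the original scanner: turn 'netsh http show sslcert' text into
# objects and join each HTTP.sys binding to the machine store by thumbprint.
function ConvertFrom-SslCertBinding {
    param([Parameter(Mandatory)][string[]]$Text)
    $current = $null
    foreach ($line in $Text) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $current }                       # emit the previous record
            $current = [pscustomobject]@{ Binding = $Matches[2]; Thumbprint = $null; Store = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpperInvariant()
        } elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $current }
}
function Get-BindingRisk {
    param([Parameter(Mandatory)]$Bindings, [Parameter(Mandatory)]$StoreCerts, [int]$Days = 45)
    $cutoff = (Get-Date).AddDays($Days)
    $byThumb = @{}
    foreach ($c in $StoreCerts) { $byThumb[$c.Thumbprint.ToUpperInvariant()] = $c }
    foreach ($b in $Bindings) {
        $cert = if ($b.Thumbprint) { $byThumb[$b.Thumbprint] } else { $null }
        $status = if (-not $cert) { 'NoMatchingStoreCert' }   # binding points at a thumbprint the store lacks
                  elseif ($cert.NotAfter -lt (Get-Date)) { 'Expired' }
                  elseif ($cert.NotAfter -lt $cutoff) { 'ExpiringInWindow' }
                  else { 'OK' }
        [pscustomobject]@{ Binding = $b.Binding; Thumbprint = $b.Thumbprint; Subject = $cert.Subject
                           NotAfter = $cert.NotAfter; Status = $status }
    }
}
# Constructed sample shaped like 'netsh http show sslcert' output; the thumbprints are made up.
$sampleNetsh = @'
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : a1b2c3d4e5f60718293a4b5c6d7e8f9011223344
    Certificate Store Name       : MY

    Hostname:port                : portal.example.internal:443
    Certificate Hash             : ffeeddccbbaa99887766554433221100ffeeddcc
    Certificate Store Name       : MY
'@ -split "`r?`n"
# Constructed store entries standing in for: Get-ChildItem Cert:\LocalMachine\My
# (the first binding resolves to a certificate due in 20 days; the second binding's thumbprint is absent)
$sampleStore = @(
    [pscustomobject]@{ Thumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9011223344'; Subject = 'CN=www.example.internal'; NotAfter = (Get-Date).AddDays(20) }
)
Get-BindingRisk -Bindings (ConvertFrom-SslCertBinding $sampleNetsh) -StoreCerts $sampleStore | Format-Table -AutoSize
```

Pipe the result to Export-Csv for the renewal tracker; after renewal, rerun it and confirm each binding's Status is OK and its Thumbprint is the renewed certificate's.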

Reporting

  • export expiring certificates to CSV for renewal tracking
  • include endpoint, subject, thumbprint, expiration, and owner in handoff notes
  • promote repeated use into a certificate-risk dashboard or renewal report pack

Safety Notes

  • This scanner does not renew, export, delete, or replace certificates.
  • Do not bypass normal certificate-owner approval, private-key handling, or change-control requirements.