Certificate expiration scanner

A read-only certificate inventory that finds local-machine store certificates nearing expiration and captures certificates presented by known TLS endpoints for review.

Good For

  • certificate renewals
  • TLS outage prevention
  • IIS prep
  • maintenance planning
  • security review

How to Use It

  1. Choose a review window, such as 30, 45, or 60 days, based on renewal lead time.
  2. Scan local machine certificate stores for expiring certificates and record subject, thumbprint, expiration, and private-key presence.
  3. If endpoint checks are used, test only known service endpoints and record the certificate presented over TLS.
  4. Compare expiring certificates against IIS bindings, load balancers, app gateways, VPN portals, and vendor appliances.
  5. If a certificate has no known owner, escalate before renewal week instead of waiting for an outage.
  6. Export findings to CSV for renewal tracking and post-renewal validation.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list

Inputs and Outputs

Inputs

  • review window in days
  • CSV or TXT endpoint list
  • CSV or TXT server list
  • service owner notes

Outputs

  • verbose-console
  • csv
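The Command Starter below hard-codes one endpoint and runs only in local mode. The following is an added example, not code from the original page, showing how the TXT/CSV inputs listed above are loaded and how the same store query runs in remote-single-host or remote-host-list mode over WinRM. The file names `.\endpoints.txt` and `.\servers.csv`, the `ComputerName` column, and the `Import-TargetList` / `Get-RemoteStoreFindings` function names are all assumptions made for this example.

```powershell
# Added example, not code from the original page: load the endpoint and server lists
# named under Inputs from TXT or CSV files, then run the store inventory in
# remote-single-host or remote-host-list mode over WinRM. Assumed input files
# (constructed for this example, not part of the original page):
#   .\endpoints.txt  one host:port per line; blank lines and '#' comments are ignored
#   .\servers.csv    a CSV with a ComputerName column
$Days = 45

function Import-TargetList {
    # TXT: one value per line. CSV: values taken from the named column.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Column = 'Endpoint'
    )
    $Raw = if ([IO.Path]::GetExtension($Path) -ieq '.csv') {
        Import-Csv -Path $Path | ForEach-Object { $_.$Column }
    }
    else {
        Get-Content -Path $Path
    }
    $Raw |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Sort-Object -Unique
}

# Same store query as the Command Starter, with DaysLeft added so findings sort by urgency.
# It executes on the remote host, so the review window is passed in as an argument.
$StoreQuery = {
    param([int]$Days)
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
            @{ Name = 'DaysLeft'; Expression = { [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays) } }
}

function Get-RemoteStoreFindings {
    # remote-single-host: pass one name; remote-host-list: pass the imported list.
    # Requires WinRM and read access to the remote LocalMachine\My store.
    # A host that cannot be reached produces an Error row instead of vanishing from the report.
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$ReviewDays)
    foreach ($Server in $ComputerName) {
        try {
            Invoke-Command -ComputerName $Server -ScriptBlock $StoreQuery -ArgumentList $ReviewDays -ErrorAction Stop |
                Select-Object @{ Name = 'ComputerName'; Expression = { $Server } },
                    Subject, Thumbprint, NotAfter, HasPrivateKey, DaysLeft,
                    @{ Name = 'Error'; Expression = { $null } }
        }
        catch {
            [pscustomobject]@{
                ComputerName = $Server; Subject = $null; Thumbprint = $null; NotAfter = $null
                HasPrivateKey = $null; DaysLeft = $null; Error = $_.Exception.Message
            }
        }
    }
}

$Endpoints = Import-TargetList -Path '.\endpoints.txt'                      # feeds the starter's endpoint loop
$Servers   = Import-TargetList -Path '.\servers.csv' -Column 'ComputerName'

$RemoteFindings = Get-RemoteStoreFindings -ComputerName $Servers -ReviewDays $Days
$RemoteFindings | Sort-Object DaysLeft |
    Export-Csv -Path '.\certificate-store-expiration-remote.csv' -NoTypeInformation -Encoding UTF8
$RemoteFindings | Sort-Object DaysLeft | Format-Table -AutoSize
```

The success and error rows carry the same columns on purpose: Export-Csv takes its header from the first object it sees, so a list that starts with a reachable host would otherwise silently drop the Error column for every unreachable one.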

Command Starter

Safe to run: read-only

# ---------------------------------------------------------------------
# Operator inputs
# ---------------------------------------------------------------------
$Days = 45
$Endpoints = @('example.com:443')
$StoreOutput = '.\certificate-store-expiration.csv'
$EndpointOutput = '.\certificate-endpoint-expiration.csv'

# ---------------------------------------------------------------------
# LocalMachine\My store inventory
# ---------------------------------------------------------------------
$StoreFindings = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey

# ---------------------------------------------------------------------
# TLS endpoint inventory
# This callback accepts the presented certificate so inventory can succeed
# even when trust validation is broken. Treat this as capture, not trust approval.
# ---------------------------------------------------------------------
$EndpointFindings = foreach ($Endpoint in $Endpoints) {
    $HostName, $PortText = $Endpoint -split ':', 2
    # Entries without an explicit port default to 443 instead of becoming port 0.
    $Port = if ($PortText) { [int]$PortText } else { 443 }
    $Client = $null
    $Stream = $null

    try {
        $Client = [Net.Sockets.TcpClient]::new($HostName, $Port)
        $Stream = [Net.Security.SslStream]::new($Client.GetStream(), $false,
            [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $Stream.AuthenticateAsClient($HostName)

        $PresentedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Stream.RemoteCertificate)
        [pscustomobject]@{
            Endpoint   = $Endpoint
            Subject    = $PresentedCert.Subject
            Thumbprint = $PresentedCert.Thumbprint
            NotAfter   = $PresentedCert.NotAfter
            DaysLeft   = [math]::Floor(($PresentedCert.NotAfter - (Get-Date)).TotalDays)
            # Same columns as the error row: Export-Csv takes its header from the first
            # object, so a successful first endpoint would otherwise drop the Error column.
            Error      = $null
        }
    }
    catch {
        [pscustomobject]@{
            Endpoint   = $Endpoint
            Subject    = $null
            Thumbprint = $null
            NotAfter   = $null
            DaysLeft   = $null
            Error      = $_.Exception.Message
        }
    }
    finally {
        if ($Stream) { $Stream.Dispose() }
        if ($Client) { $Client.Dispose() }
    }
}

# An empty store result is $null, and piping $null into Export-Csv fails on the
# mandatory InputObject parameter; report the empty window instead.
if ($StoreFindings) {
    $StoreFindings | Export-Csv -Path $StoreOutput -NoTypeInformation -Encoding UTF8
}
else {
    Write-Warning "No LocalMachine\My certificates expire within $Days days."
}
$EndpointFindings | Export-Csv -Path $EndpointOutput -NoTypeInformation -Encoding UTF8
$StoreFindings
$EndpointFindings

Validation

  • Every certificate inside the review window has owner, system, renewal path, and risk documented.
  • Post-renewal checks show the endpoint or store certificate now expires outside the review window.
  • The thumbprint in the service binding matches the renewed certificate where applicable.
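Step 4 of How to Use It (compare expiring certificates against IIS bindings) and the third validation bullet (binding thumbprint matches the renewed certificate) are both served by the following added example. It is not code from the original page. It assumes IIS with the WebAdministration module installed; Get-Website, Get-WebBinding and its certificateHash property are the module's own, while the function names, the site name 'Default Web Site' and the renewed-thumbprint placeholder are assumptions made for this example.

```powershell
# Added example, not code from the original page: cross-reference LocalMachine\My
# certificates against IIS HTTPS bindings (How to Use It, step 4) and verify after
# renewal that the binding references the renewed thumbprint (Validation, third bullet).
# Assumes IIS with the WebAdministration module; everything below the module's own
# cmdlets and properties is constructed for this example.
Import-Module WebAdministration -ErrorAction Stop
$Days = 45
$Now = Get-Date

# Index the whole store by thumbprint so a binding can be resolved even when its
# certificate is not (yet) inside the review window.
$StoreByThumbprint = @{}
foreach ($Cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $StoreByThumbprint[$Cert.Thumbprint.ToUpperInvariant()] = $Cert
}

function Get-IisBindingCertificateReport {
    # One row per HTTPS binding: which certificate it points at and how long that has left.
    param([int]$ReviewDays, [hashtable]$Store)
    foreach ($Site in Get-Website) {
        foreach ($Binding in @(Get-WebBinding -Name $Site.Name -Protocol https)) {
            $Hash = if ($Binding.certificateHash) { "$($Binding.certificateHash)".ToUpperInvariant() } else { $null }
            $Cert = if ($Hash) { $Store[$Hash] } else { $null }
            $DaysLeft = if ($Cert) { [math]::Floor(($Cert.NotAfter - $Now).TotalDays) } else { $null }
            $Status = if (-not $Hash) { 'no-certificate-bound' }
                      elseif (-not $Cert) { 'bound-certificate-missing-from-store' }
                      elseif ($DaysLeft -lt $ReviewDays) { 'inside-review-window' }
                      else { 'ok' }
            [pscustomobject]@{
                Site        = $Site.Name
                BindingInfo = $Binding.bindingInformation
                Thumbprint  = $Hash
                Subject     = if ($Cert) { $Cert.Subject } else { $null }
                NotAfter    = if ($Cert) { $Cert.NotAfter } else { $null }
                DaysLeft    = $DaysLeft
                Status      = $Status
            }
        }
    }
}

function Test-BindingRenewed {
    # Post-renewal check: the binding must reference the renewed thumbprint, that
    # certificate must exist in the store, and it must expire outside the review window.
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$ReviewDays,
        [hashtable]$Store
    )
    $Expected = $ExpectedThumbprint.ToUpperInvariant() -replace '[^0-9A-F]', ''   # tolerate pasted spaces/colons
    $Cert = $Store[$Expected]
    $Bound = @(Get-WebBinding -Name $SiteName -Protocol https |
        ForEach-Object { "$($_.certificateHash)".ToUpperInvariant() })
    [pscustomobject]@{
        Site                 = $SiteName
        ExpectedThumbprint   = $Expected
        BindingMatches       = ($Bound -contains $Expected)
        CertificateInStore   = [bool]$Cert
        ExpiresOutsideWindow = [bool]($Cert -and $Cert.NotAfter -gt $Now.AddDays($ReviewDays))
    }
}

$Report = Get-IisBindingCertificateReport -ReviewDays $Days -Store $StoreByThumbprint
$Report | Sort-Object DaysLeft | Format-Table -AutoSize
$Report | Export-Csv -Path '.\iis-binding-certificates.csv' -NoTypeInformation -Encoding UTF8

# After renewal, confirm the binding actually moved (placeholder thumbprint; use the renewed certificate's real one):
# Test-BindingRenewed -SiteName 'Default Web Site' -ExpectedThumbprint 'RENEWED_THUMBPRINT_PLACEHOLDER' -ReviewDays $Days -Store $StoreByThumbprint
```

A row with status bound-certificate-missing-from-store is worth the same attention as one inside the review window: the binding will fail the next time the site restarts, whatever the expiry date of the certificate that used to be there.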

Reporting

  • Export store and endpoint findings to separate CSV files for renewal tracking.
  • Capture endpoint, subject, thumbprint, expiration, and any connection error in handoff notes.
  • Promote repeated use into a certificate-risk dashboard or scheduled renewal report pack.

Safety Notes

  • This scanner does not renew, export private keys, delete, or replace certificates.
  • The TLS endpoint probe captures the presented certificate for inventory. It does not prove the certificate chain, hostname, or trust configuration is healthy.
  • Do not bypass normal certificate-owner approval, private-key handling, or change-control requirements.
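The second safety note above is the one that gets lost when the CSV is handed over: the probe accepts whatever certificate is presented, so a healthy-looking expiry date says nothing about the chain or the hostname. The following added example, not code from the original page, keeps the same accept-everything capture as the Command Starter but records an independent chain build against the local trust store and a SAN-based hostname check as separate columns, so a capture that succeeds with a broken chain is visible in the report rather than hidden. The function name is an assumption, 'example.com:443' is a placeholder target, and the hostname check is a review aid, not a full RFC 6125 matcher.

```powershell
# Added example, not code from the original page: probe one TLS endpoint, capture the
# presented certificate exactly as the Command Starter does, and record the result of
# an independent chain build and a hostname check as separate report columns.
# The capture still succeeds when validation fails; the extra columns only make that
# visible for review. 'example.com:443' is a placeholder target.
function Get-EndpointCertificateReport {
    param([Parameter(Mandatory)][string]$Endpoint)

    $HostName, $PortText = $Endpoint -split ':', 2
    $Port = if ($PortText) { [int]$PortText } else { 443 }
    $Client = $null
    $Stream = $null
    $Chain  = $null
    try {
        $Client = [Net.Sockets.TcpClient]::new($HostName, $Port)
        # Accept-everything callback: capture, not trust approval (same as the starter).
        $Stream = [Net.Security.SslStream]::new($Client.GetStream(), $false,
            [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $Stream.AuthenticateAsClient($HostName)
        $Cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new($Stream.RemoteCertificate)

        # Independent chain build against this machine's trust store (intermediates are
        # fetched via AIA where available). NoCheck keeps the probe offline-friendly; switch
        # to Online if the review also needs revocation status.
        $Chain = [Security.Cryptography.X509Certificates.X509Chain]::new()
        $Chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $ChainOk = $Chain.Build($Cert)
        $ChainStatus = @($Chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ';'

        # Hostname check against the SAN extension (OID 2.5.29.17). Format() yields
        # 'DNS Name=x' on Windows and 'DNS:x' on other platforms; both are parsed here.
        $SanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $SanNames = @(if ($SanExt) {
            [regex]::Matches($SanExt.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        } else {
            $Cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        })
        # -like turns a leading '*.' into a wildcard; a review aid, not an RFC 6125 matcher.
        $HostMatches = [bool]($SanNames | Where-Object { $HostName -like $_ })

        [pscustomobject]@{
            Endpoint      = $Endpoint
            Subject       = $Cert.Subject
            Thumbprint    = $Cert.Thumbprint
            NotAfter      = $Cert.NotAfter
            DaysLeft      = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
            ChainBuilds   = $ChainOk
            ChainStatus   = $ChainStatus
            SanNames      = ($SanNames -join ';')
            HostnameMatch = $HostMatches
            Error         = $null
        }
    }
    catch {
        [pscustomobject]@{
            Endpoint = $Endpoint; Subject = $null; Thumbprint = $null; NotAfter = $null; DaysLeft = $null
            ChainBuilds = $null; ChainStatus = $null; SanNames = $null; HostnameMatch = $null
            Error = $_.Exception.Message
        }
    }
    finally {
        if ($Chain)  { $Chain.Dispose() }
        if ($Stream) { $Stream.Dispose() }
        if ($Client) { $Client.Dispose() }
    }
}

Get-EndpointCertificateReport -Endpoint 'example.com:443' | Format-List
```

A row with ChainBuilds false or HostnameMatch false still counts as a successful capture for inventory purposes; it simply tells the certificate owner that the renewal conversation needs to cover more than the expiry date.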