Script: New-ExpiringCertificatesReminder.ps1 – Receive a Reminder When Certificates Have Expired/Are Expiring
Sometimes we’re so deep in projects or putting out fires that some things just get forgotten, or we don’t get that far down the “to-do” list. Some of those things aren’t that big of a deal and don’t impact users. Other tasks can have drastic impact. Such as forgetting to renew your server certificates. It’s true that some services like the phenomenal Digicert will remind-you-to-death about certs that are expiring. But not all services do that, or they do it once and are forgotten. Other certs, like internal certs, don’t generate a reminder – and some environments don’t allow, or aren’t configured to automatically renew internal certificates. So this lazy, forgetful guy decided to do something about that. A script was born.
This script monitors certificates in the Local Machine store on the local server, and sends a reminder when a cert is expiring soon, or has already expired. An example is shown below.
Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to AllSigned, RemoteSigned, or Unrestricted. The default on Windows client editions is Restricted, which prevents any script, even a code-signed one, from running; Windows Server 2012 R2 and later default to RemoteSigned. Under RemoteSigned a script downloaded from the Internet still carries the "from the web" mark and will be blocked unless it is signed, so run Unblock-File on the downloaded .ps1 first. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.
Download the script and ImageFiles.zip files from the DOWNLOAD section below. Copy the image files to a location available to all users who will receive the reminder email. I suggest a web server with public access. NOTE: These images are the SAME files and names as the ones for New-PasswordReminder.ps1, so you can use the same path if you use both scripts.
Open the script in a text editor and edit the variables in the param block to suit your needs. At a bare minimum, you need to adjust:
- $Company – this should be your company name
- $PSEmailServer – this is the email server the script will send the emails to
- $EmailFrom – this is the SMTP address that the emails will come FROM
- $EmailTo – set this to the SMTP address of the user/distribution group that should receive the reminder emails
- $HelpDeskPhone – if not empty, this appears in the email message
- $HelpDeskURL – if not empty, should be a URL to a web version of the email. If blank, the “If this email does not appear…” and “This email was sent by…” lines shown in the above example are not included.
- $ImagePath – where the images are stored. This should be publicly reachable for users checking email from mobile devices and web clients
Optionally, adjust $threshold (default 15) to set how many days before expiration the script starts reminding about a certificate. Already-expired certificates are always reported, regardless of the threshold.
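To make the check concrete, here is an added example (my own code, not the New-ExpiringCertificatesReminder.ps1 script) that does what the script is described as doing: it lists certificates in the Local Machine personal store that have expired or expire within $threshold days and mails a summary. The parameter names $PSEmailServer, $EmailFrom, $EmailTo and $Threshold mirror the script's params; the values are placeholders, and the choice of Cert:\LocalMachine\My only and the exclusion of archived certificates are my assumptions. Requires PowerShell 3.0 or later.

```powershell
# Added example, not the New-ExpiringCertificatesReminder.ps1 code.
# Lists Local Machine certificates that have expired or expire within
# $Threshold days and mails a summary. Parameter values are placeholders.
param(
    [string]$PSEmailServer = 'mail.example.com',      # assumed placeholder
    [string]$EmailFrom     = 'certmonitor@example.com', # assumed placeholder
    [string]$EmailTo       = 'helpdesk@example.com',    # assumed placeholder
    [int]$Threshold        = 15,
    [switch]$ReportOnly                                 # print instead of sending
)

function Get-ExpiringCertificate {
    param(
        [int]$Days = 15,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumption: personal store only
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.Archived } |            # skip superseded (archived) certs
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Status     = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'Expiring' }
                DaysLeft   = $daysLeft
                NotAfter   = $_.NotAfter
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                HasKey     = $_.HasPrivateKey         # a service cert normally has its key
            }
        } |
        Where-Object { $_.DaysLeft -le $Days } |       # expired certs have negative DaysLeft
        Sort-Object DaysLeft
}

$findings = @(Get-ExpiringCertificate -Days $Threshold)
if ($findings.Count -eq 0) {
    Write-Verbose "No certificates expire within $Threshold days on $env:COMPUTERNAME."
    return
}

$expired = @($findings | Where-Object { $_.Status -eq 'EXPIRED' }).Count
$subject = "[$env:COMPUTERNAME] $($findings.Count) certificate(s) need attention ($expired expired)"
# ConvertTo-Html HTML-encodes the cell values, so a certificate Subject or
# Issuer string cannot inject markup into the message.
$table = $findings | ConvertTo-Html -Fragment
$body  = "<p>Certificates in the Local Machine store on $env:COMPUTERNAME that have expired or expire within $Threshold days:</p>$table"

if ($ReportOnly) {
    $findings | Format-Table Status, DaysLeft, NotAfter, Subject -AutoSize
} else {
    # Send-MailMessage uses $PSEmailServer as its default -SmtpServer.
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $subject -Body $body -BodyAsHtml
}
```

Run it with -ReportOnly first to confirm the list matches what you expect; reading the public half of a certificate from the Local Machine store does not require administrator rights, so the check itself can run under a low-privilege account.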
Save the script.
If you don’t already have a Receive Connector in Exchange to allow PowerShell scripts to send email, create one using the information at Creating A Receive Connector To Use For Sending Email From PowerShell.
If you have certs that are already expired, or are expiring soon, you can manually run the script to test. To do that, open PowerShell and type
Once everything is done, you can run the script in Install mode:
and the script will prompt for the user password, then automatically create a scheduled task on the local server to run every day at 7:30am. Those credentials are saved with the task, so use a dedicated account with only the rights it needs (reading the Local Machine store and relaying through the receive connector), and remember to update the task when that password changes. You can open the Scheduled Tasks GUI and adjust parameters as needed, but I've found the defaults to be fine.
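As an added example (not the script's own Install mode), the same daily 7:30am task can be registered so that it runs as LOCAL SYSTEM, which avoids storing a user password with the task at all. Since the receive connector set up above allows the server to relay anonymously, no mailbox credentials are needed. This needs the ScheduledTasks module (Windows Server 2012 / Windows 8 or later) and an elevated prompt; the script path is an assumed placeholder.

```powershell
# Added example, not the script's Install mode. Registers a daily 07:30 task that
# runs the script as LOCAL SYSTEM so no password is stored with the task.
# Requires the ScheduledTasks module and an elevated PowerShell session.
$scriptPath = 'C:\Scripts\New-ExpiringCertificatesReminder.ps1'   # assumed placeholder

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File `"$scriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At '07:30'

# ServiceAccount logon type: no stored credentials, no password-change maintenance.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Cap the run time so a hung SMTP connection cannot leave the task running all day.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 15)

Register-ScheduledTask -TaskName 'New-ExpiringCertificatesReminder' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force

# Verify the registration and the principal it will run under.
Get-ScheduledTask -TaskName 'New-ExpiringCertificatesReminder' |
    Select-Object TaskName, State, @{n='RunAs'; e={ $_.Principal.UserId }}
```

If your relay connector is restricted to authenticated senders rather than the server's IP, a group Managed Service Account is the next-best choice, since its password is rotated by Active Directory and is never typed into the task.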
Repeat on any other servers you’d like to monitor.
v1.2 – 01-27-2014 – New-ExpiringCertificatesReminder.v1.2.zip
v1.0 – 09-14-2012 - New-ExpiringCertificatesReminder.v1.0.zip
ScriptImages.zip - these are the images specified in the emails
See the changelog for information on what’s changed/included in each version.