

How to Check certificate expiry for webserver (IIS) certificates using script

Although the title says webserver certificates, the script is not limited to them: it lists any certificate in the local machine's personal (MY) store whose subject matches the name you pass in.

This script is useful for admins who need to check the expiry dates of server certificates and be prepared to renew or replace them in time. If you have ideas for using this in your server environment and need help tweaking the script, let me know.

Copy and paste the script below into a file called "CertExpiryCheck.vbs" and run it from the command line like this:

C:\> cscript certexpirycheck.vbs [SubjectName]

 

C:\> cscript certexpirycheck.vbs sukak

[Screenshot: sample output of CertExpiryCheck.vbs, not reproduced here]

* Here "sukak" is the subject name to search for; for a web server certificate this is usually the site's host name (FQDN). The search is a partial match, so the name you pass will also match any certificate whose subject merely contains it.
* "Issued by" also shows "sukak" in my case because the test was done with a self-signed certificate created with SelfSSL.exe; for a CA-issued certificate you would see the issuing CA here instead.

 

'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates in the local machine's
'* personal (MY) store with days left to expiry
'**************************************************

Option Explicit

Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate

' CAPICOM constants (values from the CAPICOM reference)
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

' Open the local machine's personal store read-only; this is where
' IIS server certificates (and their private keys) are kept.
Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY", CAPICOM_STORE_OPEN_READ_ONLY

' Find matches the subject name exactly or partially (substring), so "sukak"
' also matches "sukak-test". The last argument (bFindValidOnly = False) keeps
' already-expired certificates in the result, which is what an expiry audit wants.
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, False)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display    'Uncomment to show the certificate in the Windows UI
        WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
        ' A negative value means the certificate has already expired
        WScript.Echo "Days to expiry " & DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
    ' Print to the console rather than a MsgBox, since the script is run under cscript
    WScript.Echo "Usage: cscript CertExpiryCheck.vbs <SubjectName>"
    WScript.Quit(1)
End Sub

 

Keep in mind that the script depends on capicom.dll. It ships with Windows Server 2003, but on other platforms such as Vista it has to be downloaded (the CAPICOM redistributable) and registered with "regsvr32 capicom.dll" before the script will run. CAPICOM is a 32-bit component, so on 64-bit Windows register it from, and run the script with, the 32-bit scripting host (%windir%\SysWOW64\cscript.exe); if you use the 64-bit cscript the CreateObject call fails with "ActiveX component can't create object: 'CAPICOM.Store'".
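The same check in PowerShell, added here as an example and not part of the original post, for machines where CAPICOM is not available (it is 32-bit only and deprecated; Windows PowerShell's built-in Cert: drive needs no extra DLL and works from 64-bit hosts). It mirrors the VBScript's behaviour, listing every certificate in the store when no subject is given, and adds a warning threshold and exit codes so it can be run from a scheduler or monitor. The $WarnDays default, the exit codes and the file name CertExpiryCheck.ps1 are assumptions for illustration:

```powershell
# CertExpiryCheck.ps1 (added example, not from the original post).
# Assumes Windows PowerShell 3.0 or later and the built-in Cert: provider.
# Usage: powershell -ExecutionPolicy Bypass -File .\CertExpiryCheck.ps1 -SubjectName sukak -WarnDays 30
param(
    [string]$SubjectName = "",   # substring to match in the subject, like the VBScript argument; empty = all
    [int]$WarnDays = 30,         # assumed threshold: flag anything expiring within this many days
    [string]$StoreName = "My"    # local machine personal store, where IIS server certificates live
)

$now = Get-Date

# Same scope as the VBScript: local machine store, partial (substring) subject match,
# expired certificates included so they show up in the report.
$certs = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $SubjectName -eq "" -or $_.Subject -like "*$SubjectName*" }

if (-not $certs) {
    Write-Output "No certificates with SubjectName => '$SubjectName'"
    exit 1
}

$results = foreach ($cert in $certs) {
    # Whole days remaining; negative means already expired.
    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    $state = if ($daysLeft -lt 0) { "EXPIRED" }
             elseif ($daysLeft -le $WarnDays) { "EXPIRING" }
             else { "OK" }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        DaysLeft      = $daysLeft
        State         = $state
        HasPrivateKey = $cert.HasPrivateKey   # a server cert without its key cannot be bound in IIS
    }
}

# Soonest-to-expire first, so the ones needing action are at the top.
$results | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit if anything is expired or inside the warning window (assumed convention),
# so a scheduled task or monitoring agent can alert on the return code.
if ($results | Where-Object { $_.State -ne "OK" }) { exit 2 }
exit 0
```

Thumbprint is included because several certificates can share a subject (an old and a renewed one, for instance), and it is the value you would use to tell them apart when re-binding the site in IIS.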

Comments

  • Anonymous
    September 12, 2007
    PingBack from http://msdnrss.thecoderblogs.com/2007/09/13/how-to-check-certificate-expiry-for-webserver-iis-certificates-using-script/

  • Anonymous
    September 12, 2007
WOW. This is handy stuff for us as we have 80+ servers. Could you please add these two functionalities to this? a) Send email if a certificate is about to expire in <10 days b) Passing a list of servers / reading server names from a txt file. Thanks. Regards, Shambhu

  • Anonymous
    December 26, 2007
    Hi This is a wonderful program. But can it be modified to read a URL and collect the same details. Thanks Antonio Xavier antonio_xavier@rediffmail.com

  • Anonymous
    March 01, 2008
    Is there a way to remotely check certificate info?  I want to run a script from computer A to check the subject of multiple remote computers.

  • Anonymous
    March 01, 2008
    What is the actual scenario you are looking for? You mentioned multiple remote computers, are you talking about multiple webservers because each of them can have 'n' number of SSL websites... Check this sample I wrote and see if it helps... If not explain a bit more what you are looking for http://www.awesomeideas.net/page/Cert-Expiry-Check.aspx

  • Anonymous
    September 16, 2008
Hi, I'm also looking for a script with which I want to check all my DCs for expired certificates from my PC. I tried your script/tool but it can only look into the local store. Can you help? Thanks

  • Anonymous
    October 14, 2008
    I need to check other servers than just the one PC the script is running from, any ideas? The idea is to have this script running on one server, and let it check x number of other servers, not having the script running on each individual server...

  • Anonymous
    February 15, 2009
I want to validate certificates from the certificate store on a remote server. As I am already using capicom.dll for other functionality in my application, would using capicom.dll be preferred? Can you help/guide me on this?

  • Anonymous
    March 26, 2009
Could you please let me know whether any port is available to reach the computer certificate, like the SSL port. Sajeed

  • Anonymous
    March 31, 2009
I need to know how I can check the expiry certification for all my websites hosted on one server using the same. As we have to pass the domain name here, it returns results for a particular domain. Please tell me how to do it for all at once. Thanks

  • Anonymous
    March 31, 2009
    @Sajeed, I'm not sure I understand your question. Default well defined port for HTTPS is 443. But you can configure alternate port to be used for HTTPS traffic as well. @Sunder, You can try this sample I wrote which takes a text file as input where you can specify all the domain names for the websites which has SSL enabled http://www.awesomeideas.net/page/Cert-Expiry-Check.aspx

  • Anonymous
    March 31, 2009
    @Dolly, Capicom does not have the ability to do stuff on remote server. But it's possible to do what you are asking. If I get time I'll try to provide a sample in future.

  • Anonymous
    June 09, 2009
Maybe your capicom.dll is not registered; try the following command from the cmd prompt! regsvr32 capicom.dll

  • Anonymous
    July 06, 2009
This is nice to hear that we have a solution, but I need to know how I can monitor the server certificates. I already have a solution to monitor all the web URLs using the SSL port, i.e. 443. But I don't know how server certificates communicate with each other. If I know the port details for the server certificate, then I can apply the same solution. Anyway, I don't see it communicating using port 443. Please help.

  • Anonymous
    August 25, 2009
Hi, We are using Orion (SolarWinds) Application Performance Monitor and I'm trying to find a script that can remotely check target URLs and verify how many days are left until expiry. I notice in the previous posts that there was talk of some work being done on something similar; however the link to the possible script is unavailable. Regards Miron

  • Anonymous
    August 25, 2009
Miron, Thanks for the interest in the feature. I'm in the process of writing a simple console app in C# for this since I have received lots of requests for this feature. If I get to finish it soon I'll post it. Send me an email so that I can update you. (sukesh at awesomeideas dot net)

  • Anonymous
    October 02, 2009
Hi Sukesh, Thank you for the script. I have a situation where I want to validate whether all the clients in my environment have a valid certificate and, if not, kick off renewal for the same. How can I achieve that by customizing your script?

  • Anonymous
    February 10, 2010
Hi Sukesh, I am unable to gather the certificate information of remote servers using the CertExpiryCheck tool. However, it works fine for the local machine. For remote servers, I am getting the following error message: Certificate for `Remote-Server' not found. Please advise. Best Regards,

  • Anonymous
    July 06, 2010
    The code is meant to be used only for local machines. capicom doesn't support connection to remote certificate store...