An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
Hi Peter Stieber,
No, there is no direct way to get the list of SSL certificates with expiration dates via API.
Instead, you can use the PowerShell script below, which queries Azure Application Gateway SSL certificates using Azure Resource Graph via Search-AzGraph. It collects all application gateways, extracts the SSL certificates, decodes their base64 public certificate data, and checks which certificates expire within the specified number of days (90 by default).
PowerShell:

```powershell
[CmdletBinding()]
param(
    # Report certificates that expire within this many days
    [int]$ExpiresInDays = 90
)

# Ensure you have Azure ResourceGraph module installed and are connected
# Install-Module -Name Az.ResourceGraph -AllowClobber
# Connect-AzAccount

$pageSize = 100
$iteration = 0
$searchParams = @{
    Query   = 'where type =~ "Microsoft.Network/applicationGateways" | project id, subscriptionId, subscriptionDisplayName, resourceGroup, name, sslCertificates = properties.sslCertificates | order by id'
    First   = $pageSize
    Include = 'displayNames'
    Skip    = 0
}

# Page through the Resource Graph results until a short page is returned
$results = @()
do {
    $iteration++
    Write-Verbose "Iteration #$iteration"
    $pageResults = Search-AzGraph @searchParams
    $results += $pageResults
    $searchParams.Skip += $pageResults.Count
} while ($pageResults.Count -eq $pageSize)

$thresholdDate = (Get-Date).AddDays($ExpiresInDays)

$expiringCerts = foreach ($record in $results) {
    if ($null -eq $record.sslCertificates) { continue }

    foreach ($sslCertRecord in $record.sslCertificates) {
        # Extract the base64 public certificate data and decode it
        # Remove first 60 chars if needed - adjust if your data differs
        $base64Cert = $sslCertRecord.properties.publicCertData
        if ($base64Cert.Length -le 60) { continue }
        $trimmedBase64 = $base64Cert.Substring(60, $base64Cert.Length - 60)

        try {
            $certBytes = [System.Convert]::FromBase64String($trimmedBase64)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($certBytes)
        }
        catch {
            Write-Warning "Failed to parse certificate for $($sslCertRecord.name) in $($record.name)"
            continue
        }

        # Emit one row per certificate that expires on or before the threshold date
        if ($cert.NotAfter -le $thresholdDate) {
            [PSCustomObject]@{
                SubscriptionId     = $record.subscriptionId
                SubscriptionName   = $record.subscriptionDisplayName
                ResourceGroup      = $record.resourceGroup
                ApplicationGateway = $record.name
                CertificateName    = $sslCertRecord.name
                ExpirationDate     = $cert.NotAfter
                Thumbprint         = $cert.Thumbprint
                ImpactedListeners  = @()   # left empty: this script does not query listeners
            }
        }
    }
}

# Output expiring certificates
$expiringCerts | Format-Table -AutoSize

# Optionally export to CSV
# $expiringCerts | Export-Csv -Path "ExpiringAppGatewayCerts.csv" -NoTypeInformation
```
This script effectively gives you the list of SSL certificates on Azure Application Gateways with their expiration dates and helps you proactively manage renewals.
Please let me know if you’d like any additional edits or information included.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
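
The script above always returns an empty `ImpactedListeners` column. The following is an added example, not part of the original answer, showing one way to fill it by matching each listener's `properties.sslCertificate.id` against the certificate's resource ID. It assumes the Resource Graph query is extended to also project `id` for each certificate and `httpListeners = properties.httpListeners`; the helper name `Get-ImpactedListener` and the sample record are constructed for illustration.

```powershell
# Added example: hypothetical helper, not part of the original script.
function Get-ImpactedListener {
    param(
        # Resource ID of one entry in the gateway's sslCertificates array
        [Parameter(Mandatory)] [string]$CertificateId,
        # The same gateway's properties.httpListeners array (may be empty)
        [object[]]$HttpListeners
    )
    foreach ($listener in $HttpListeners) {
        # Plain HTTP listeners carry no sslCertificate reference, so $ref is $null
        $ref = $listener.properties.sslCertificate.id
        # ARM resource IDs are case-insensitive, so compare without regard to case
        if ($ref -and $ref -ieq $CertificateId) {
            $listener.name
        }
    }
}

# Constructed sample shaped like one Resource Graph row (placeholder IDs, not real resources)
$gwId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo' +
        '/providers/Microsoft.Network/applicationGateways/agw-demo'
$certA = "$gwId/sslCertificates/wildcard-demo"
$certB = "$gwId/sslCertificates/unused-demo"

$record = [PSCustomObject]@{
    name            = 'agw-demo'
    sslCertificates = @(
        [PSCustomObject]@{ name = 'wildcard-demo'; id = $certA }
        [PSCustomObject]@{ name = 'unused-demo';   id = $certB }
    )
    httpListeners   = @(
        [PSCustomObject]@{ name = 'https-www'; properties = [PSCustomObject]@{
            protocol = 'Https'; sslCertificate = [PSCustomObject]@{ id = $certA } } }
        [PSCustomObject]@{ name = 'https-api'; properties = [PSCustomObject]@{
            protocol = 'Https'; sslCertificate = [PSCustomObject]@{ id = $certA.ToUpper() } } }
        [PSCustomObject]@{ name = 'http-redirect'; properties = [PSCustomObject]@{
            protocol = 'Http' } }
    )
}

# One row per certificate, with the listeners that would break if it expired
$report = foreach ($cert in $record.sslCertificates) {
    [PSCustomObject]@{
        ApplicationGateway = $record.name
        CertificateName    = $cert.name
        ImpactedListeners  = @(Get-ImpactedListener -CertificateId $cert.id -HttpListeners $record.httpListeners)
    }
}
$report | Format-Table -AutoSize
```

A certificate with no matching listeners is uploaded but unused, which makes it a candidate for removal rather than renewal.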