Show expiring local Certificates using PowerShell

You always use certificates but forget when they expire until it’s too late. In this blog post, I will show you how to use a small script when starting a PowerShell session to display certificates about to expire on your Windows system.

Goal of the script

I use self-signed certificates for App Registrations in Entra ID, for example, and those expire. That’s okay and safe, of course, but updating them before they expire is more manageable than running into errors when connecting to your environment.

How the Script works

The script checks the personal certificate stores of the local computer and the current user for certificates that expire within X days or have already expired. Unless you specify a different value using the -Days parameter, the default is 14 days. It does that by checking each certificate's NotAfter value, and it displays the number of days left and the certificate's details.

Using the Script

After saving the script in c:\scripts, for example, you can run the script locally on your Windows system or a particular server (But servers should have monitoring in place to check on certificates IMHO 😀 ), which will give you something like the following results with the 14-day default value:

(I removed the domain name from the Subject and a piece of the ThumbPrint for privacy reasons)

You can see that the CurrentUser certificate expired 186 days ago and that the LocalMachine certificate will expire in 0 days, which is correct because I ran this at 10-01-2025 20:50, which is less than one day 🙂 #Coincidence

You can also specify a larger value in the -Days Parameter, and I used 50 in the example below:

(I removed the domain name from the Subject and a piece of the ThumbPrint and Issuer for privacy reasons)

Adding it to your PowerShell Profile

To remind you of expiring certificates, you can add the script to your PowerShell Profile so that it checks it each time you start a PowerShell session by following these steps:

  • Start a PowerShell session
  • run “notepad $profile”
  • Add “c:\scripts\Get-ExpiringCertificates.ps1” on a new line
  • Save and quit
  • Start a new PowerShell session, and it should display expired/expiring certificates or a nice green prompt like this:

Wrapping up

This is how you do a simple check on your computer or user certificates on your Windows system, and it keeps me from forgetting to renew them. Have a lovely weekend!

The script

Below are the script’s contents. Download and save it to c:\scripts\Get-ExpiringCertificates.ps1, for example.

param (
    [Parameter(Mandatory = $false)][int]$Days = 14
)

# Create a list of certificates in the Personal (My) store of both the computer and the user account that expire within $Days days
$ExpiringCerts = foreach ($Certificate in (Get-ChildItem Cert:).Location ) {
    foreach ($ExpiringCert in Get-ChildItem -Path "Cert:\$($Certificate)\My" | Where-Object NotAfter -LT (Get-Date).AddDays($Days)) {
        [PSCustomObject]@{
            Store            = $Certificate
            # TimeSpan.Days is truncated: 0 means less than one day left, a negative value means already expired
            DaysUntilExpired = ($ExpiringCert.NotAfter - (Get-Date)).Days
            ExpirationDate   = $ExpiringCert.NotAfter
            Friendlyname     = if ($ExpiringCert.FriendlyName) { $ExpiringCert.FriendlyName } else { "<None>" }
            Issuer           = $ExpiringCert.Issuer
            # First value of the subject; the [char[]] cast makes Split treat '=' and ',' as separate delimiters in PowerShell 7 as well
            Subject          = $ExpiringCert.Subject.Split([char[]]'=,')[1]
            ThumbPrint       = $ExpiringCert.Thumbprint
        }
    }
}

# Output to screen if found
if ($ExpiringCerts) {
    Write-Warning ("Expired/Expiring Certificates found!")
    $ExpiringCerts | Sort-Object ExpirationDate | Format-Table -AutoSize
}
else {
    Write-Host ("No expired/expiring Certificates found") -ForegroundColor Green
}

Download the script(s) from GitHub here.
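
To confirm the check works before relying on it from your profile, the following added example (not part of the original script) creates a throwaway self-signed certificate that expires in 5 days, applies the same NotAfter filter, and removes the certificate again. The subject and friendly name are constructed test values, and it assumes a Windows version where New-SelfSignedCertificate supports -NotAfter.

```powershell
# Added example: verify the expiry filter with a throwaway certificate.
# 'CN=expiry-check-test' and the friendly name are constructed test values.
$Days = 14

$testCert = New-SelfSignedCertificate -Subject 'CN=expiry-check-test' `
    -FriendlyName 'Expiry check test' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -NotAfter (Get-Date).AddDays(5)

try {
    # Same comparison the script uses: NotAfter earlier than now + $Days
    $cutoff = (Get-Date).AddDays($Days)
    $hit = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
        Where-Object { $_.Thumbprint -eq $testCert.Thumbprint -and $_.NotAfter -lt $cutoff }

    if ($hit) {
        # TimeSpan.Days truncates, so a certificate created with 5 days left reports 4
        $daysLeft = ($hit.NotAfter - (Get-Date)).Days
        Write-Host "Flagged: $($hit.Subject) expires in $daysLeft days" -ForegroundColor Green
    }
    else {
        Write-Warning 'Test certificate was not flagged; check the -Days value and the store path.'
    }
}
finally {
    # Always remove the test certificate and its private key again
    Remove-Item -Path "Cert:\CurrentUser\My\$($testCert.Thumbprint)" -DeleteKey
}
```

The truncation shown in the comment is the same reason a certificate with less than one day left is reported as 0 days.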
