
How to Check certificate expiry for webserver (IIS) certificates using script

Although the title says webserver certificates, the script is not limited to webserver certificates.

This script is useful for admins to check the expiry dates of server certificates and be prepared to renew or change them. If you have ideas for using this in your server environment and need help tweaking the script, do let me know.

Copy and paste the script below into a file called "CertExpiryCheck.vbs" and run it from the command line like this:

C:\> cscript certexpirycheck.vbs [SubjectName]

For example:

C:\> cscript certexpirycheck.vbs sukak

[Screenshot: CertExpiryCheck output]

* Here "sukak" is the subject name, which would usually be your domain name (FQDN).
* "Issued by" also shows "sukak" in my case, since the test was done using a self-issued certificate created with selfSSL.exe.

'**************************************************
'* CertExpiryCheck.vbs
'* Enumerate certificates with days left until expiry
'**************************************************

Option Explicit
Dim SubjectName
If WScript.Arguments.Count > 0 Then
    SubjectName = LCase(WScript.Arguments(0))
Else
    CommandUsage
End If

Dim Store, Certificates, Certificate
Const CAPICOM_LOCAL_MACHINE_STORE = 1
Const CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME = 1        
Const CAPICOM_STORE_OPEN_READ_ONLY = 0

Set Store = CreateObject("CAPICOM.Store")
Store.Open CAPICOM_LOCAL_MACHINE_STORE, "MY" ,CAPICOM_STORE_OPEN_READ_ONLY
Set Certificates = Store.Certificates.Find(CAPICOM_CERTIFICATE_FIND_SUBJECT_NAME, SubjectName, 0)

If Certificates.Count > 0 Then
    For Each Certificate In Certificates
        'Certificate.Display()    'If you want to see the cert in the UI
        WScript.Echo "*** Subject " & Certificate.SubjectName & " ***"
        WScript.Echo "Issued by " & Certificate.IssuerName
        WScript.Echo "Valid from " & Certificate.ValidFromDate & " to " & Certificate.ValidToDate
        WScript.Echo "Days to expiry " & DateDiff("d", Now(), Certificate.ValidToDate)
        WScript.Echo
    Next
Else
    WScript.Echo "No certificates with SubjectName => '" & SubjectName & "'"
End If

Set Certificates = Nothing
Set Store = Nothing

Sub CommandUsage
  MsgBox "Usage: CertExpiryCheck.vbs  [SubjectName] ", vbInformation,"CertExpiryCheck"
  WScript.Quit(1)
End Sub

Just keep in mind that you need capicom.dll to use this script. It comes by default on Windows 2003 (I guess) but might need to be downloaded and registered on other platforms like Vista. Register it with regsvr32 capicom.dll before using the script.
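
On hosts where capicom.dll is not available, the same local-store check can be written in PowerShell against the .NET X509Store class. This is an added example, not the author's script; the function name Get-CertExpiry, the -WarnDays parameter with its 30-day default, and the status labels are assumptions made for the illustration.

```powershell
# Added example, not the original CertExpiryCheck.vbs.
# Get-CertExpiry, -WarnDays and the Status labels are names chosen for this example.
function Get-CertExpiry {
    param(
        [Parameter(Mandatory = $true)][string]$SubjectName,
        [int]$WarnDays = 30    # assumed warning window; match it to your renewal lead time
    )
    # Same store the VBScript opens: local machine, "MY" (Personal), read-only.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # FindBySubjectName is a case-insensitive substring match on the subject.
        # validOnly = $false keeps expired or untrusted certificates in the result,
        # which is what an expiry report needs.
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
            $SubjectName, $false)
        $now = Get-Date
        foreach ($cert in $found) {
            $days = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
            if ($days -lt 0) { $status = 'EXPIRED' }
            elseif ($days -le $WarnDays) { $status = 'EXPIRING' }
            else { $status = 'OK' }
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                ValidFrom  = $cert.NotBefore
                ValidTo    = $cert.NotAfter
                DaysLeft   = $days
                Status     = $status
                Thumbprint = $cert.Thumbprint   # identifies which certificate to renew
            }
        }
    }
    finally {
        $store.Close()
    }
}

# "sukak" is the subject name used in the post; replace it with your own.
$report = @(Get-CertExpiry -SubjectName 'sukak' | Sort-Object DaysLeft)
if ($report.Count -eq 0) {
    Write-Output "No certificates with SubjectName => 'sukak'"
} else {
    $report | Format-Table Subject, Issuer, ValidTo, DaysLeft, Status -AutoSize
}
# Non-zero exit code lets a scheduled task or monitoring agent alert on the result.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Expired certificates show a negative DaysLeft and sort to the top of the table.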

Published Wednesday, September 12, 2007 10:40 PM by sukeshak

Comments

Thursday, September 13, 2007 4:13 AM by Shambhu

# re: How to Check certificate expiry for webserver (IIS) certificates using script

WOW. This is handy stuff for us, as we have 80+ servers. Could you please add these two features to it?

a) Send email if a certificate is about to expire in <10 days

b) Passing a list of servers / reading server names from a txt file.

Thanks.

Regards,

Shambhu

Thursday, December 27, 2007 4:40 AM by Antonio Xavier

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Hi

This is a wonderful program. But can it be modified to read a URL and collect the same details?

Thanks

Antonio Xavier

antonio_xavier@rediffmail.com

Thursday, December 27, 2007 4:51 AM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

It can be done.

I have another command line sample being written (in .NET) with more features.

Will try to add this feature with that.

Saturday, March 01, 2008 12:48 PM by Ken

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Is there a way to remotely check certificate info?  I want to run a script from computer A to check the subject of multiple remote computers.

Saturday, March 01, 2008 9:46 PM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

What is the actual scenario you are looking for?

You mentioned multiple remote computers, are you talking about multiple webservers because each of them can have 'n' number of SSL websites...

Check this sample I wrote and see if it helps... If not, explain a bit more what you are looking for.

http://www.awesomeideas.net/page/Cert-Expiry-Check.aspx

Tuesday, September 16, 2008 10:08 AM by dirk.schneider@infineon.com

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Hi,

I'm also looking for a script with which I can check all my DCs for expired certificates from my PC. I tried your script/tool, but it can only look into the local store. Can you help?

Thanks

Tuesday, October 14, 2008 9:29 AM by Martin

# re: How to Check certificate expiry for webserver (IIS) certificates using script

I need to check other servers than just the one PC the script is running from, any ideas?

The idea is to have this script running on one server, and let it check x number of other servers, not having the script running on each individual server...

Monday, February 16, 2009 5:49 AM by Dolly

# How to get certificate from certificate store on remote server using capicom.dll

I want to validate a certificate from the certificate store on a remote server.

As I am already using capicom.dll for other functionality in my application... using capicom.dll will be preferred?

Can you help/guide me on this?

Thursday, March 26, 2009 9:11 AM by Sajeed

# re: How to Check certificate expiry of computer certificate

Could you please let me know whether any port is available to reach the computer certificate, like the SSL port?

Sajeed

Wednesday, April 01, 2009 2:21 AM by Sunder Magar

# re: How to Check certificate expiry for webserver (IIS) certificates using script

I need to know how I can check the certificate expiry for all my websites hosted on one server using the same, as we have to pass the domain name here, which returns results for a particular domain. Please tell me how to do it for all at once.

Thanks

Wednesday, April 01, 2009 3:00 AM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

@Sajeed,

I'm not sure I understand your question. The default well-defined port for HTTPS is 443. But you can configure an alternate port to be used for HTTPS traffic as well.

@Sunder,

You can try this sample I wrote, which takes a text file as input where you can specify all the domain names for the websites which have SSL enabled.

http://www.awesomeideas.net/page/Cert-Expiry-Check.aspx

Wednesday, April 01, 2009 3:06 AM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

@Dolly,

Capicom does not have the ability to do stuff on remote server.

But it's possible to do what you are asking. If I get time I'll try to provide a sample in future.

Monday, June 08, 2009 12:04 PM by Perry Holloway

# re: How to Check certificate expiry for webserver (IIS) certificates using script

I'm getting the following error when running the script: VBScript runtime error: ActiveX component can't create object: 'CAPICOM.Store'... Anyone know how to resolve this issue?

Tuesday, June 09, 2009 10:59 AM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Maybe your capicom.dll is not registered.

Try the following command from the cmd prompt:

regsvr32 capicom.dll

Tuesday, July 07, 2009 7:01 AM by Senny

# re: How to Check certificate expiry for webserver (IIS) certificates using script

It is nice to hear that we have a solution, but I need to know how I can monitor the server certificates.

I already have a solution to monitor all the web URLs using their SSL port, i.e. 443. But I don't know how server certificates communicate with each other. If I knew the port details for the server certificate, then I could apply the same solution. Anyway, I don't see it communicating using port 443. Please help.

Wednesday, August 26, 2009 3:57 AM by Miron du Plessis

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Hi,

We are using Orion (SolarWinds) Application Performance Monitor and I'm trying to find a script that can remotely check target URLs and verify how many days are left until expiry.

I notice in the previous posts that there was talk of some work being done on something similar however the link to the possible script is unavailable.

Regards

Miron

Wednesday, August 26, 2009 5:21 AM by sukeshak

# re: How to Check certificate expiry for webserver (IIS) certificates using script

Miron,

Thanks for the interest in the feature. I'm in the process of writing a simple console app in C# for this, since I have received lots of requests for this feature.

If I get to finish it soon I'll post it. Send me an email so that I can update you.

(sukesh at awesomeideas dot net)
