Certificate Monitor

Certificate Monitor

Monitors all certificates in Root, AuthRoot, CA, and Personal("My") certificate stores. Provides status the 10 soonest to expire certificates per store that expire within next 60 days. If none expire within that window then it presents the earliest to expire certificate for that store and presents how many days to expire. Monitor status is critical when a certificate is found to expire within next 60 days.  Monitoring for the "My" certificate store is included but disabled as this store may contain a ridiculous amount of certificates and most likely none that matter. The "My" certificate store is also the local computer store's "Personal" store. "My" is the technical name the computer uses to reference the "Personal" store.

If you want to monitor the Personal ("My") store, use the following steps

  1. Edit the "Certificate Monitor"
    1. 2016-03-28_11-21-17.png
  2. Select the "Personal ("My") Monitor", then select Enable
    1. 2016-03-28_11-21-41.png

If you need help making changes to the template to alter the expiration window, use the following steps

  1. Edit the "Certificate Monitor"
    1. 2016-03-28_11-21-17.png.
  2. Select the Component and Select "Edit Script" for that component
    1. 2016-03-28_11-29-09.png
  3. Update the value for "$intThreshold", default is 60 which is 60 days. If you want to be notified sooner then update it to 90 or greater. If you want to be notified later or closer to date of expiration use 30 or 15.
    1. 2016-03-28_11-29-42.png

This monitor is only good for Windows Servers but you can monitor some Linux certificates using the SSL Expiration monitor.

UPDATE (2018-12-19) - Revision 9

     Wow, that took a long time to correct...The Personal ("My") Store was incorrectly using the CA store in the code, which would have required a change on your part to correct. I feel bad about that. I updated the monitor to      correctly use the My store for that monitor. Thank you tangles​ for letting me know!

UPDATE (2016-03-28) - Revision 6

     Now you can monitor the Personal ("My") Store! Included detailed instructions on how to enable a component or update the threshold for when you are warned of an expiring certificate.

UPDATE (2016-02-01) - Revision 5

     Bug fix. Comparison logic was inverse. I fixed the issue.

UPDATE (2016-02-01) - Revision 3

     You need to be able to edit the script to change the following values. Its rather straight forward but if anyone has any questions. Please let me know!

  • Update the threshold!
    • Current value is 60 days but you can make it whatever you want and it updates comparison values and verbiage in alerts
  • Exclude certificates using certificate subject names
    • You can exclude as many as you want but try to be specific to reduce chance of a false positive
    • Uses "Contains" comparison model so you don't have to supply the entire subject name
    • Current value is excluding "Verisign" so certificates that contain the name "Verisign" in the subject name are not monitored in this release.
      • If you need to monitor "Verisign" certificates, then comment out this line or delete the name within the quotes.
  • All, This is the author but I no longer have access to the serco.paul account.  reached out asking about window thresholds and warning versus critical. I will share some ideas on how to modify the code for each component so you can utilize threshold windows like 30-60 days and how to modify so alerts are warnings versus critical.

    Window A = less than 30 days alert critical

    Window B = 30-60 days alert warning

    Because of the way SAM monitoring works, you can only roll up to a single alert. This means you cannot mix alert levels within a single assigned script.

    If you want to have a monitor that alerts critical during window A and warning during window B, then you need to have two scripts assigned. 

    !!!!! TIP !!!!!

    Changing the thresholds in the management plane of the SAM monitor HAS NO AFFECT on this script. ONLY changes within the PowerShell script will provide you with the affect you want. 

    Threshold Alerting

    The current script defaults to an exit code of 3 which means any certificates that exceed the default threshold of 60 trigger a critical alert.

    Make a new copy of the SAM script and call it something unique. Then for each component you need to modify the following lines in the script.

    This change provides the values necessary for a window in time.

    Added new line for $dateExpireDays

    Update $intThreshold

    Update $dateDeadline

    This change provides the logic to evaluate the certificates days to expire within the window in time.

    Here is all of the code for the "My" Personal store, update line #14 based on the store you are using. 

    NOTE - I update Message to also provide the Expiration date of the certificate.

    # Exclude certificates
      # Add new subject in the format "subject here" with a comma between each subject, so one subject looks like this
      # $exludeCerts = "Part of the subject of certificate" and two or more certs looks like this
      # $exludeCerts = "Part of the subject of certificate", "Part of the subject of another certificate"
      # Try to be specific to reduce false positives
        $exludeCerts = "Verisign"
        $dateExpireDays = 730
    # Number of days to look for expiring certificates, update this value to change the threshold
        [int]$intStartThreshold = 30     # 730 days = 2 years
    	[int]$intStopThreshold = 60     # 730 days = 2 years
    #Set deadline date
        $dateDeadline = (Get-Date).AddDays($intStopThreshold)
    # Grabs the Certificate Store command and stores it in an object
        $objStore = new-object System.Security.Cryptography.X509Certificates.X509Store("\\${IP}\My","LocalMachine")
    # Opens the Cerificate store and places contents into the object as ReadOnly
    # Scans through each certificate in the store and logs each one that meets the criteria
        $count = 0
        try {
          $objStore.certificates | % {
            # boolean value, used if any of the exclude cert values are found to be appicable
              $excludeBool = $false
            # Compares each exluded cert subhect against the current certificate's subject
              foreach($name in $exludeCerts){
                If ($_.Subject.ToLower().contains($name.ToLower())){
                  $excludeBool = $true
            # If an exluded certificate is found then it's valuation is skipped
              If (!$excludeBool) {
                # If the certificate expires within the number of days described in variable $intThreshold and that value is not negative then log the certificate
                    If (($_.NotAfter -lt $dateDeadline) -and (($_.NotAfter - (Get-Date)).Days -gt 0)) { 
                            [int]$dateExpireDays = ($_.NotAfter - (Get-Date)).Days
                            If ($dateExpireDays -lt $intStopThreshold){
                                Write-Host "$dateExpireDays is less than $intStopThreshold, ($dateExpireDays -lt $intStopThreshold)"
                                If ($dateExpireDays -gt $intStartThreshold){
                                    Write-Host "$dateExpireDays is greater than $intStartThreshold, ($dateExpireDays -lt $intStartThreshold)"
                                    [string]$expireDate = $_.NotAfter
                                    [string]$strSubject = $_.Subject
                                    Write-Host "Message.$count : Certificate $strSubject Will Expire within next $intStartThreshold to $intStopThreshold days on $expireDate."
                                    Write-Host "Statistic.$count : $dateExpireDays"
                    } else {
                      If (!$dateExpireDays){
                        [int]$dateExpireDays = ($_.NotAfter - (Get-Date)).Days
                        [int]$dateExpireDaysNew = ($_.NotAfter - (Get-Date)).Days
                        If ($dateExpireDaysNew -lt $dateExpireDays){
                          If ($dateExpireDaysNew -gt 0){
                            $dateExpireDays = $dateExpireDaysNew
        catch {
          Exit 2
        if ($count -gt 0){
          Exit 2
        } else {
          If (!$dateExpireDays){
            $dateExpireDays = 730
          Write-Host "Message.$count : No Certificate Will Expire within next $intStartThreshold to $intStopThreshold days."
          Write-Host "Statistic.$count : $dateExpireDays"
          Exit 0
        Exit 0

    Alert Level

    If you want to change the alert level, then you need to modify the exit code. Here you can find SolarWinds documentation on exit codes Report status through exit codes in SAM script monitors (solarwinds.com). The default script uses an exit code of 3 if any certificates are found within our window in time.

    This change updates the exit code from 3 to 2, which updates the alert from critical to warning for any certificates found.

  • You could collect the expiration date and add it to the message. Use the following as a guide to do that

    If ($dateExpireDays -lt $intThreshold){
      [string]$expireDate = $_.NotAfter #added this line
      [string]$strSubject = $_.Subject
      Write-Host "Message.$count : Certificate $strSubject Will Expire within next $intThreshold days on $expireDate." #modified this line
      Write-Host "Statistic.$count : $dateExpireDays"

  • You cannot do it for each certificate in there because the way SAM monitors work, they roll up everything when its green/up. When a store is analyzed SAM monitoring allows storing of up to 10 messages/statistic pairs, so we can show up to 10 certificates that match the threshold and are causing an alert.

  • You have certificates in that store that are expired and no certificates that are not expired.

  • I have mine set to 60 days but when I set the thresholds to 60 warning and 30 critical it doesn't work. It only shows critical for certs over 30.