I have this section of code that if I can merely get the script to ONLY reply with Subject that exists (which indicates the IIS cert), then I can be done... (I have the OU enumeration, and the Invoke section down, and the email of the file for scheduling in a task): [NOTE: I have the expiration set to 500 days so I can then use the script later to merely find specific expiration times] [NOTE2: $day is set in my $profile to '$day = Get-Date -Format yyyyMMdd']
    $serverlist = $serverListpath.Name
    $threshold  = 500                              # Number of days to look ahead for expiring certificates
    $deadline   = (Get-Date).AddDays($threshold)   # Cut-off date
    $c = 0                                         # Counter for the progress bar
    foreach ($server in $serverlist) {
        $c++
        if ($server -like '#*') {
            continue                               # Lines starting with '#' in the server list are comments
        }
        $p = [int](($c / $serverlist.Count) * 100)
        Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p
        if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
            #$server = "KnownIISServerHostname" #<-- to test with a hostname
            Invoke-Command -Verbose -ComputerName $server { Get-ChildItem Cert:\LocalMachine\My } |
                Where-Object { $_.NotAfter -le $deadline } |
                Select-Object PSComputerName, Subject, NotAfter,
                    @{Label = "Expires In (Days)"; Expression = { ($_.NotAfter - (Get-Date)).Days }} |
                Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation .\output\$day-ExpiringIISSSLCerts.csv
        }
    }
So where do I tweak this to get the reply to ONLY have existing "Subject" fields, not the null-Subject replies (which are RDP certificates)?
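The filter the question asks for, as an added example that is not part of the question or of either answer: a function that drops every certificate whose Subject is empty (the entries the question identifies as RDP certificates), keeps only those expiring within a threshold, and labels each one so the CSV can be sorted by urgency. The input objects below are constructed for illustration; in practice the function is fed the output of `Invoke-Command -ComputerName $server { Get-ChildItem Cert:\LocalMachine\My }` from the script above. The function name and its `Status` labels are this example's own choices.

```powershell
# Added example, not code from the question or the answers.
function Get-ExpiringCertReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Certificate,
        [int]$ThresholdDays = 500,
        [datetime]$Now = (Get-Date)     # injectable so the report is reproducible
    )
    begin { $deadline = $Now.AddDays($ThresholdDays) }
    process {
        foreach ($cert in $Certificate) {
            # This is the filter the question asks for: certificates with no
            # Subject are skipped before anything else is evaluated.
            if ([string]::IsNullOrWhiteSpace($cert.Subject)) { continue }
            # Only certificates that expire on or before the deadline are reported.
            if ($cert.NotAfter -gt $deadline) { continue }

            $days = ($cert.NotAfter - $Now).Days
            if ($days -lt 0)       { $status = 'EXPIRED'  }
            elseif ($days -le 30)  { $status = 'CRITICAL' }
            else                   { $status = 'OK'       }

            [pscustomobject]@{
                PSComputerName      = $cert.PSComputerName
                Subject             = $cert.Subject
                Thumbprint          = $cert.Thumbprint
                NotAfter            = $cert.NotAfter
                'Expires In (Days)' = $days
                Status              = $status
            }
        }
    }
}

# Constructed sample input standing in for what Invoke-Command would return.
# The hostnames, subjects and thumbprints are placeholders.
$now = Get-Date '2024-01-15'
$sample = @(
    [pscustomobject]@{ PSComputerName = 'web01'; Subject = 'CN=www.example.test';      Thumbprint = 'AA11'; NotAfter = $now.AddDays(20)  }
    [pscustomobject]@{ PSComputerName = 'web01'; Subject = '';                         Thumbprint = 'BB22'; NotAfter = $now.AddDays(200) }
    [pscustomobject]@{ PSComputerName = 'web02'; Subject = 'CN=api.example.test';      Thumbprint = 'CC33'; NotAfter = $now.AddDays(-3)  }
    [pscustomobject]@{ PSComputerName = 'web02'; Subject = 'CN=longlived.example.test'; Thumbprint = 'DD44'; NotAfter = $now.AddDays(900) }
)

$sample | Get-ExpiringCertReport -ThresholdDays 500 -Now $now |
    Sort-Object 'Expires In (Days)' |
    Format-Table -AutoSize
```

Of the four constructed entries, the empty-Subject one is dropped by the Subject check and the 900-day one by the threshold, so only the two certificates that actually need attention are reported. To plug this into the question's script, pipe the `Invoke-Command` output through `Get-ExpiringCertReport` and then into `Export-Csv` in place of the `Where-Object`/`Select-Object` stage.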
CodePudding user response:
Try to use this:
    Import-Module WebAdministration
    $CertAll   = Get-ChildItem -Path Cert:\LocalMachine\My
    $CertInUse = Get-ChildItem -Path IIS:\SslBindings
    $CertSame  = Compare-Object -ReferenceObject $CertAll -DifferenceObject $CertInUse -Property Thumbprint -IncludeEqual -ExcludeDifferent
    $CertSame | ForEach-Object { Get-ChildItem -Path Cert:\LocalMachine\My\$($_.Thumbprint) } |
        Select-Object -Property Subject, @{n = 'ExpireInDays'; e = { ($_.NotAfter - (Get-Date)).Days }}
CodePudding user response:
Since IIS certificates are your scope of concern here, I would suggest using the IIS PowerShell module to make sure you're selecting only certificates that are actually in use by IIS.
The following should pull certificates attached to sites with HTTPS (SSL) bindings. I don't currently have multiple sites on a single IIS server for testing, but theoretically this should find all of them, not just the "Default Web Site."
    $serverlist = $serverListpath.Name
    $threshold  = 500                              # Number of days to look ahead for expiring certificates
    $deadline   = (Get-Date).AddDays($threshold)   # Cut-off date
    $c = 0                                         # Counter for the progress bar
    foreach ($server in $serverlist) {
        $c++
        if ($server -like '#*') {
            continue                               # Lines starting with '#' in the server list are comments
        }
        $p = [int](($c / $serverlist.Count) * 100)
        Write-Progress -Activity "Checking $server" -Status "$p % completed" -PercentComplete $p
        if (Test-Connection -ComputerName $server -Count 2 -Quiet) {
            #$server = "KnownIISServerHostname" #<-- to test with a hostname
            # Pull certificates from existing IIS HTTPS bindings
            $certificates = Invoke-Command -Verbose -ComputerName $server {
                Import-Module IISAdministration
                $sitebindings = Get-IISSite | ForEach-Object { Get-IISSiteBinding -Name $_.Name -Protocol https }
                $thumbprints  = $sitebindings.Attributes |
                    Where-Object { $_.Name -match "certificateHash" } |
                    Select-Object -ExpandProperty Value
                $thumbprints | ForEach-Object { Get-ChildItem Cert:\LocalMachine\My\$_ }
            }
            $certificates |
                Where-Object { $_.NotAfter -le $deadline } |
                Select-Object PSComputerName, Subject, NotAfter,
                    @{Label = "Expires In (Days)"; Expression = { ($_.NotAfter - (Get-Date)).Days }} |
                Export-Csv -Force -Append -Encoding ASCII -NoTypeInformation .\output\$day-ExpiringIISSSLCerts.csv
        }
    }
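A combined version of the two answers, added here as an example and not code from either answer: the `IIS:\SslBindings` lookup from the first answer (WebAdministration module) is wrapped in a script block and run on each host with `Invoke-Command` as in the second answer, so only certificates actually referenced by an HTTPS binding come back. It adds the two failure modes a fleet-wide run hits in practice: a host that has no IIS (the module import fails, so the host is skipped with a warning rather than falling through to the whole `LocalMachine\My` store) and a binding whose thumbprint no longer matches a certificate in the store. The hostnames and output path are placeholders; the script assumes PowerShell remoting is enabled and that the `IIS:\SslBindings` items expose `Thumbprint` and `Port` properties as they do with the WebAdministration provider.

```powershell
# Added example, not code from either answer. Hostnames are placeholders.
$threshold  = 500
$deadline   = (Get-Date).AddDays($threshold)
$serverlist = @('iisweb01.example.test', 'iisweb02.example.test')
$outFile    = ".\output\$(Get-Date -Format yyyyMMdd)-ExpiringIISSSLCerts.csv"

# Runs on each remote host. Returns one object per HTTPS binding whose
# certificate can be found in LocalMachine\My, or nothing when IIS is absent.
$remoteScript = {
    try {
        Import-Module WebAdministration -ErrorAction Stop
    } catch {
        Write-Warning "$env:COMPUTERNAME: WebAdministration module not available; not an IIS host, skipping"
        return
    }
    # Only bindings that actually carry a certificate thumbprint are relevant.
    $bindings = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint }
    foreach ($b in $bindings) {
        $cert = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction SilentlyContinue
        if (-not $cert) {
            # A binding pointing at a missing certificate is itself a finding:
            # that site will fail its TLS handshake.
            Write-Warning "$env:COMPUTERNAME: binding on port $($b.Port) references thumbprint $($b.Thumbprint) but no such certificate exists in LocalMachine\My"
            continue
        }
        [pscustomobject]@{
            Port       = $b.Port
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

$results = foreach ($server in $serverlist) {
    if (-not (Test-Connection -ComputerName $server -Count 2 -Quiet)) {
        Write-Warning "$server is unreachable, skipping"
        continue
    }
    # PSComputerName is added automatically to objects returned by Invoke-Command.
    Invoke-Command -ComputerName $server -ScriptBlock $remoteScript |
        Where-Object { $_.NotAfter -le $deadline } |
        Select-Object PSComputerName, Port, Subject, Thumbprint, NotAfter,
            @{Label = 'Expires In (Days)'; Expression = { ($_.NotAfter - (Get-Date)).Days }}
}

# One CSV per run, sorted so the soonest expiry is on top; plus a console
# summary of anything inside a 30-day window for the scheduled-task log.
$results | Sort-Object NotAfter |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding ASCII -Force
$results | Where-Object { $_.'Expires In (Days)' -le 30 } | Format-Table -AutoSize
```

Because the remote script block returns only bindings that resolve to a certificate, there is no need for a Subject filter at all: an IIS HTTPS binding always points at a certificate with a Subject, so the empty-Subject entries the question wants excluded never enter the result set. The warnings are emitted on the remote side and surface locally through the remoting warning stream, which keeps them out of the CSV.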