No Cert Left Behind
April 29, 2026
Image Credit: Peter Herrmann via Unsplash.
Generate a report of expiring certificates from your Active Directory Certificate Services Certificate Authority.
This script checks ADCS Certificate Authorities for issued certificate requests that expire in the next 30 days. Specify a list of the template identifiers that you want to check; the script matches them by template OID, Name, or DisplayName, finds expiring certificates issued from those templates, and then sends a report as directed. It is recommended to ignore certain templates that are always automatically renewed by computers and users.
Depends on the PSPKI module and the AD Certificate Services RSAT feature.
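The matching and lookup described above, sketched as an added example (not this project's script). The watch-list entries are constructed placeholders and the variable names are assumptions; the cmdlets are from PSPKI.

```powershell
# Added example, not the project's script. Requires PSPKI and the ADCS RSAT tools.
Import-Module PSPKI

# Hypothetical watch list; each entry may be a template OID, Name, or DisplayName.
$MonitoredTemplates = @(
    'WebServer'                      # Name
    'Example Internal TLS'           # DisplayName (constructed)
    '1.3.6.1.4.1.311.21.8.1.2.3.4'   # OID (constructed placeholder)
)
$Now    = Get-Date
$Cutoff = $Now.AddDays(30)

# Resolve the watch list against the templates published in AD.
$Resolved = @(Get-CertificateTemplate | Where-Object {
    $MonitoredTemplates -contains $_.Name -or
    $MonitoredTemplates -contains $_.DisplayName -or
    $MonitoredTemplates -contains $_.OID.Value
})

# A typo in the watch list would silently stop monitoring that template, so flag it.
foreach ($Id in $MonitoredTemplates) {
    $Hit = $Resolved | Where-Object { $Id -in $_.Name, $_.DisplayName, $_.OID.Value }
    if (-not $Hit) { Write-Warning "No template matches '$Id'" }
}

# The CA database records the template as an OID (v2+ templates) or a name (v1 templates).
$Keys = @($Resolved | ForEach-Object { $_.OID.Value; $_.Name }) | Select-Object -Unique

# Query every CA that is visible in the current forest for certificates expiring in the window.
$Expiring = foreach ($CA in Get-CertificationAuthority) {
    Get-IssuedRequest -CertificationAuthority $CA -Filter "NotAfter -ge $Now", "NotAfter -le $Cutoff" |
        Where-Object { $Keys -contains $_.CertificateTemplate } |
        Select-Object @{ n = 'CA'; e = { $CA.DisplayName } },
            RequestID, CommonName, CertificateTemplate, NotAfter,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - $Now).TotalDays } }
}

$Expiring | Sort-Object NotAfter | Format-Table -AutoSize
```

Leaving auto-enrolled templates out of `$MonitoredTemplates` keeps the report limited to certificates that need manual renewal.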
To Do:
- Add checks for prerequisites
- Turn into function(s)
- Take parameters for recipients and report output type
- Get CAs in all domains in AD forest
- Add error handling
- Show all template names (and optionally use Out-GridView/Out-ConsoleGridView to select desired templates)
- Use OGV to generate a text file containing templates and then use that file as list of monitored certificate templates for expiring certificates report