This is a simple PowerShell function that performs an HTTP GET against a specified URL, validates a few things about the X.509 certificate the server presented, and returns an object indicating whether the cert is valid and whether it will expire soon. Here's the code:
<#
.SYNOPSIS
Tests that the certificate presented by an HTTPS URL is valid and reports whether it expires soon.
.DESCRIPTION
Performs an HTTP GET against the URL and inspects the server certificate that the
request negotiated. No URL validation or redirect handling is done; you're expected
to be an adult and handle the errors.
Returns an object with three properties: Valid, ExpireSoon and DaysValid.
Valid is true if the certificate chain builds to a trusted root and the certificate
has not been revoked (this is X509Certificate2.Verify(), which does an online
revocation check but does not check that the certificate name matches the URL's host).
ExpireSoon indicates whether the certificate expires before the threshold period
(default 15 days). DaysValid is the number of whole days the certificate is still
valid for (negative if the cert has already expired).
#>
function Check-SslCert {
    Param(
        [Parameter(Mandatory=$true,
                   ValueFromPipeline=$true,
                   Position=0)]
        [string]$URL,
        [Parameter(Position=1)]
        [int]$ThresholdDays = 15
    )
    Process {
        $now = Get-Date
        ## Do a web request so the TLS handshake runs and the ServicePoint learns the server certificate
        $request = [System.Net.WebRequest]::Create($URL)
        [System.Net.HttpWebResponse]$response = $request.GetResponse()
        $response.Close()
        ## Retrieve the server certificate from the ServicePoint as an X509Certificate object
        [System.Security.Cryptography.X509Certificates.X509Certificate]$cert = $request.ServicePoint.Certificate
        ## Convert it to an X509Certificate2 (copy constructor) so NotAfter and Verify() are available
        $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $daysValid = ($cert2.NotAfter - $now).TotalDays
        return New-Object PSObject -Property @{
            "ExpireSoon" = [bool]($daysValid -lt $ThresholdDays)
            "DaysValid"  = [Math]::Floor($daysValid)
            "Valid"      = [bool]($cert2.Verify())
        }
    }
}
This function can be included in a PowerShell script that contains a list of HTTPS URLs that you want to validate on a schedule (I'm using Jenkins) and then notify when the endpoint is unavailable or the certificate has issues. Since it's expected to be used inside another script there is no explicit error handling; I leave that to you. Good luck.
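A caveat worth knowing before wiring the function into a scheduler: HttpWebRequest runs the default certificate validation during GetResponse(), so an expired, untrusted or wrong-name certificate throws a WebException before the function ever reaches Verify(). In practice Valid comes back $true whenever the call succeeds, and the "certificate has issues" case arrives as an exception rather than as a property on the result object. ServicePoint.Certificate is also a .NET Framework feature: it is filled in under Windows PowerShell 5.1, but the HttpClient-based HttpWebRequest in PowerShell 7 does not reliably populate it. The following is an added example, not code from the original post: it performs the TLS handshake itself with SslStream and a validation callback that records the leaf certificate and the handshake's policy verdict (chain trust and name match) without aborting the connection, rebuilds the chain with online revocation checking so a failure says why, and then runs a list of endpoints the way a scheduled job would. The function name Test-TlsEndpoint, the hostnames in $targets and the exit-code convention at the end are assumptions made for the example.

```powershell
function Test-TlsEndpoint {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true, Position=0)]
        [string]$URL,
        [Parameter(Position=1)]
        [int]$ThresholdDays = 15
    )
    Process {
        $uri      = [System.Uri]$URL
        $hostName = $uri.Host                       # ($host is an automatic variable, so not that name)
        $port     = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }   # the example always speaks TLS

        $result = [ordered]@{
            URL          = $URL
            Subject      = $null
            Issuer       = $null
            NotAfter     = $null
            DaysValid    = $null
            ExpireSoon   = $null
            PolicyErrors = $null    # handshake verdict: None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors
            ChainStatus  = $null    # reasons from X509Chain: Revoked, UntrustedRoot, NotTimeValid, ...
            Valid        = $false
            Error        = $null    # connection or handshake failure, reported instead of thrown
        }

        # The callback records what the server presented and returns $true so the handshake
        # completes even for a bad certificate; the verdict is reported, not enforced here.
        # GetNewClosure() binds $captured into the scriptblock that becomes the delegate.
        $captured = @{ Cert = $null; Errors = $null }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            # Copy the cert: the object handed to the callback is disposed once the handshake ends.
            $captured.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
            $captured.Errors = $sslPolicyErrors
            return $true
        }.GetNewClosure()

        $tcp = $null
        $ssl = $null
        try {
            $tcp = [System.Net.Sockets.TcpClient]::new($hostName, $port)
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($hostName)   # $hostName is sent as SNI and used for name matching
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }

        $cert = $captured.Cert
        if ($cert) {
            $result.Subject      = $cert.Subject
            $result.Issuer       = $cert.Issuer
            $result.NotAfter     = $cert.NotAfter
            $result.PolicyErrors = $captured.Errors.ToString()
            $daysValid           = ($cert.NotAfter - (Get-Date)).TotalDays
            $result.DaysValid    = [Math]::Floor($daysValid)
            $result.ExpireSoon   = [bool]($daysValid -lt $ThresholdDays)

            # Rebuild the chain with online revocation checking (what X509Certificate2.Verify() does)
            # but keep the status entries so a failed check explains itself.
            $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chainOk = $chain.Build($cert)
            $result.ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            $chain.Reset()

            # Valid means: chain builds and is not revoked AND the handshake raised no policy error
            # (so a certificate for the wrong host is reported as invalid, unlike Verify() alone).
            $result.Valid = $chainOk -and ($captured.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        [PSCustomObject]$result
    }
}

# Constructed target list for the example; swap in the endpoints you actually monitor.
$targets = @(
    'https://example.com',
    'https://expired.badssl.com',      # public test host that serves an expired certificate
    'https://wrong.host.badssl.com'    # public test host whose certificate does not match the name
)

$report = $targets | Test-TlsEndpoint -ThresholdDays 30
$report | Format-Table URL, Valid, PolicyErrors, ChainStatus, DaysValid, ExpireSoon, Error -AutoSize

# A non-zero exit code is what a Jenkins step needs to mark the build failed and send the notification.
$problems = $report | Where-Object { $_.Error -or -not $_.Valid -or $_.ExpireSoon }
if ($problems) { exit 1 }
```

Because the callback accepts everything, this function must never be used as a client that then sends data to the endpoint; it exists only to observe the certificate. The policy verdict and the chain status are both kept on the result object so that a monitoring run distinguishes "host unreachable" (Error set), "wrong certificate" (PolicyErrors or ChainStatus set) and "about to expire" (ExpireSoon) without any of them surfacing as an uncaught exception.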