Using PowerShell to Find Expiring SSL Certificates & the Websites they’re Associated with

Have you recently received a notification about an expiring SSL certificate and don't remember where all it's used at? It's generally not an issue to figure this out with normal certificates which are issued for a single name, but if it's a wildcard certificate, it could be used on lots of different websites within your organization. The following PowerShell script retrieves all of the SSL certificate's thumbprints and their expiration dates on an individual server that has IIS installed (This has only been tested on Windows Server 2008 R2).

1Import-Module WebAdministration
2Get-ChildItem cert:\localmachine\my |
3Select-Object -Property Thumbprint, NotAfter |
4Sort-Object -Property NotAfter -Descending |
5Format-Table -AutoSize


Luckily with a wildcard certificate, the thumbprint will be the same for it across all servers. The code below can be wrapped inside of Invoke-Command to run it remotely against multiple servers to determine all the websites the certificate is used on.

1Get-ChildItem iis:\sslbindings |
2Where-Object {$_.thumbprint -eq 'DAC5BAFC7F31BE283D43496BEB3D2345097B236C'}