Script: Checking for Expired Certificates in Exchange
I was working with a customer that had unintentionally let their Exchange certificates expire.
This resulted in a bit of a headache for the team, as users were now getting certificate warnings and mobility services were down until the certificate was replaced.
I decided to put together a script that will check and warn about expired or soon-to-expire certificates.
The script gets the certificates which have services bound to them on all Exchange 2010 client access and hub transport servers.
It checks for certificates that have expired or that will expire within the next 60 days and optionally emails the report and creates a scheduled task.
An email will only be generated if expired or expiring certificates have been detected.
```powershell
<#
.SYNOPSIS
Detects expired certificates on Exchange 2010 Client Access & Hub Transport servers

.AUTHOR
Alan.McBurney

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.

Version 1.0, August 27th, 2014

.DESCRIPTION
This script will get the certificates which have services bound to them on all Exchange 2010 client access and hub transport servers.
It checks the expiration for any certificates that are due to expire within 60 days and optionally emails the report and creates a scheduled task.
An email will only be generated if expired/expiring certificates have been detected.

.REFERENCES
Parameters, checks and scheduled tasks stolen from Steve Goodman's Exchange Environmental Reports script
http://gallery.technet.microsoft.com/exchange/Generate-Exchange-2388e7c9

.NOTES
To Do list:
Enable Authentication for SMTP
Support for Exchange 2007 & 2013

.PARAMETER SendMail
Send Mail after completion. Set to $True to enable. If enabled, -MailFrom, -MailTo, -MailServer are mandatory

.PARAMETER MailFrom
Email address to send from. Passed directly to Send-MailMessage as -From

.PARAMETER MailTo
Email address to send to. Passed directly to Send-MailMessage as -To

.PARAMETER MailServer
SMTP Mail server to attempt to send through. Passed directly to Send-MailMessage as -SmtpServer

.PARAMETER ScheduleAs
Attempt to schedule the command just executed weekly. Specify the username here, schtasks (under the hood) will ask for a password later.

.EXAMPLE
Get-ExpiringEx2K10Certs
#>
param(
    [parameter(Position=1,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Send Mail ($True/$False)')][bool]$SendMail=$false,
    [parameter(Position=2,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail From')][string]$MailFrom,
    [parameter(Position=3,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail To')]$MailTo,
    [parameter(Position=4,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Mail Server')][string]$MailServer,
    [parameter(Position=5,Mandatory=$false,ValueFromPipeline=$false,HelpMessage='Schedule as user')][string]$ScheduleAs
)

# Check PowerShell version
if ((Get-Host).Version.Major -eq 1)
{
    throw "PowerShell Version 1 not supported"
}

# Check Exchange Management Shell, attempt to load
if (!(Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue))
{
    if (Test-Path "C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1")
    {
        . 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'
        Connect-ExchangeServer -auto
    }
    elseif (Test-Path "C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1")
    {
        Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.Admin
        . 'C:\Program Files\Microsoft\Exchange Server\bin\Exchange.ps1'
    }
    else
    {
        throw "Exchange Management Shell cannot be loaded"
    }
}

# Check if -SendMail parameter set and if so check -MailFrom, -MailTo and -MailServer are set
if ($SendMail)
{
    if (!$MailFrom -or !$MailTo -or !$MailServer)
    {
        throw "If -SendMail specified, you must also specify -MailFrom, -MailTo and -MailServer"
    }
}

$Path = Get-Location
$Dir = $Path.ToString()
$HTMLReport = $Dir + "\ExpiredCerts.html"

# Exchange 2010 (AdminDisplayVersion 14.x) servers holding the Hub Transport or Client Access role
$CASServers = Get-ExchangeServer | Where-Object {$_.AdminDisplayVersion -match "Version 14" -and $_.ServerRole -match [regex]'Hub|Client'}

# Certificates with at least one service bound that have expired or expire within 60 days.
# @() forces an array so that .Count works when exactly one certificate is returned (PowerShell 2.0).
$Certs = @(Foreach ($srv in $CASServers)
{
    Get-ExchangeCertificate -Server $srv |
        Where-Object {$_.NotAfter -le (Get-Date).AddDays(60) -and $_.Services -ne "None"} |
        Select @{n="Server";e={$srv.name}}, @{n="Expiry Date";e={$_.NotAfter}}, Thumbprint, Services, Issuer, Subject
})

$Certs | ConvertTo-Html | Out-File $HTMLReport

if ($SendMail)
{
    if ($Certs.Count -gt 0)
    {
        Send-MailMessage -Attachments $HTMLReport -To $MailTo -From $MailFrom -Subject "Warning - Expired Exchange Certificates Detected" -Body "Expired or soon to be expired certificates have been detected on Exchange Servers. Please see attached file for certificates affected" -SmtpServer $MailServer
    }
}

if ($ScheduleAs)
{
    $params = ""
    if ($SendMail)
    {
        $params += ' -SendMail:$true'
        $params += " -MailFrom:$MailFrom -MailTo:$MailTo -MailServer:$MailServer"
    }
    # Command line for the weekly task: change to the script's directory, then re-run this script with the same parameters
    $task = "powershell -c \""pushd $dir; $($myinvocation.mycommand.definition) $params\"""
    schtasks /Create /RU $ScheduleAs /RP /SC WEEKLY /ST 22:00 /TN ExpiredCerts /TR $task
}
```
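The script above reports expired and soon-to-expire certificates as one list. The following is an added example, not the author's code, that separates the two cases and reports the days remaining for each certificate, so that an already-expired binding can be triaged ahead of one that still has weeks left. It runs offline on any machine with PowerShell: the `Get-CertificateExpiryStatus` function and the `EX01`/`EX02` servers, thumbprints and `contoso.example` names are constructed for the demonstration, and the sample objects only mimic the `NotAfter`, `Services`, `Thumbprint` and `Subject` properties that `Get-ExchangeCertificate` returns.

```powershell
# Added example (not part of the original post): classify certificates by time to expiry.
# Accepts any object exposing NotAfter, Services, Thumbprint and Subject, so the same
# function can be fed from Get-ExchangeCertificate on a real server or from sample data.

function Get-CertificateExpiryStatus
{
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Certificate,
        [int]$WarningDays = 60,
        [datetime]$Now = (Get-Date)
    )
    process
    {
        # Skip certificates with no Exchange service bound, as the original script does
        if ($Certificate.Services -eq "None") { return }

        # Whole days until NotAfter; negative once the certificate has expired
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        if ($daysLeft -lt 0)                { $status = "Expired" }
        elseif ($daysLeft -le $WarningDays) { $status = "ExpiringSoon" }
        else                                { $status = "OK" }

        New-Object PSObject -Property @{
            Server        = $Certificate.Server
            Thumbprint    = $Certificate.Thumbprint
            Subject       = $Certificate.Subject
            Services      = $Certificate.Services
            NotAfter      = $Certificate.NotAfter
            DaysRemaining = $daysLeft
            Status        = $status
        }
    }
}

# Constructed sample data standing in for Get-ExchangeCertificate output (hypothetical values).
$now = Get-Date "2014-08-27"
$sampleCerts = @(
    New-Object PSObject -Property @{ Server="EX01"; Thumbprint="AAAA1111"; Subject="CN=mail.contoso.example";         Services="IIS, SMTP"; NotAfter=$now.AddDays(-3) },
    New-Object PSObject -Property @{ Server="EX01"; Thumbprint="BBBB2222"; Subject="CN=EX01";                          Services="SMTP";      NotAfter=$now.AddDays(45) },
    New-Object PSObject -Property @{ Server="EX02"; Thumbprint="CCCC3333"; Subject="CN=old.contoso.example";          Services="None";      NotAfter=$now.AddDays(-200) },
    New-Object PSObject -Property @{ Server="EX02"; Thumbprint="DDDD4444"; Subject="CN=autodiscover.contoso.example"; Services="IIS";       NotAfter=$now.AddDays(400) }
)

# @() keeps .Count meaningful on PowerShell 2.0 even when a single object comes back.
# Expired certificates sort first because their DaysRemaining is negative.
$findings = @($sampleCerts | Get-CertificateExpiryStatus -WarningDays 60 -Now $now |
    Where-Object { $_.Status -ne "OK" } |
    Sort-Object DaysRemaining)

if ($findings.Count -gt 0)
{
    $findings | Format-Table Server, Status, DaysRemaining, Services, Subject -AutoSize
}
```

With the sample data, the unbound `old.contoso.example` certificate is ignored, `mail.contoso.example` is reported as Expired with -3 days, `EX01` as ExpiringSoon with 45 days, and the autodiscover certificate is filtered out as OK. To run it against a real server, replace `$sampleCerts` with the output of `Get-ExchangeCertificate -Server $srv` and add a `Server` property via a calculated `Select` expression, as the original script does; `$findings` can then be piped into the same `ConvertTo-Html` and `Send-MailMessage` steps.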