Home > PowerShell > Script: New-ExpiringCertificatesReminder.ps1 – Receive a Reminder When Certificates Have Expired/Are Expiring

Script: New-ExpiringCertificatesReminder.ps1 – Receive a Reminder When Certificates Have Expired/Are Expiring

Detailed Description

Sometimes we’re so deep in projects or putting out fires that some things just get forgotten, or we don’t get that far down the “to-do” list. Some of those things aren’t that big of a deal and don’t impact users. Other tasks can have drastic impact. Such as forgetting to renew your server certificates. It’s true that some services like the phenomenal DigiCert will remind-you-to-death about certs that are expiring. But not all services do that, or they do it once and are forgotten. Other certs, like internal certs, don’t generate a reminder – and some environments don’t allow, or aren’t configured to automatically renew internal certificates. So this lazy, forgetful guy decided to do something about that. A script was born.

This script monitors certificates in the Local Machine store on the local server, and sends a reminder when a cert is expiring soon, or has already expired. An example is shown below.

Sample email about an expired certificate

Sample email about an expired certificate


Execution Policy: Third-party PowerShell scripts may require that the PowerShell Execution Policy be set to either AllSigned, RemoteSigned, or Unrestricted. The default is Restricted, which prevents scripts – even code signed scripts – from running. For more information about setting your Execution Policy, see Using the Set-ExecutionPolicy Cmdlet.

Download the script and ImageFiles.zip files from the DOWNLOAD section below. Copy the image files to a location available to all users who will receive the reminder email. I suggest a web server with public access. NOTE: These images are the SAME files and names as the ones for New-PasswordReminder.ps1, so you can use the same path if you use both scripts.

Open the script in a text editor and edit the variables in the param block to suit your needs. At a bare minimum, you need to adjust:

  • $Company – this should be your company name
  • $PSEmailServer – this is the email server the script will send the emails to
  • $EmailFrom – this is the SMTP address that the emails will come FROM
  • $EmailTo – set this to the SMTP address of the user/distribution group that should receive the reminder emails
  • $HelpDeskPhone – if not empty, this appears in the email message
  • $HelpDeskURL – if not empty, should be a URL to a web version of the email. If blank, the “If this email does not appear…” and “This email was sent by…” lines shown in the above example are not included.
  • $ImagePath – where the images are stored. This should be publicly reachable for users checking email from mobile devices and web clients

optionally, adjust $threshold from the default 15 to indicate how many days in advance the script should start reminding about an expiring certificate.

Save the script.

If you don’t already have a Receive Connector in Exchange to allow PowerShell scripts to send email, create one using the information at Creating A Receive Connector To Use For Sending Email From PowerShell.

If you have certs that are already expired, or are expiring soon, you can manually run the script to test. To do that, open PowerShell and type


Once everything is done, you can run the script in Install mode:

New-ExpiringCertificatesReminder.ps1 -Install

and the script will prompt for the user password, then automatically create a scheduled task on the local server to run every day at 7:30am. You can open the Scheduled Tasks GUI and adjust parameters as needed, but I’ve found the defaults to be fine.

Repeat on any other servers you’d like to monitor.


I’ve never been one to really solicit donations for my work. My offerings are created because *I* need to solve a problem, and once I do, it makes sense to offer the results of my work to the public. I mean, let’s face it: I can’t be the only one with that particular issue, right? Quite often, to my surprise, I’m asked why I don’t have a “donate” button so people can donate a few bucks. I’ve never really put much thought into it. But those inquiries are coming more often now, so I’m yielding to them. If you’d like to donate, you can send a few bucks via PayPal at https://www.paypal.me/PatRichard. Money collected from that will go to the costs of my website (hosting and domain names), as well as to my home lab.


v1.3 – 02-13-2017 – New-ExpiringCertificatesReminder.v1.3.zip

v1.2 – 01-27-2014 – New-ExpiringCertificatesReminder.v1.2.zip

v1.0 – 09-14-2012 - New-ExpiringCertificatesReminder.v1.0.zip

ScriptImages.zip – these are the images specified in the emails


See the changelog for information on what’s changed/included in each version.

Categories: PowerShell Tags: ,
  1. Andres
    October 9th, 2017 at 14:11 | #1

    Hi Pat I am getting this error trying to run your script, it has something to do with powershell version maybe?
    The “=” operator is missing after a named argument.
    At New-ExpiringCertificatesReminder.ps1:56 char:38
    + [CmdletBinding(SupportsShouldProcess, <<<< DefaultParameterSetName = "Default")]
    + CategoryInfo : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingEqualsInNamedArgument

    Thank you

  2. Andres
    October 9th, 2017 at 14:20 | #2

    I just saw the comment about requirement of 3.0 version


  1. September 2nd, 2016 at 09:21 | #1