How do I check for valid certificates/renewals on my servers?

One of the great features of the Windows Enterprise issuing CAs, is the auto-renew option that you can set for your certificates.

BUT, when renewal time rolls around, how do you know if it’s worked? Or more specifically, are you just sitting around hoping that the auto-renewal worked and nothing breaks?


In my scenario, all servers are set to receive certificates (auto-enroll), and also to have those certificates auto-re-enrolled to reduce administrative overhead. And I needed an automated/scripted way to confirm that the auto-renewal had happened on every server (logging into every server and opening the Certificates MMC snap-in seemed like a lot of work for 500+ servers ).

The script below queries Active Directory for a list of servers (enabled and seen within the last 90 days), and then remotely checks its certificates in the Computer\Personal store.

My criteria for “the server certificate been correctly re-enrolled” was:

  • Has a certificate with the same DNS name attached, that exactly matches the servers own FQDN, and;
  • The certificate was valid for at least 90 days into the future (this is easily changed in the script if you need something different)

You might want to add a check for the issuing CA server name or something else to really make sure – but this was enough proof for my scenario – adjust to suit your needs.

The script below assumes you have the AD PowerShell module installed, and your internal firewall/Windows Firewall rules allows remote access to each server.


Apart from the CSV that gets created, I added some basic status messages on the screen (more of a sanity check for myself than anything else), which looks like this:

Leave a Reply

Your email address will not be published. Required fields are marked *