Monitor website SSL certificate expiration

Created by: Gunnar Steinn Magnússon

In this article, you will read about monitoring website SSL certification expiration with exMon. If you are responsible for a website you know how important it is to monitor that your SSL Certificates do not expire. With exMon, you are able to receive automatic notifications if your certifications need to be renewed or are approaching expiry.

Note: If you are not yet familiar with exMon Data Governance, click here to begin.

Worked example

  1. Create a new Query in exMon and select the PowerShell data provider
  2. Paste the following snippet into the query window
  3. $minCertAge = 30 # days
    $sites = @(
    $timeoutMs = 10000
    # Disable certificate validation
    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    # Create the result DataTable
    $exMonResult= New-Object system.Data.DataTable
    # Create column definition
    $hostname = New-Object system.Data.DataColumn hostname,([string])
    $expirationDate = New-Object system.Data.DataColumn expirationDate,([datetime])
    $expirationDays = New-Object system.Data.DataColumn expirationDays,([int])
    $certName = New-Object system.Data.DataColumn certName,([string])
    $certEffectiveDate = New-Object system.Data.DataColumn certEffectiveDate,([datetime])
    $certIssuer = New-Object system.Data.DataColumn certIssuer,([string])
    foreach ($site in $sites)
        Write-Host Check $site
        $req = [Net.HttpWebRequest]::Create($site)
        $req.Timeout = $timeoutMs
        try {
            $req.GetResponse() |Out-Null
        } catch {
            Write-Host URL check error $site`: $_ -f Red
        $expDate = $req.ServicePoint.Certificate.GetExpirationDateString()
        $certExpDate = Get-Date $expDate
        [int]$certExpiresIn = ($certExpDate - $(get-date)).Days
        $certName = $req.ServicePoint.Certificate.GetName()
        $certThumbprint = $req.ServicePoint.Certificate.GetCertHashString()
        $certEffectiveDate = $req.ServicePoint.Certificate.GetEffectiveDateString()
        $certIssuer = $req.ServicePoint.Certificate.GetIssuerName()
        if ($certExpiresIn -gt $minCertAge)
            Write-Host The $site certificate expires in $certExpiresIn days [$certExpDate] -f Green
            Write-Host The $site certificate expires in $certExpiresIn days [$certExpDate] -f Red
        # Add Row
        $row = $exMonResult.NewRow();
        $row.hostname = $site;
        $row.expirationDate = $expDate;
        $row.expirationDays = $certExpiresIn;
        $row.certName = $certName;
        $row.certEffectiveDate = $certEffectiveDate;
        $row.certIssuer = $certIssuer;


  4. Replace the $sites variable with your domains and $minCertAge with your desired threshold. 

  5. Configure exMon to notify you when the certificates are due by enabling Exception Manager and Emails.

Example output from the control:

Gunnar is the author of this solution article.