Return days until cert expiration

check-windows-cert-expiry.ps1

# exit codes reflect this script's use as a Sensu check
# replace "YOUR ISSUER HERE" with the CA of your choice

param (
    [Parameter(Mandatory=$True)][int]$critical = $(throw "-critical - is required."),
    [Parameter(Mandatory=$True)][int]$Warning = $(throw "-warning - is required."),
    [Parameter(Mandatory=$False)][string]$computer = $env:COMPUTERNAME.Tolower()
)

$cert=$(get-childitem cert:LocalMachine\My -recurse | where-object { $_.Issuer -match "YOUR ISSUER HERE" } | select Subject,@{Name="DaysRemaining";Expression={($_.NotAfter).subtract([DateTime]::Now).days}})
$ExpiryDays=$cert.DaysRemaining

if ($ExpiryDays -gt $warning) {
  Write-Host "'$computer' Cert is expiring in $ExpiryDays Days."
  exit(0)
} elseif (($ExpiryDays -lt $warning) -and ($ExpiryDays -gt $critical)) {
  Write-Host "'$computer' Cert is expiring in $ExpiryDays Days."
  exit(1)
} elseif ($ExpiryDays -lt $critical) {
  Write-Host "'$computer' Cert is expiring in $ExpiryDays Days."
  exit(2)
} else {
  Write-Host "Not able to get Cert Expiry status for 'CN=$computer'."
  exit(3)
}

Mandatory Parameters shouldn't get default values. Will those actually throw, or does it just stop and ask for the value?
[dateTime]::now is functionally equivalent to Get-Date
I'm not a fan of Write-Host, but I'm guessing the caller only really cares about the exit codes.

Why not have the "Your issuer here" as a parameter, even if it's not mandatory and has a default value.

I like the use of exit!

In the original case, I've got a known issuer that's consistent across all use-cases, so it was hard-coded.

The use of exit reflects that this is a sensu check; 0=green, 1=yellow, 2=red, 3=unknown.

Write-host sets the body of the check-result message as displayed in Uchiwa. There may be other output options that'll work.

I'll have to look further into the throw on mandatory params.

Thanks!

I had not heard of either sensu or uchiwa before today.

…

On Wed, Aug 7, 2019, 14:54 Ryan Punt ***@***.***> wrote: In the original case, I've got a known issuer that's consistent across all use-cases, so it was hard-coded. The use of exit reflects that this is a sensu check; 0=green, 1=yellow, 2=red, 3=unknown. Write-host sets the body of the check-result message as displayed in Uchiwa. There may be other output options that'll work. I'll have to look further into the throw on mandatory params. Thanks! — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/e303c5d9ab25e28f7eaddaf7f4a6e248?email_source=notifications&email_token=ABZ5YXAXVGNLCD2SDTUVKJLQDMR7JA5CNFSM4IKCAT32YY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAFWVFA#gistcomment-2992720>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABZ5YXGWP6VYSBBX2URIA53QDMR7JANCNFSM4IKCAT3Q> .