Some certificates, such as the NDES server's Intune SSL and server certificates, are requested manually, so we need to monitor their validity period. We can use PowerShell and PRTG to do this.


On the PRTG host, go to the folder C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE

Create the PowerShell script below and save it there as Cert_less_than_30_days.ps1:

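# Change "" into the FQDN of the server whose certificates are monitored
$server = ""

# Create a new object from the X509Store .NET class for the machine certificate store ("My") on that server and keep it in the $store variable
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\$server\My", "LocalMachine")

# Open the store (read-only) to access the certificates inside
$store.Open("ReadOnly")

# $ExpiringCerts: monitored certificates (friendly name matches "NDES") that expire within 30 days
$ExpiringCerts = $store.Certificates | Where-Object {($_.NotAfter -le (Get-Date).AddDays(30)) -and ($_.FriendlyName -match "NDES")}

# $ExpiredCerts: monitored certificates that have already expired
$ExpiredCerts = $store.Certificates | Where-Object {($_.NotAfter -le (Get-Date)) -and ($_.FriendlyName -match "NDES")}

$store.Close()

# Debug output for interactive runs only; PRTG expects a single value:message line
# $ExpiringCerts | Format-List

# Check expired first: an expired certificate also matches the 30-day filter
if ($ExpiredCerts) {
    Write-Host "1:Expired"
} elseif ($ExpiringCerts) {
    Write-Host "2:Expiring"
} else {
    Write-Host "3:OK"
}
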

## For this to work, give the monitored cert a friendly name.

## Change "" into the server FQDN.

## Change 30 into the number of days of remaining validity at which you want the warning to be issued.

## Change NDES into the keyword included in the friendly name of the cert.

In PRTG, add a sensor: Custom Sensors > EXE/Script. In the dropdown next to EXE/Script, select Cert_less_than_30_days.ps1.

Value type: integer.

Security Context: Use Windows Credentials of parent device.


Click Create. After the first refresh, go to the sensor settings. Click Channel Settings next to Sensor settings. Click Value (ID2) and tick Enable Alerting based on limits.

  • Lower Warning Limit: select 3
  • Lower Error Limit: select 2
  • Error Limit Message: Cert is expired
  • Warning Limit Message: Cert is expiring.
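
To check that each sensor value is produced before relying on the alert, the classification can be run against throwaway self-signed certificates. This is an added example, not part of the original script; the helper Get-SensorState, the test friendly names and the use of the per-user store are assumptions made for the test.

```powershell
# Added example: throwaway certificates with constructed names and dates.
$keyword  = "NDES"                   # keyword the sensor matches in the friendly name
$warnDays = 30                       # warning threshold in days
$location = "Cert:\CurrentUser\My"   # assumption: per-user store, no admin rights needed

# Hypothetical helper: returns the value:message line for a set of certificates.
function Get-SensorState {
    param($Certificates, [string]$Keyword, [int]$WarnDays)
    $now = Get-Date
    $monitored = @($Certificates | Where-Object { $_.FriendlyName -match $Keyword })
    # Expired is tested first because an expired certificate also passes the warning filter.
    if ($monitored | Where-Object { $_.NotAfter -le $now }) { return "1:Expired" }
    if ($monitored | Where-Object { $_.NotAfter -le $now.AddDays($WarnDays) }) { return "2:Expiring" }
    return "3:OK"
}

# Constructed cases: days of validity left and the line the sensor should return.
$cases = @(
    @{ Name = "PRTG-TEST NDES valid";    Days = 365; Expect = "3:OK" },
    @{ Name = "PRTG-TEST NDES expiring"; Days = 10;  Expect = "2:Expiring" },
    @{ Name = "PRTG-TEST NDES expired";  Days = -1;  Expect = "1:Expired" },
    @{ Name = "PRTG-TEST unrelated";     Days = 10;  Expect = "3:OK" }   # no keyword, ignored
)

$failed = 0
foreach ($c in $cases) {
    $new = New-SelfSignedCertificate -Subject "CN=prtg-sensor-test" -FriendlyName $c.Name `
        -CertStoreLocation $location -NotBefore (Get-Date).AddDays(-60) `
        -NotAfter (Get-Date).AddDays($c.Days)
    $path = "$location\$($new.Thumbprint)"
    try {
        # Read the certificate back from the store, as the sensor script does.
        $got = Get-SensorState -Certificates (Get-Item $path) -Keyword $keyword -WarnDays $warnDays
        if ($got -ne $c.Expect) { $failed++ }
        "{0,-26} expected {1,-11} got {2}" -f $c.Name, $c.Expect, $got
    } finally {
        Remove-Item -Path $path -DeleteKey   # remove the test certificate and its private key
    }
}
if ($failed) { throw "$failed case(s) returned the wrong sensor value" }
```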