Some certificates, such as the NDES server's Intune SSL and server certificates, are requested manually, so we need to monitor their validity period. We can use PowerShell and PRTG to do this.

Some facts about PRTG:

  • Custom scripts go in the PRTG folder C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE
  • The sensor only returns an integer value, not a string, so we calculate the number of days until the certificate expires and store it in the variable $daysToExpire

 

Create the PowerShell script below and save it as Cert_less_than_30_days.ps1 on the PRTG host.

The commented-out echo lines are used for debugging.

# Create a new object using the X509Store .NET class to open the machine certificate store on the remote server, and keep it in $store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("\\NPS01.your.domain\My", "LocalMachine")

# Open the store (0 = ReadOnly) to access the certificates inside
$store.Open(0)

$dateOfToday = Get-Date
foreach ($cert in $store.Certificates) {

    # Only report on the monitored certificate, so the sensor receives a single result
    if ($cert.Subject -notmatch "NPS01") { continue }

    # echo $cert.NotAfter.ToShortDateString()
    $daysToExpire = New-TimeSpan -Start $dateOfToday -End $cert.NotAfter
    # echo $daysToExpire.Days

    # PRTG reads the output as value:message, so emit it without a space before the colon
    if (($cert.NotAfter -le $dateOfToday.AddDays(30)) -and ($cert.NotAfter -ge $dateOfToday)) {
        Write-Host "$($daysToExpire.Days):Cert is Expiring!"
    } elseif ($cert.NotAfter -le $dateOfToday) {
        Write-Host "$($daysToExpire.Days):Cert is Expired!!!"
    } else {
        Write-Host "$($daysToExpire.Days):OK"
    }
}

$store.Close()
## Note:
## Change "NPS01.your.domain" to the server FQDN.
## Change 30 to the number of days of remaining validity at which you want the warning to be issued.
## Change NPS01 to a keyword included in the subject of the cert (the script matches on $cert.Subject).
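
An added example, not part of the original script: a variant of the same check that always hands PRTG exactly one value:message line, reporting the matching certificate that expires soonest and flagging the case where no certificate matches at all. The function name Get-PrtgCertResult, its parameters, the -9999 sentinel and the sample certificate objects are assumptions made for illustration; in real use, pass $store.Certificates instead of the constructed sample.

```powershell
# Hypothetical helper (added example, not from the original post).
function Get-PrtgCertResult {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Certificates,
        [Parameter(Mandatory)] [string] $SubjectPattern,
        [int]      $WarnDays = 30,
        [datetime] $Now = (Get-Date)
    )

    # Keep only the certificates being monitored, soonest expiry first.
    $candidates = @($Certificates |
        Where-Object { $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter)

    if ($candidates.Count -eq 0) {
        # Arbitrary sentinel (assumption): a missing certificate must not look like "OK".
        return "-9999:No certificate matching '$SubjectPattern' found"
    }

    $soonest = $candidates[0]
    # Floor so that a certificate that expired a few hours ago already counts as -1.
    $days = [int][math]::Floor(($soonest.NotAfter - $Now).TotalDays)

    if     ($days -lt 0)         { $state = 'Cert is Expired!!!' }
    elseif ($days -le $WarnDays) { $state = 'Cert is Expiring!' }
    else                         { $state = 'OK' }

    # ${days} is required: "$days:" would be parsed as a scoped variable name.
    return "${days}:$state ($($soonest.Subject))"
}

# Constructed sample data standing in for $store.Certificates.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Subject = 'CN=NPS01.your.domain'; NotAfter = $now.AddDays(200) }
    [pscustomobject]@{ Subject = 'CN=NPS01.your.domain'; NotAfter = $now.AddDays(12) }  # older cert still in the store
    [pscustomobject]@{ Subject = 'CN=OTHER.your.domain'; NotAfter = $now.AddDays(-5) }  # unrelated, must be ignored
)

# One line per call: the first reports the soonest-expiring NPS01 cert, the second the sentinel.
Get-PrtgCertResult -Certificates $sample -SubjectPattern 'NPS01'   -Now $now
Get-PrtgCertResult -Certificates $sample -SubjectPattern 'MISSING' -Now $now
```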

In PRTG, create a sensor under Custom Sensors > EXE/Script, click the dropdown after EXE/Script, and select Cert_less_than_30_days.ps1.

Also set up a Windows local admin account under the device settings.

Value type: integer.

Security Context: Use Windows Credentials of parent device.

 

Click Create. Then, after the first refresh, go to the sensor settings. Click Channel Settings next to Sensor settings. Click Value (ID2) and tick Enable Alerting based on limits.

  • Lower Warning Limit: select 3
  • Lower Error Limit: select 2
  • Error Limit Message: Cert is expired
  • Warning Limit Message: Cert is expiring.