Notify users of cert expiration…

A recent mail thread asked about querying for certificates that are about to expire and notifying their users.


You could do it a few ways. One is to run some kind of service or logon script on the clients that walks the local certificate stores and reports the cert data; that only sees machines the script actually runs on. The other is to query the CA database directly for certificates about to expire, which covers everything that CA issued regardless of where the cert ended up (but only that CA).


I thought it would be easiest to get the information directly from the CA. You can use the ICertView2 interface: open a view with the columns you need, then walk each row with EnumCertViewColumn to read the values.


You can obtain the database column names via "certutil -view" (or "certutil -schema"), then use them in the GetColumnIndex calls below. The names have to match what the schema reports, so check there first if a GetColumnIndex call fails.


I ended up with something like this. It is not quite finished, as you can see: the error checks and the mail function are still to do, but those are easy enough. The less documented part, reading the CA database through ICertView, is already done and you can build off that.


have fun!





Const CV_OUT_BASE64 = &H1

'THIS IS THE <Machinename>\CAName
CAName = "MyMachine\SpatCA"     '=======>> CHANGE THIS TO THE CORRECT MACHINE\CA==

'how many days before NotAfter a cert counts as "about to expire"
WarnDays = 30

'create the CAView object
Set oCAView = CreateObject("CertificateAuthority.View.1")

'open the connection to the Machine\CA
oCAView.OpenConnection CAName

'retrieve specific columns from DB
Index0 = oCAView.GetColumnIndex(False, "CommonName")
Index1 = oCAView.GetColumnIndex(False, "Email")
Index2 = oCAView.GetColumnIndex(False, "NotAfter")

'SetResultColumnCount must be called before SetResultColumn
oCAView.SetResultColumnCount 3
oCAView.SetResultColumn Index0
oCAView.SetResultColumn Index1
oCAView.SetResultColumn Index2

'open the view
Set RowObj = oCAView.OpenView

Do Until RowObj.Next = -1

   Set ColObj = RowObj.EnumCertViewColumn()

   CN = "" : Email = "" : NotAfter = Empty
   Do Until ColObj.Next = -1
      'GetName returns the non-localized column name, so pick each value by name
      Select Case LCase(ColObj.GetName())
         Case "commonname" : CN = ColObj.GetValue(CV_OUT_BASE64)
         Case "email"      : Email = ColObj.GetValue(CV_OUT_BASE64)
         Case "notafter"   : NotAfter = ColObj.GetValue(CV_OUT_BASE64)
      End Select
   Loop
   Set ColObj = Nothing

   'check NotAfter against the current date and warn if near\past
   If Not IsEmpty(NotAfter) Then
      DaysLeft = DateDiff("d", Now, NotAfter)
      If DaysLeft <= WarnDays Then
         wscript.echo CN & " (" & Email & ") expires " & NotAfter & " - " & DaysLeft & " days left"
         'insert the mail send here - the usual CDO examples will do.
         'Obviously you may want to use the cert email
         'attribute (Email above) to address the mail
      End If
   End If
Loop

Set RowObj = Nothing
Set oCAView = Nothing
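The same query can be driven from PowerShell, since the CertificateAuthority.View COM object is scriptable from anything that can create COM objects. The block below is an added example and is not code from the original post. It goes a step beyond the VBScript above: instead of walking every row and checking the date client-side, it asks the CA to filter with SetRestriction (issued certificates only, NotAfter between now and now + WarnDays), and it sketches the mail step with Send-MailMessage. The CA config string, the 30-day threshold, the SMTP server and the sender address are assumptions to replace with your own.

```powershell
# Added example, not from the original post: the same ICertView query from PowerShell.
# Assumptions: the CA config string, the WarnDays threshold and the mail settings below.
$CAConfig       = 'MyMachine\SpatCA'        # <Machinename>\CAName, change as for the VBScript
$WarnDays       = 30
$SmtpServer     = 'smtp.example.com'        # assumption
$From           = 'pki-alerts@example.com'  # assumption
$SendMail       = $false                    # $true to actually send; $false only lists

# ICertView constants (certview.h)
$CV_OUT_BASE64  = 1
$CVR_SEEK_EQ    = 1
$CVR_SEEK_LE    = 4
$CVR_SEEK_GE    = 8
$CVR_SORT_NONE  = 0
$DB_DISP_ISSUED = 20     # Request.Disposition value for an issued certificate

$view = New-Object -ComObject CertificateAuthority.View
$view.OpenConnection($CAConfig)

# Result columns: the count must be set before the individual columns.
$columns = 'RequestID', 'CommonName', 'Email', 'NotAfter'
$view.SetResultColumnCount($columns.Count)
foreach ($name in $columns) {
    $view.SetResultColumn($view.GetColumnIndex($false, $name))
}

# Let the CA filter: issued certs only, with NotAfter in [now, now + WarnDays].
# Revoked, pending and failed requests never reach the script this way.
$now = Get-Date
$view.SetRestriction($view.GetColumnIndex($false, 'Request.Disposition'),
                     $CVR_SEEK_EQ, $CVR_SORT_NONE, $DB_DISP_ISSUED)
$notAfterIdx = $view.GetColumnIndex($false, 'NotAfter')
$view.SetRestriction($notAfterIdx, $CVR_SEEK_GE, $CVR_SORT_NONE, $now)
$view.SetRestriction($notAfterIdx, $CVR_SEEK_LE, $CVR_SORT_NONE, $now.AddDays($WarnDays))

$rows     = $view.OpenView()
$expiring = @()
while ($rows.Next() -ne -1) {
    $cols = $rows.EnumCertViewColumn()
    $rec  = @{}                        # hashtable keys are case-insensitive, so "EMail" still matches
    while ($cols.Next() -ne -1) {
        $rec[$cols.GetName()] = $cols.GetValue($CV_OUT_BASE64)
    }
    $expiring += [pscustomobject]@{
        RequestID  = $rec['RequestID']
        CommonName = $rec['CommonName']
        Email      = $rec['Email']
        NotAfter   = $rec['NotAfter']  # VT_DATE comes back as [DateTime]
        DaysLeft   = [int][math]::Floor(($rec['NotAfter'] - $now).TotalDays)
    }
}

$expiring | Sort-Object NotAfter | Format-Table -AutoSize

if ($SendMail) {
    # One mail per address; certs with no Email attribute go to the PKI mailbox instead.
    foreach ($group in $expiring | Group-Object Email) {
        $to   = if ($group.Name) { $group.Name } else { $From }
        $body = ($group.Group | ForEach-Object {
                    "$($_.CommonName) (request $($_.RequestID)) expires $($_.NotAfter), $($_.DaysLeft) days left"
                }) -join "`n"
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $to `
            -Subject "Certificates expiring within $WarnDays days" -Body $body
    }
}
```

The account running this needs read access to the CA database (the Read permission on the CA is enough for ICertView), and the view is opened over DCOM, so the usual RPC/DCOM firewall rules apply when the script does not run on the CA itself.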







Comments (4)
  1. Nick says:


    How would you connect to the MS 2003 Cert server in PowerShell?

  2. Spat-MSFT says:

    Not being a PS guy, I am not sure of that one.  Can you ICertView from C#? If so, can't PS call it as well?

    This may be a start:

  3. Sam says:

    Thanks for this great script!

  4. PT says:

    Would you have something that runs client side, independent of any connection to a CA? Or can you point me? Thank you.
