An expired SSL certificate takes your website or service offline instantly — and it almost always happens at the worst possible time. Checking certificate expiry dates in advance and setting reminders to renew is one of the most straightforward things you can do to prevent an avoidable outage. Here is how to check SSL certificate expiry on Windows Server.
Check a Certificate in IIS
For websites hosted on IIS (Internet Information Services):
- Open IIS Manager (search for it in Start or open via Server Manager → Tools)
- In the left panel, click the server name
- Double-click Server Certificates
- The list shows all certificates installed on the server, with their Expiration Date in the right column
Certificates close to expiry (within 30 days) should be renewed immediately.
Check Certificates via MMC
The Microsoft Management Console certificate snap-in shows all certificates in every store on the server:
- Press Win + R, type mmc, and press Enter
- Go to File → Add/Remove Snap-in
- Add Certificates → select Computer account → Local computer
- Expand Personal → Certificates
- The Expiration Date column shows when each certificate expires
Check All Certificates via PowerShell
PowerShell can scan the certificate store and highlight any that are near expiry — useful for automating checks across multiple servers:
# List all certificates in the Personal store expiring in the next 60 days
$threshold = (Get-Date).AddDays(60)
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.NotAfter -lt $threshold} | Select-Object Subject, NotAfter, Thumbprint | Sort-Object NotAfter
Change 60 to your preferred warning window. Run this monthly as a health check.
Check All Certificate Stores
# Check all certificate stores on the local machine
Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {$_.NotAfter -and $_.NotAfter -lt (Get-Date).AddDays(90)} | Select-Object PSParentPath, Subject, NotAfter | Sort-Object NotAfter
Check a Remote Certificate (From a Client)
To check what certificate a website or server is presenting without logging into it:
# Check certificate on a remote HTTPS site
$request = [Net.WebRequest]::Create("https://yoursite.com")
$response = $request.GetResponse()
$response.Close()   # release the connection; the certificate stays on the ServicePoint
$cert = $request.ServicePoint.Certificate
[PSCustomObject]@{
    Subject = $cert.Subject
    Expiry  = $cert.GetExpirationDateString()
    Issuer  = $cert.Issuer
}
Or open a TLS connection directly with the .NET TcpClient and SslStream classes and read the certificate the server presents:
$tcp = New-Object System.Net.Sockets.TcpClient("yoursite.com", 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient("yoursite.com")   # performs the TLS handshake
$ssl.RemoteCertificate.GetExpirationDateString()
# Close the stream and the socket when done
$ssl.Close()
$tcp.Close()
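Both remote checks above use default certificate validation, so they throw an exception instead of returning a date once the certificate has already expired. The following is an added example, not code from the original article: it checks a list of endpoints, reads the certificate even when validation would fail, and reports the days remaining. The function name Get-RemoteCertExpiry, its parameters, and the host names are assumptions chosen for illustration.

```powershell
# Added example: report days remaining for the certificate each endpoint presents.
# Host names at the bottom are placeholders; replace them with your own.
function Get-RemoteCertExpiry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate for inspection only: default validation would
        # throw on an expired certificate before its dates could be read.
        # No application data is sent over this stream.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $days = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $status = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'Renew' } else { 'OK' }
            [PSCustomObject]@{
                Endpoint = "${HostName}:$Port"
                Status   = $status
                DaysLeft = $days
                NotAfter = $cert.NotAfter
                Subject  = $cert.Subject
            }
        } finally { $ssl.Dispose() }
    } catch {
        # A connection or handshake failure is reported rather than silently skipped
        [PSCustomObject]@{
            Endpoint = "${HostName}:$Port"
            Status   = "Error: $($_.Exception.Message)"
            DaysLeft = $null; NotAfter = $null; Subject = $null
        }
    } finally { $tcp.Close() }
}

# Placeholder endpoints (assumed names)
'yoursite.com', 'www.yoursite.com' |
    ForEach-Object { Get-RemoteCertExpiry -HostName $_ } |
    Sort-Object DaysLeft | Format-Table -AutoSize
```

Rows with a Status of Error sort first because their DaysLeft is empty, so unreachable endpoints are not mistaken for healthy ones.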
Set Up Automated Expiry Monitoring
Manual checks are error-prone. Automate the alert with a scheduled PowerShell script that emails you when a certificate is within 30 days of expiry:
# Email a warning when any certificate in the Personal store is within 30 days of expiry
$threshold = (Get-Date).AddDays(30)
$expiring = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.NotAfter -lt $threshold}
if ($expiring) {
    $body = $expiring | Select-Object Subject, NotAfter | Out-String
    # Placeholder sender and recipient addresses; replace with your own
    Send-MailMessage -To "recipient@example.com" -From "sender@example.com" `
        -Subject "SSL Certificate Expiry Warning on $env:COMPUTERNAME" `
        -Body $body -SmtpServer "mail.example.com"
}
Schedule this in Task Scheduler to run weekly. Free external monitoring services like UptimeRobot and StatusCake also offer SSL expiry monitoring with email alerts — worth using as a second layer of protection.
Renewing a Certificate
The renewal process depends on how the certificate was issued:
- Commercial certificate (DigiCert, Sectigo, etc.): generate a new CSR from IIS or MMC, submit it to your CA, install the returned certificate, and bind it in IIS
- Let’s Encrypt: if using Certbot or Win-ACME, certificates renew automatically every 90 days — ensure the renewal task is running and has not failed
- Internal CA (Active Directory Certificate Services): request renewal from the internal CA via the Certificates MMC snap-in or via web enrollment