How to check SSL certificate expiry on Windows IIS

On Windows IIS, certificates live in the Windows certificate store and are bound to sites. PowerShell is the quickest way to list expiry dates.

List certificate expiry with PowerShell

Enumerate the local machine certificate store and show the soonest-to-expire certificates.

Get-ChildItem Cert:\LocalMachine\My |
  Select-Object Subject, NotAfter, Thumbprint |
  Sort-Object NotAfter

From any machine with OpenSSL (including WSL), read the served certificate’s dates:

echo | openssl s_client -servername example.com -connect example.com:443 2>$null |
  openssl x509 -noout -dates

Don’t want to run this by hand every month?

SSLNudge checks Windows IIS endpoints daily and alerts you before expiry.

Tip: paste a hostname into the free SSL checker to see its expiry right now.