When you use S/MIME certificates for mail encryption, or any other type of certificate in your environment, it's good practice to check from time to time whether any of them are about to expire without being renewed. Sometimes a user is simply not connected because of holidays, or some error occurs. Then the certificate expires and we end up with a user who is totally disappointed with the level of IT service etc. :) Well, some of them understand what happened, but usually it's the other way around.

So, to check when certificates expire for all users and list those that expire within the next 30 days, simply create a new PowerShell script and run it :)

Import-Module ActiveDirectory

$days = 30

# Enabled user accounts that have at least one certificate published in userCertificate
$users = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(usercertificate=*))" -Property usercertificate
foreach ($user in $users) {
    # userCertificate is multi-valued, so check every certificate stored on the account
    foreach ($rawCert in $user.usercertificate) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$rawCert)
            Write-Host "Certificate will expire for $($user.UserPrincipalName) on $($cert.NotAfter)"
            if ($cert.NotAfter -lt [datetime]::Today.AddDays($days)) {
                # add your action code here
                Write-Host "WARNING: Certificate will expire for $($user.UserPrincipalName) on $($cert.NotAfter)"
            }
        }
        catch {
            Write-Error "Something went wrong: $_"
        }
    }
}
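
One way to fill in the "add your action code here" step, as an added example that is not part of the original script: it judges each account by its latest-expiring certificate, because an old certificate can remain in userCertificate next to its renewal and would otherwise raise a false alarm. The names Get-CertExpiryReport and New-SampleCert and the sample accounts are hypothetical; the sample data assumes PowerShell 5 or later on a .NET runtime that provides CertificateRequest.

```powershell
function Get-CertExpiryReport {
    param(
        [Parameter(Mandatory)] [object[]] $Users,  # objects with UserPrincipalName and usercertificate
        [int] $Days = 30,
        [datetime] $Now = [datetime]::Now
    )
    foreach ($user in $Users) {
        $certs = foreach ($raw in $user.usercertificate) {
            try { [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw) }
            catch { Write-Warning "Unreadable certificate for $($user.UserPrincipalName): $_" }
        }
        if (-not $certs) { continue }
        # Report on the certificate that expires last; older ones are superseded
        $latest   = $certs | Sort-Object NotAfter | Select-Object -Last 1
        $daysLeft = [math]::Floor(($latest.NotAfter - $Now).TotalDays)
        if ($daysLeft -lt $Days) {
            [pscustomobject]@{
                UserPrincipalName = $user.UserPrincipalName
                Thumbprint        = $latest.Thumbprint
                NotAfter          = $latest.NotAfter
                DaysLeft          = $daysLeft
                Status            = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }
            }
        }
    }
}

# Constructed sample input: self-signed certificates built in memory stand in for AD data
function New-SampleCert([string] $Name, [int] $ValidDays) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Name", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now   = [DateTimeOffset]::Now
    $bytes = $req.CreateSelfSigned($now.AddDays(-365), $now.AddDays($ValidDays)).RawData
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.test'; usercertificate = ,(New-SampleCert -Name alice -ValidDays 10) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.test'; usercertificate = @((New-SampleCert -Name bob -ValidDays -5), (New-SampleCert -Name bob -ValidDays 300)) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.test'; usercertificate = ,(New-SampleCert -Name carol -ValidDays -5) }
)

Get-CertExpiryReport -Users $sampleUsers -Days 30 | Format-Table -AutoSize
```

Against a real directory, pass the `$users` collection from the script above as `-Users`, and pipe the result to `Export-Csv` or a mail notification instead of `Format-Table`.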