<#
.Synopsis
Retrieves a certificate from a remote system and validates it against criteria
.DESCRIPTION
Retrieves a certificate from a remote system and validates it against criteria for days until expiration, signature algorithm, and key size
.EXAMPLE
Get-NetCertificateHealth -IP 8.8.8.8
Queries 8.8.8.8 on the default port of 443 and verifies that the certificate doesn't expire within 60 days, uses at least SHA256RSA, and has a key size of at least 2048 bits
It will return warning or critical results for any failing validations
.NOTES
Adapted by: Jason Wasser
Original code by: Rob VandenBrink
Inspiration
https://isc.sans.edu/forums/diary/Assessing+Remote+Certificates+with+Powershell/20645/
Modified: 1/9/2020 02:16:05 PM
Modified: 11/10/2020
Updated help from source function of Save-NetCertificate
Updated Verbiage in verbose statements for expired certificates
Added CmdletBinding So that the verbose statements are useful
#>
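function Get-NetCertificateHealth {
    # Evaluates the leaf certificate presented by $ComputerName:$Port against
    # three independent criteria and returns one object carrying an
    # OK/Warning/Critical (or Unknown) status and message for each:
    #   - validity window (days until NotAfter vs. $WarningDays / $CriticalDays)
    #   - signature algorithm friendly name vs. $WarningAlgorithm / $CriticalAlgorithm
    #   - public key size vs. $WarningKeySize / $CriticalKeySize
    # Only these properties of the certificate itself are checked here; any
    # chain-trust or hostname validation would have to happen in
    # Get-NetCertificate, which is defined elsewhere and not visible in this file.
    [CmdletBinding()]
    Param (
        # Host name or IP address to query. 'IP' alias kept for existing callers.
        [Alias('IP')]
        $ComputerName,
        [int]$Port = 443,
        # Days-until-expiry thresholds; Warning should be the larger value.
        [int]$WarningDays = 60,
        [int]$CriticalDays = 30,
        # Signature algorithm friendly names that downgrade the result. Matching
        # uses -contains, so it is exact (case-insensitive) per entry.
        [string[]]$WarningAlgorithm = ('sha1RSA'),
        [string[]]$CriticalAlgorithm = ('md5RSA'),
        # Key sizes in bits; a size below Critical is Critical, below Warning is Warning.
        [int]$CriticalKeySize = 1024,
        [int]$WarningKeySize = 2048
    )

    $Target = $ComputerName + ':' + $Port
    $NetCertificate = Get-NetCertificate -ComputerName $ComputerName -Port $Port

    # Without a certificate every check below would operate on $null and the
    # returned object would be meaningless; report the failure instead.
    if ($null -eq $NetCertificate) {
        Write-Error "No certificate was retrieved from $Target; nothing to evaluate."
        return
    }

    # One clock reading for all expiry comparisons so the three thresholds are
    # evaluated against the same instant.
    $Now = Get-Date
    $NotAfter = $NetCertificate.NotAfter
    # Whole days until expiry; negative once the certificate has expired.
    $Days = ($NotAfter - $Now).Days
    $SignatureAlgorithm = $NetCertificate.SignatureAlgorithm.FriendlyName
    # NOTE(review): .PublicKey.Key may not be populated for every key type, in
    # which case this is $null and the key-size check reports Unknown — confirm.
    $KeySize = $NetCertificate.PublicKey.Key.KeySize

    #region Check certificate expiration
    if ($NotAfter -le $Now) {
        Write-Verbose "Certificate expired: $Days days."
        $ValidityPeriodStatus = 'Critical'
        $ValidityPeriodStatusMessage = "Certificate expired: $Days days."
    }
    elseif ($NotAfter -le $Now.AddDays($CriticalDays)) {
        Write-Verbose "Certificate is expiring within $CriticalDays days."
        $ValidityPeriodStatus = 'Critical'
        $ValidityPeriodStatusMessage = "Certificate expiring in $Days days."
    }
    elseif ($NotAfter -le $Now.AddDays($WarningDays)) {
        Write-Verbose "Certificate is expiring within $WarningDays days."
        $ValidityPeriodStatus = 'Warning'
        $ValidityPeriodStatusMessage = "Certificate expiring in $Days days."
    }
    else {
        Write-Verbose "Certificate is within validity period."
        $ValidityPeriodStatus = 'OK'
        $ValidityPeriodStatusMessage = "Certificate expires in $Days days."
    }
    #endregion

    #region Check certificate algorithm
    # Critical list wins over Warning list when an algorithm appears in both.
    if ($CriticalAlgorithm -contains $SignatureAlgorithm) {
        Write-Verbose "Certificate uses critical algorithm."
        $AlgorithmStatus = 'Critical'
        $AlgorithmStatusMessage = "Certificate uses a vulnerable algorithm $SignatureAlgorithm."
    }
    elseif ($WarningAlgorithm -contains $SignatureAlgorithm) {
        Write-Verbose "Certificate uses warning algorithm."
        $AlgorithmStatus = 'Warning'
        $AlgorithmStatusMessage = "Certificate uses the deprecated algorithm $SignatureAlgorithm."
    }
    else {
        Write-Verbose "Certificate uses acceptable algorithm."
        $AlgorithmStatus = 'OK'
        $AlgorithmStatusMessage = "Certificate uses valid algorithm $SignatureAlgorithm."
    }
    #endregion

    #region Check MinimumKeySize
    Write-Verbose 'Checking minimum key length.'
    # Test for a missing key size first: a $null operand in the numeric
    # comparisons below would not reliably fall through to the Unknown branch.
    if ($null -eq $KeySize) {
        Write-Verbose 'Certificate key length is Unknown.'
        $KeySizeStatus = 'Unknown'
        $KeySizeStatusMessage = "Certificate key size is unknown."
    }
    elseif ($KeySize -lt $CriticalKeySize) {
        Write-Verbose 'Certificate key length is critical.'
        $KeySizeStatus = 'Critical'
        $KeySizeStatusMessage = "Certificate key size $KeySize is less than $CriticalKeySize."
    }
    elseif ($KeySize -lt $WarningKeySize) {
        Write-Verbose 'Certificate key length is warning.'
        $KeySizeStatus = 'Warning'
        $KeySizeStatusMessage = "Certificate key size $KeySize is less than $WarningKeySize."
    }
    else {
        Write-Verbose 'Certificate key length is OK.'
        $KeySizeStatus = 'OK'
        $KeySizeStatusMessage = "Certificate key size $KeySize is greater than or equal to $WarningKeySize."
    }
    #endregion

    Write-Verbose 'Adding additional properties to the certificate object.'
    # Property names and order are part of the output contract; keep them stable.
    [PSCustomObject][ordered]@{
        ComputerName                = $Target
        FileName                    = 'N/A'
        Subject                     = $NetCertificate.Subject
        SignatureAlgorithm          = $SignatureAlgorithm
        NotBefore                   = $NetCertificate.NotBefore
        NotAfter                    = $NotAfter
        Days                        = $Days
        Thumbprint                  = $NetCertificate.Thumbprint
        ValidityPeriodStatus        = $ValidityPeriodStatus
        ValidityPeriodStatusMessage = $ValidityPeriodStatusMessage
        AlgorithmStatus             = $AlgorithmStatus
        AlgorithmStatusMessage      = $AlgorithmStatusMessage
        KeySize                     = $KeySize
        KeySizeStatus               = $KeySizeStatus
        KeySizeStatusMessage        = $KeySizeStatusMessage
    }
}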