Monitoring Root CA Certificate Expiry with PRTG

PRTG Network Monitor ships with a certificate sensor which, among other things, can monitor the expiry of a certificate used on a web server. That’s great, but if you are running your own certificate authority (e.g. Active Directory Certificate Services), you might need a way to monitor the expiry of the root certificate itself. Unfortunately, PRTG doesn’t come with a sensor for this. It does, however, come with an EXE/script sensor which can run a PowerShell script to determine the expiry of the root CA certificate.

Installation

First, create the following PowerShell script in your PRTG Custom Sensors directory: C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE\Get-RootCaCertExpiryDays.ps1. The contents of the script are listed below:

Param(
    [string]$Subject
)

# PRTG EXE/Script sensors read "value:message" from stdout and use the exit
# code for the sensor state (0 = OK, 2 = system error), so fail early and
# loudly instead of computing with a missing certificate.
if (! $Subject) {
    Write-Host -NoNewline "A subject must be supplied as a parameter:Error"
    exit 2
}

# A renewed root CA can leave more than one certificate with the same subject
# in the store; keep the one that expires last. -like accepts wildcards.
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $Subject } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (! $Certificate) {
    Write-Host -NoNewline "Failed to retrieve certificate expiration date:Error"
    exit 2
}

$ExpirationDate = $Certificate.NotAfter
$DaysRemaining = ($ExpirationDate - (Get-Date)).Days
Write-Host -NoNewline "$DaysRemaining`:OK"
exit 0

Once the PowerShell script is in place, create a new EXE/Script sensor in PRTG. Choose Get-RootCaCertExpiryDays.ps1 from the EXE/Script list. In the Parameters field, specify the subject name (e.g. -Subject "CN=Some Secure Internal Root CA, DC=domain, DC=tld").

The sensor will report the days until the root CA certificate expires.
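Before registering the sensor it helps to see exactly which subjects live in the machine's Trusted Root store, which of them are already close to expiry, and what PRTG will receive when it calls the script. The following is an added example, not part of the original post or of PRTG: it lists every certificate in Cert:\LocalMachine\Root with its remaining lifetime, warns about duplicate subjects (typically a renewed CA certificate, which the sensor's -like filter would match twice), and optionally dry-runs the sensor script the way PRTG would. The 365-day warning threshold, the -Subject and -SensorScript parameters, and the Get-RootStoreExpiry function name are assumptions chosen for this example.

```powershell
# Added example (not from the original post or PRTG). Run in an elevated
# PowerShell on any domain member. Parameters and threshold are assumptions.
param(
    [int]$WarnDays = 365,
    [string]$Subject,
    [string]$SensorScript = 'C:\Program Files (x86)\PRTG Network Monitor\Custom Sensors\EXE\Get-RootCaCertExpiryDays.ps1'
)

function Get-RootStoreExpiry {
    param([int]$WarnDays)
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Sort-Object -Property NotAfter |
        ForEach-Object {
            $days = ($_.NotAfter - $now).Days
            # Expired roots and roots inside the warning window are flagged.
            $status = 'OK'
            if ($days -lt 0) { $status = 'EXPIRED' }
            elseif ($days -le $WarnDays) { $status = 'WARN' }
            [pscustomobject]@{
                Status        = $status
                DaysRemaining = $days
                NotAfter      = $_.NotAfter
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
            }
        }
}

$roots = Get-RootStoreExpiry -WarnDays $WarnDays
$roots | Format-Table -AutoSize Status, DaysRemaining, NotAfter, Subject

# Duplicate subjects: the sensor's -like filter matches all of them, so make
# sure the one that expires last is the certificate you mean to monitor.
$roots | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "Subject '$($_.Name)' appears $($_.Count) times in the Root store" }

# Dry-run the sensor as PRTG would call it: "value:message" on stdout and the
# exit code carrying the sensor state. Only runs when a subject was supplied.
if ($Subject -and (Test-Path $SensorScript)) {
    $output = & $SensorScript -Subject $Subject
    Write-Host "Sensor output: $output (exit code $LASTEXITCODE)"
}
```

Copy the Subject column value verbatim into the sensor's Parameters field as -Subject "…"; the dry-run output should read as a number followed by :OK with exit code 0, and anything else means the filter did not match a single certificate.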

Conclusion

Theoretically, in an Active Directory Certificate Services environment, you could run this script on any computer in the domain, as the root CA certificate is automatically distributed to all Windows computers by default. Not too bad!