For each hostname in a list of DNS entries, open a TLS connection on port 443 and report whether the certificate it presents is issued by DigiCert, along with the issuer and days until expiry.
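<#
.SYNOPSIS
    For each hostname in a text file, opens a TLS connection on port 443 and reports
    whether the presented certificate was issued by DigiCert, its issuer, any
    validation errors observed, and the days left until it expires.

.PARAMETER DomainsFile
    Path to a text file with one hostname per line (default "dns.txt"). Blank lines
    and lines starting with '#' are ignored. A missing file stops the script.

.PARAMETER TimeoutMs
    Milliseconds allowed for the TCP connect and for each read/write on the TLS
    stream (default 10000).

.PARAMETER SkipDomainKeyRecords
    Drops DKIM selector hosts ("_domainkey") and long hex/alphanumeric labels from the
    list before the total is printed. The same patterns are skipped inside the loop
    regardless of this switch, so it only changes the reported count.

.NOTES
    Certificate validation is deliberately NOT disabled process-wide. A validation
    callback is attached to each SslStream so that every certificate can be inspected
    and reported; the SslPolicyErrors it observed are printed next to the issuer
    instead of being hidden.
#>
param(
    [string]$DomainsFile = "dns.txt",
    [int]$TimeoutMs = 10000,
    [switch]$SkipDomainKeyRecords
)

# Prefer TLS 1.2, plus 1.3 where the runtime exposes it (older .NET Framework builds
# do not have the Tls13 member and would throw on a direct reference). This applies to
# ServicePointManager-based clients in the session; whether SslStream consults it
# depends on the runtime, so the TLS handshake below relies on the OS default set.
$protocols = [System.Net.SecurityProtocolType]::Tls12
if ([enum]::GetNames([System.Net.SecurityProtocolType]) -contains 'Tls13') {
    $protocols = $protocols -bor [System.Net.SecurityProtocolType]::Tls13
}
[System.Net.ServicePointManager]::SecurityProtocol = $protocols

# Hostnames that are DNS-only records (DKIM selectors, long hash-like labels).
# Defined once so the pre-filter and the in-loop skip can never drift apart.
$dnsOnlyPattern = "_domainkey|^[a-f0-9]{32}\.|^[a-z0-9]{40,}\."

# One hostname per line; trim whitespace, drop blanks and '#' comments.
# @() keeps .Count meaningful when the file holds a single line.
$domains = @(Get-Content $DomainsFile -ErrorAction Stop |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

if ($SkipDomainKeyRecords) {
    $domains = @($domains | Where-Object { $_ -notmatch $dnsOnlyPattern })
}

Write-Host "Checking SSL certificates for $($domains.Count) domains..." -ForegroundColor Green
Write-Host "Timeout: $TimeoutMs ms" -ForegroundColor Yellow
Write-Host ""

foreach ($domain in $domains) {
    if ($domain -match $dnsOnlyPattern) {
        Write-Host "$domain : Skipped (DNS record, not web service)" -ForegroundColor Gray
        continue
    }

    $tcpClient = $null
    $sslStream = $null
    # Mutable holder the validation callback writes into; a hashtable is used so the
    # closure can update it by reference.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

    try {
        # TcpClient.Connect has no timeout of its own; bound it with the async form
        # so an unresponsive host honours -TimeoutMs instead of hanging.
        $tcpClient = New-Object System.Net.Sockets.TcpClient
        $connectResult = $tcpClient.BeginConnect($domain, 443, $null, $null)
        if (-not $connectResult.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw (New-Object System.TimeoutException "Connect to ${domain}:443 timed out after $TimeoutMs ms")
        }
        $tcpClient.EndConnect($connectResult)

        $netStream = $tcpClient.GetStream()
        $netStream.ReadTimeout = $TimeoutMs
        $netStream.WriteTimeout = $TimeoutMs

        # Accept every certificate for THIS stream only, but remember what validation
        # found (chain, name mismatch, ...) so it can be reported. The global
        # ServicePointManager.ServerCertificateValidationCallback is intentionally left
        # alone: setting it to {$true} would silently disable validation for every
        # HTTP client in the same PowerShell session.
        $validator = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $certificate, $chain, $errors)
            $state.Errors = $errors
            return $true
        }.GetNewClosure())

        $sslStream = New-Object System.Net.Security.SslStream($netStream, $false, $validator)
        # The hostname is sent as SNI and compared against the certificate's names.
        $sslStream.AuthenticateAsClient($domain)

        $cert = $sslStream.RemoteCertificate
        if ($cert) {
            $cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            $issuer = $cert2.Issuer
            $daysUntilExpiry = ($cert2.NotAfter - (Get-Date)).Days
            $isDigiCert = $issuer -match "DigiCert"   # -match is case-insensitive in PowerShell
            $certAuthority = if ($isDigiCert) { "DigiCert" } else { "Other" }

            # Negative days means the certificate has already expired; say so rather
            # than reporting it as merely "expiring soon".
            $expiryStatus = if ($daysUntilExpiry -lt 0) {
                " (EXPIRED $(-$daysUntilExpiry) days ago)"
            } elseif ($daysUntilExpiry -lt 30) {
                " (EXPIRES SOON: $daysUntilExpiry days)"
            } else {
                ""
            }

            $validationStatus = if ($state.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
                " (VALIDATION ERRORS: $($state.Errors))"
            } else {
                ""
            }

            $color = if ($validationStatus -or $daysUntilExpiry -lt 0) {
                'Red'
            } elseif ($isDigiCert) {
                'Green'
            } else {
                'Yellow'
            }

            Write-Host "$domain : $certAuthority - $issuer$expiryStatus$validationStatus" -ForegroundColor $color
        } else {
            Write-Host "$domain : No certificate found" -ForegroundColor Red
        }
    }
    catch [System.TimeoutException] {
        Write-Host "$domain : Timeout - No response" -ForegroundColor Magenta
    }
    catch [System.Net.Sockets.SocketException] {
        # .NET method failures surface wrapped in MethodInvocationException;
        # GetBaseException() reaches the real SocketException on every PowerShell version.
        $sockEx = $_.Exception.GetBaseException()
        if ($sockEx.SocketErrorCode -eq [System.Net.Sockets.SocketError]::HostNotFound) {
            Write-Host "$domain : DNS Error - Domain not found" -ForegroundColor Red
        } else {
            Write-Host "$domain : Socket Error - $($sockEx.Message)" -ForegroundColor Red
        }
    }
    catch [System.Security.Authentication.AuthenticationException] {
        Write-Host "$domain : SSL Error - Certificate/TLS issue - $($_.Exception.GetBaseException().Message)" -ForegroundColor Red
    }
    catch {
        Write-Host "$domain : Error - $($_.Exception.GetBaseException().Message)" -ForegroundColor Red
    }
    finally {
        # Close on every path (the original only closed on success, leaking sockets
        # for every failed host).
        if ($sslStream) { $sslStream.Close() }
        if ($tcpClient) { $tcpClient.Close() }
    }
}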