Thank you for reading this post, don't forget to subscribe!

The CAExpiryMonitor tool gives you the power to anticipate:
No more forgotten expired certificates,
No more unexpected TLS failures,
No more cold sweats before a critical meeting.

With an intuitive interface, automated service, and efficient alerting, it’s the certificate monitoring solution every Windows infrastructure deserves—and for free.

You can download it below, without registration.
Please share your feedback, suggestions, and successes with me—I can’t wait to hear how it saves your services!

Why monitor your certificates?

Internal Certificate Services (ADCS) play a critical role in the security of a Windows infrastructure.
TLS, authentication, RDS, VPN, and messaging all rely on valid certificates.
A simple expiration date can cripple an entire service.

Too often, administrators are notified too late .

With CAExpiryMonitor , you benefit from automated certificate management :
alerting, monitoring and comprehensive reporting — without cloud dependency, without cost, without third-party agents.

This tool allows any administrator, even without PKI expertise, to:

• detect certificates close to expiry,

• receive a clear email alert,

• trigger a renewal before incident.

Technical prerequisites

Before installing the application, make sure your environment meets these conditions:

• Windows 10/11/Server 2016/2019/2022

• .NET Desktop Runtime 8 (required)

• PowerShell 7 (provided or automatically installed)

• PSPKI module

• nssm.exe tool (included)

• Local administrator rights

• SMTP access for sending alert emails

Step-by-step installation

1. Run CAExpiryMonitor_Setup.exein administrator mode .

2. The program installs in:
   C:\ProgramData\CAExpiryMonitor

3. The following folders are created:
   PowerShell, tools, GUI, Logs, Reports, secrets, config

4. Two shortcuts are added: Desktop and Start Menu.

5. Open the app via these shortcuts.

Interface & configuration

Tab 1 — Prerequisites

• Click Check to verify the presence of PowerShell, PSPKI, and NSSM.

• If a component is missing, click Install Missing : installation is automatic.

Tab 2 — Service & Settings

Main buttons:

• Install / Restart Service : Installs or restarts the service.

• Stop / Uninstall Service : Stops or removes the service.

• Run Now (One-Shot) : Runs an immediate scan and generates a report.

Essential parameters:

• CAName: name of your certification authority (eg: CHADERFR-CA).

• ReportsDir / LogsDir: paths to reports and logs.

• Mail: SMTP configuration (server, sender, recipients, SSL).

• Days: alert threshold before expiration.

• PreferPSPKI: Enables the use of the PSPKI module for querying.

• IncludeRevoked: Includes or does not include revoked certificates.

• Scheduling: daily, weekly, monthly or by hourly interval.

JSON configuration file

CAExpiryMonitor stores all of its settings in a single file:

C:\ProgramData\CAExpiryMonitor\config\CAExpiryMonitor.json

This file controls scheduling, alert thresholds, log folders, and email sending.

Complete example:

Quick explanation of the settings

• CAName : name of your Certification Authority (CA).

• Days : Number of days before expiration to trigger an alert.

• Mode : planning type ( DailyTime, Weekly, Monthly, Interval).

• DailyTime / IntervalHours : execution time or interval.

• ReportsDir / LogsDir : folders where reports and logs are saved.

• KeepDays : length of time old files are kept.

• Mail : SMTP configuration (server, port, SSL, sender, recipients).

• CredentialFile : SMTP credentials file encrypted with DPAPI.

• Query : CA query preferences (PSPKI, revoked certificates, row limit).

Change configuration

You can modify the configuration from the interface ( Open Config button ) or directly in PowerShell.

Examples:

notepad “C:\ProgramData\CAExpiryMonitor\config\CAExpiryMonitor.json”

Modify a value in PowerShell:

Available planning modes

• DailyTime : run every day at a fixed time
  Example:"DailyTime": "07:00"

• Interval : run every X hours
  Example:"IntervalHours": 12

• Weekly : day and time defined
  Example:"Weekly": { "DayOfWeek": "Monday", "Time": "07:00" }

• Monthly : run once a month
  Example:"Monthly": { "Day": "1", "Time": "07:00" }

Tip: For most environments, a mode DailyTimeat 07:00 is sufficient.

Logs and reports

The Logs panel allows you to:

• Refresh the list of newspapers.

• Open recent reports.

• Directly access generated CSV, HTML and ZIP files.

When a certificate is nearing expiration, a report is created and then compressed; the email contains a clear summary:

Attachment :CA_Report_20251009.zip

Service mode — continuous monitoring

The Windows service is installed via NSSM directly from the interface.
Once launched, it runs automatically according to the defined schedule (daily, weekly, monthly, or interval).
No intervention is required: CAExpiryMonitor watches 24 hours a day.

Useful PowerShell Commands

Start or stop the service:

Update and uninstall

• To update: simply relaunch the new setup (reports and configurations are preserved).

• To uninstall: Go through the Control Panel or run Uninstall.exe.

• A link to www.chader.fr is displayed at the end of the uninstallation.

Best practices and security

• Keep the file smtp.credprotected (DPAPI encrypted).

• Check test logs and emails regularly.

• Adjust the threshold Daysaccording to the duration of your certificates.

• Send only the ZIP file to reduce email size.

Conclusion

CAExpiryMonitor was born from a simple need:
never again discover an expired certificate at the worst possible moment.

Easy to deploy, completely autonomous, and free, it provides complete visibility into your Active Directory certificates.
Test it, automate it, and let it work for you.