I am not aware of a way to do this check with VBS and/or WMI, since that would be a possible security hole, as it could potentially expose the private key. However, it is possible to use a regular HTTPS connection to access the public certificate information. If you connect to any secure website using IE, you can go to the "File" menu, choose "Properties", and then click the "Certificates" button. This displays a dialog box with the public certificate information for the site. You can get this information programmatically using C#.
Basically, you need to open a TCP connection to the server on port 443 and then read the SSL data. This data stream contains publicly available information about the certificate, and you can check it and extract all the necessary information from it, including the expiration date. Here is some sample code:
```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Main and the callback field belong to the same class.
static void Main(string[] args)
{
    foreach (string servername in args)
    {
        Console.WriteLine("\n\nFetching SSL cert for {0}\n", servername);
        TcpClient client = new TcpClient(servername, 443);
        SslStream sslStream = new SslStream(client.GetStream(), false, callback, null);
        try
        {
            // The handshake invokes the callback with the server certificate.
            sslStream.AuthenticateAsClient(servername);
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine("Exception: {0}", ex.Message);
            if (ex.InnerException != null)
            {
                Console.WriteLine("Inner exception: {0}", ex.InnerException.Message);
            }
            Console.WriteLine("Authentication failed - closing the connection.");
        }
        client.Close();
    }
}
```
And the code for the callback that processes the certificate information:
```csharp
static RemoteCertificateValidationCallback callback =
    delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslError)
{
    X509Certificate2 x509 = new X509Certificate2(cert);

    // Print to console information contained in the certificate.
    Console.WriteLine("Subject: {0}", x509.Subject);
    Console.WriteLine("Issuer: {0}", x509.Issuer);
    Console.WriteLine("Version: {0}", x509.Version);
    Console.WriteLine("Valid Date: {0}", x509.NotBefore);
    Console.WriteLine("Expiry Date: {0}", x509.NotAfter);
    Console.WriteLine("Thumbprint: {0}", x509.Thumbprint);
    Console.WriteLine("Serial Number: {0}", x509.SerialNumber);
    Console.WriteLine("Friendly Name: {0}", x509.PublicKey.Oid.FriendlyName);
    Console.WriteLine("Public Key Format: {0}", x509.PublicKey.EncodedKeyValue.Format(true));
    Console.WriteLine("Raw Data Length: {0}", x509.RawData.Length);

    if (sslError != SslPolicyErrors.None)
    {
        Console.WriteLine("Certificate error: " + sslError);
    }

    // Returning false rejects the certificate, so AuthenticateAsClient throws
    // AuthenticationException and Main closes the connection after printing.
    return false;
};
```
The great thing is that this approach should technically work with any web server ... I have only tested it on IIS 6 and 7.
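The same technique turned into an expiry check, as an added example that is not part of the original answer: the callback captures the certificate instead of printing it, and `Classify` compares the validity window in UTC because `NotBefore` and `NotAfter` are returned in local time. The names `CertExpiryCheck`, `Fetch` and `Classify`, the 30-day warning threshold and the `CN=sample.invalid` certificate are assumptions made for illustration; `CertificateRequest` requires .NET Framework 4.7.2 or .NET Core 2.0 and later.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class CertExpiryCheck
{
    // Capture the leaf certificate; returning false aborts the handshake,
    // so no application data is sent over the unvalidated session.
    static X509Certificate2 Fetch(string host, int port = 443)
    {
        X509Certificate2 leaf = null;
        using (var client = new TcpClient(host, port))
        using (var ssl = new SslStream(client.GetStream(), false, (s, cert, chain, errors) =>
            { if (cert != null) leaf = new X509Certificate2(cert); return false; }))
        {
            try { ssl.AuthenticateAsClient(host); }
            catch (AuthenticationException) { /* expected: the callback rejected it */ }
        }
        return leaf; // null when the server presented no certificate
    }

    // Classify the validity window against a caller-supplied UTC clock.
    static string Classify(X509Certificate2 cert, DateTime nowUtc, int warnDays)
    {
        if (nowUtc < cert.NotBefore.ToUniversalTime()) return "NOT_YET_VALID";
        double daysLeft = (cert.NotAfter.ToUniversalTime() - nowUtc).TotalDays;
        if (daysLeft < 0) return "EXPIRED";
        return daysLeft <= warnDays ? "EXPIRING" : "OK";
    }

    static void Main(string[] args)
    {
        // Constructed sample: a self-signed certificate valid for 10 more days.
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using (RSA key = RSA.Create(2048))
        using (X509Certificate2 sample = new CertificateRequest("CN=sample.invalid", key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(now.AddDays(-1), now.AddDays(10)))
        {
            Console.WriteLine("sample today: " + Classify(sample, now.UtcDateTime, 30));
            Console.WriteLine("sample +11d:  " + Classify(sample, now.UtcDateTime.AddDays(11), 30));
        }
        foreach (string host in args) // optional live hosts from the command line
        {
            X509Certificate2 cert = Fetch(host);
            Console.WriteLine(host + ": " +
                (cert == null ? "NO_CERT" : Classify(cert, DateTime.UtcNow, 30)));
        }
    }
}
```

Only the leaf certificate's dates are checked here; an intermediate that expires earlier shows up in the `chain` argument of the callback, not in this result.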