How to Check Remote Website SSL Certificate Expiry in Batch Script

The certificates stored on your computer (for your own server or VPN) are easy to audit with standard tools. However, monitoring the life-span of an external website's SSL certificate, like your company's portal or a public API, requires a different approach. You don't have the file locally, so you must query the website's port 443 over the internet. A Batch script can use a PowerShell bridge or a tool like curl to fetch the remote certificate's metadata, allowing you to track expiration dates without ever having to visit the site in a browser.

This guide will explain how to audit remote SSL certificates.

Method 1: The PowerShell "WebQuery" (Most Reliable)

PowerShell can establish a secure connection to a URL and inspect the certificate object in memory.

@echo off
set "URL=https://www.google.com"

echo [SCAN] Querying SSL expiration for %URL%...
echo.

:: Use PowerShell to establish an HTTPS connection and read the certificate
powershell -NoProfile -Command ^
    "try {" ^
    "  $req = [Net.HttpWebRequest]::Create('%URL%');" ^
    "  $req.Timeout = 10000;" ^
    "  $resp = $req.GetResponse(); $resp.Close();" ^
    "  $cert = $req.ServicePoint.Certificate;" ^
    "  Write-Host 'Subject:' $cert.Subject;" ^
    "  Write-Host 'Expires:' $cert.GetExpirationDateString()" ^
    "} catch { Write-Host 'ERROR:' $_.Exception.Message }"

echo.
pause

Method 2: Detailed Health Audit (OpenSSL Bridge)

If you have OpenSSL installed (standard with many developer tools or Git for Windows), it provides the most forensic detail.

@echo off
set "Site=google.com"

echo [AUDIT] Fetching remote certificate details for %Site%...
echo.

:: Verify that OpenSSL is available
where openssl >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] OpenSSL is not installed or not in PATH.
    echo         Install it via Git for Windows or a standalone package.
    pause
    exit /b 1
)

:: Connect to the server and extract the certificate dates
:: -servername = Required for SNI (shared hosting / CDN environments)
echo Q | openssl s_client -servername %Site% -connect %Site%:443 2>nul | openssl x509 -noout -dates

echo.
pause

Method 3: The "Wait for Renewal" Loop

This is useful for devops scripts that need to wait until a new certificate has officially "Propagated" to a load balancer before continuing a deployment.

@echo off
set "Domain=api.myapp.com"

:Check
echo [%time%] Checking remote certificate...

powershell -NoProfile -Command ^
    "try {" ^
    "  $req = [Net.HttpWebRequest]::Create('https://%Domain%');" ^
    "  $req.Timeout = 10000;" ^
    "  $resp = $req.GetResponse(); $resp.Close();" ^
    "  Write-Host 'Expiry:' $req.ServicePoint.Certificate.GetExpirationDateString()" ^
    "} catch { Write-Host 'ERROR:' $_.Exception.Message }"

echo.
set /p "manual=Is this the new date? (Y/N): "
if /i "%manual%" neq "Y" (
    timeout /t 60 >nul
    goto :Check
)

echo [SUCCESS] New certificate detected. Continuing deployment...

How to Avoid Common Errors

Wrong Way: Using a Ping test

Pinging a website only tells you the server is on. It tells you nothing about the SSL certificate status. A server can be "On" but returning a "Certificate Expired" error to every user.

Correct Way: Use Method 1 or Method 2. These actually perform the SSL/TLS handshake and read the certificate's unique NotAfter timestamp.

Problem: Self-Signed Certificates

If the remote website uses a "Self-Signed" certificate (common in internal development), Method 1 might fail because Windows doesn't "Trust" the connection by default.

Solution: Tell the script to ignore certificate errors during the check (for auditing purposes only): [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Best Practices and Rules

1. Identify "SNI" (Server Name Indication)

On modern servers that host multiple websites on one IP (like Cloudflare or shared hosting), you must provide the hostname in your request, or the server will return the "Default" certificate rather than the one for your specific site. Method 2 uses the -servername flag for this purpose.

2. Timezone Offsets

Remote certificates often use UTC time. When interpreting the date string, be aware that the expiration might occur a few hours earlier or later than your local time would suggest.

3. Log the "Subject Alternate Names" (SAN)

A certificate might be valid for example.com but not for www.example.com. Use Method 2 (OpenSSL) to audit the SAN field if you are seeing "Invalid Name" errors.

Conclusions

Checking remote website SSL expiry via Batch script provides a powerful tool for proactively managing external dependencies. By moving beyond manual browser checks and utilizing automated queries, you ensure that your connections to critical web services never fail due to a forgotten renewal. This automated precision is essential for site reliability engineers and developers who need to maintain a 100% uptime record for their networked applications.

Method 1: The PowerShell "WebQuery" (Most Reliable)​

Method 2: Detailed Health Audit (OpenSSL Bridge)​

Method 3: The "Wait for Renewal" Loop​

How to Avoid Common Errors​

Wrong Way: Using a Ping test​

Problem: Self-Signed Certificates​

Best Practices and Rules​

1. Identify "SNI" (Server Name Indication)​

2. Timezone Offsets​

3. Log the "Subject Alternate Names" (SAN)​

Conclusions​

Table of Contents