Recently, I wanted to write a PowerShell script that would check expiration on the certificates assigned for SSL/TLS on Azure Application Gateway resources.

Obtaining the certificates is easy through the SslCertificates property of the Application Gateway instance. However, it took me a while to figure out how to actually extract the base64-encoded data into an X509Certificate2 instance.

Turns out that the certificate is returned in PKCS7 format (also known as P7B), so you need to use the SignedCms class to decode it.

Some sample code:

function Test-CertExpiresSoon($cert) {
    $span = [TimeSpan]::FromDays(30)
    $today = [DateTime]::Today
    return ($cert.NotAfter - $today) -lt $span

function Decode-Certificate($certBytes) {
    $p7b = New-Object System.Security.Cryptography.Pkcs.SignedCms
    return $p7b.Certificates[0]

$gateways = Get-AzureRmApplicationGateway

foreach ($gw in $gateways) {
    foreach ($cert in $gw.SslCertificates) {
        $certBytes = [Convert]::FromBase64String($cert.PublicCertData)
        $x509 = Decode-Certificate $certBytes

        if (Test-CertExpiresSoon $x509) {
            [PSCustomObject] @{
                ResourceGroup = $gw.ResourceGroupName;
                AppGateway = $gw.Name;
                CertSubject = $x509.Subject;
                CertThumbprint = $x509.Thumbprint;
                CertExpiration = $x509.NotAfter;

A PKCS7 envelope can contain multiple certificates, so I might have to revisit this later on in case that is relevant, but it was not an issue in the original scenario.

Tomas Restrepo

Software developer located in Colombia.