InCommon Certificate Reporting
Preparing for Automated Certificate Renewals from InCommon/Sectigo
2025-10-20
It's time to start gearing up for the upcoming changes to SSL certificate lifespans. We're working through a lengthy and diverse list of services that we issue certificates for, so I wrote a script that pulls the issued certificates from the InCommon Certificate Manager report API and separates those requested via ACME from those that weren't. This lets us track progress and identify the services that still need to be moved to an automated renewal process.
Fetching certificates from the InCommon (Sectigo) Certificate Manager
# Prompt for the Certificate Manager account; the username and password are
# sent as request headers, so keep this script out of shared logs/history.
$credential = Get-Credential

$headers = @{
    "Content-Type" = "application/json"
    "login"        = $credential.UserName
    "password"     = $credential.GetNetworkCredential().Password
    "customerUri"  = "InCommon"
}

# ISSUED status = 2, Expiration Date Attribute = 3
$Argument = @{
    "certificateStatus"        = "2"
    "certificateDateAttribute" = "3"
} | ConvertTo-Json

try {
    $Response = Invoke-RestMethod -Uri 'https://cert-manager.com/api/report/v1/ssl-certificates' `
        -Method Post `
        -Headers $headers `
        -Body $Argument
}
catch {
    Write-Error -Message "Failed to retrieve certificates. Exception: $($_.Exception.Message)"
    return
}

# Pass 1: certificates whose most recent issuance was NOT requested via ACME.
$non_acme_certs = @()
foreach ($cert in $Response.reports) {
    # All certificates sharing this common name (always includes $cert itself)
    if ($certs = $Response.reports | Where-Object { $cert.commonName -eq $_.commonName }) {
        # If multiple certs exist with the same common name, look only at the latest
        if ($certs.Count -gt 1) {
            $last = $certs | Sort-Object issued | Select-Object -Last 1
            if ($last.requestedVia -eq "ACME") {
                Write-Output "Ignoring certs for $($cert.commonName), latest requested via ACME"
            }
            elseif ($last.expires -gt $cert.expires) {
                Write-Output "Ignoring. A more recent cert exists for $($cert.commonName)"
            }
            else {
                $non_acme_certs += $cert
            }
        }
        else {
            if ($cert.requestedVia -eq "ACME") {
                Write-Output "Ignoring cert for $($cert.commonName). Issued via ACME"
            }
            else {
                $non_acme_certs += $cert
            }
        }
    }
}
$non_acme_certs | Export-Csv non_acme_certs.csv -NoTypeInformation

# Pass 2: the latest issued certificate per common name, regardless of how it
# was requested, to give a complete inventory alongside the non-ACME list.
$all_issued_certs = @()
foreach ($cert in $Response.reports) {
    if ($certs = $Response.reports | Where-Object { $cert.commonName -eq $_.commonName }) {
        if ($certs.Count -gt 1) {
            $last = $certs | Sort-Object issued | Select-Object -Last 1
            if ($last.expires -gt $cert.expires) {
                Write-Output "Ignoring. A more recent cert exists for $($cert.commonName)"
            }
            else {
                $all_issued_certs += $cert
            }
        }
        else {
            $all_issued_certs += $cert
        }
    }
}
$all_issued_certs | Export-Csv all_issued_certs.csv -NoTypeInformation
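As an added example (not code from the original post), the same "keep only the latest certificate per common name" rule written with Group-Object, extended to show how soon each manually requested certificate expires so migration work can be ordered. The field names follow the report fields used above; the sample records and the 30/90-day thresholds are constructed for illustration.

```powershell
# Constructed sample in the shape of the report API's 'reports' entries (not real data)
$sampleReport = @(
    [pscustomobject]@{ commonName = 'web.example.edu';  requestedVia = 'ACME'; issued = '2025-09-01'; expires = '2026-08-31' }
    [pscustomobject]@{ commonName = 'web.example.edu';  requestedVia = 'Web';  issued = '2024-09-01'; expires = '2025-08-31' }
    [pscustomobject]@{ commonName = 'mail.example.edu'; requestedVia = 'Web';  issued = '2025-03-10'; expires = '2026-03-09' }
    [pscustomobject]@{ commonName = 'old.example.edu';  requestedVia = 'Web';  issued = '2024-12-01'; expires = '2025-11-15' }
)

function Get-RenewalStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Reports,
        [datetime] $AsOf = (Get-Date)
    )
    # One row per common name: the most recently issued certificate wins,
    # which is the same rule the loops above apply one certificate at a time.
    $Reports | Group-Object -Property commonName | ForEach-Object {
        $latest   = $_.Group | Sort-Object { [datetime]$_.issued } | Select-Object -Last 1
        $isAcme   = $latest.requestedVia -eq 'ACME'
        $daysLeft = ([datetime]$latest.expires - $AsOf).Days
        [pscustomobject]@{
            CommonName = $latest.commonName
            Automated  = $isAcme
            Expires    = $latest.expires
            DaysLeft   = $daysLeft
            # Manual certificates closest to expiry are the ones to move to ACME first
            # (thresholds are illustrative, not from the original script)
            Priority   = $(if ($isAcme) { 'none' }
                           elseif ($daysLeft -le 30) { 'urgent' }
                           elseif ($daysLeft -le 90) { 'soon' }
                           else { 'planned' })
        }
    }
}

$status = Get-RenewalStatus -Reports $sampleReport -AsOf ([datetime]'2025-10-20')
$status | Sort-Object Automated, DaysLeft | Format-Table -AutoSize
$status | Where-Object { -not $_.Automated } | Export-Csv non_acme_status.csv -NoTypeInformation
```

With the sample data, web.example.edu is skipped because its latest certificate came via ACME, old.example.edu is flagged urgent (26 days left) and mail.example.edu is planned (140 days left).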