For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

2 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 05, 2009
    Hi,

     

     

    A search on AskF5 for certificate expiration leads to:

     

     

    SOL7574: Monitoring SSL certificate expiration on the BIG-IP system

     

    https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7574.html

     

     

     

    checkcert -h

     

     

    Usage: checkcert

     

     

    In its main form (no arguments), checkcert examines all certificates

     

    /config/ssl/ssl.crt and will log any expired ones to local0.warning

     

     

    Usage: checkcert [-v]|[-[s|o|e]] [-k num] [-d directory] [-f file]

     

    -v Verbose mode (forces -o)

     

    -k Skip bundles with more than certs (default=20)

     

    -f file Check

     

    -d dir Check all files in /ssl.crt

     

     

    Only one of these options may be specified:

     

    -s log to syslog LOCAL0.WARNING (default)

     

    -o log to stdout

     

    -e log to stderr

     

     

     

     

    Aaron
  • dennypayne's avatar
    dennypayne
    Icon for Employee rankEmployee
    Aug 10, 2009
    You can also use custom SNMP traps to do this, since there is a message you can capture from /var/log/ltm warning about cert expiration.

    The procedure is explained in SOL3727:

    https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html Click here

    My entry in the user_alert.conf file looks like this: 

     
 alert EXPIRING_SSL_CERT "Certificate (.*) in file (.*) will expire on (.*)" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.500" }

    The OID is "made up" according to the SOL.

    Denny