Forum Discussion

cathy_123
Jan 21, 2025

Certificate expiry monitoring

Hello Everyone!

 

I would like to ask how you monitor the certs on your F5s. We would like to monitor certificate expiry on our F5. I am checking our LTM logs, but it seems that the normal certs are not being logged. I only see cert bundles. Can you share how you monitor cert expiry on F5?

  • f51

    Try - Sending an advance email alert for impending SSL certificate expiration


    https://my.f5.com/manage/s/article/K15288 

     

    If you have an F5 BIG-IQ device, it offers centralized management and monitoring of your F5 devices, including SSL certificates. BIG-IQ can send alerts when certificates are about to expire.

    https://techdocs.f5.com/kb/en-us/products/big-iq-centralized-mgmt/manuals/product/bigiq-central-mgmt-device-5-0-0/6.html 

     

    You can write custom scripts (e.g., in Python or Bash) that periodically query the F5 device for certificate information using the iControl REST API. These scripts can then send notifications via email, Slack, or other messaging services when a certificate is nearing its expiry date. Here's a simple example in Python:

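    import requests
    from requests.auth import HTTPBasicAuth

    # Placeholders: replace with your own management address and credentials.
    f5_ip = '<F5-IP>'
    username = 'admin'
    password = 'password'

    # verify=False skips TLS validation of the management certificate;
    # pass the path to its CA bundle instead outside of a lab.
    response = requests.get(
        f'https://{f5_ip}/mgmt/tm/sys/file/ssl-cert',
        auth=HTTPBasicAuth(username, password),
        verify=False,
        timeout=10,
    )
    response.raise_for_status()  # stop on authentication or other HTTP errors
    certs = response.json().get('items', [])

    # Print each certificate object's name and the expiry value returned by the API.
    for cert in certs:
        cert_name = cert['name']
        expiration_date = cert['expirationDate']
        print(f"Certificate {cert_name} expires on {expiration_date}")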

  • For starters, you can keep the F5 bundle updated regularly by configuring the update interval on newer BIG-IP software versions: https://my.f5.com/manage/s/article/K000132397. This is not enabled by default, and I usually update the F5 bundle on any F5 software upgrade.

    You can retrieve a list of expired SSL certificates via API calls. Please take a look at the following: https://my.f5.com/manage/s/article/K000092658#api. If you have a management system running Linux, you could easily use Python to write a script and email out a weekly report, for example, of active SSL certificates and how many days are remaining until expiration.
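
Added example, not part of either reply and not F5's own code: a sketch of the "days remaining" report suggested above, working on the same JSON shape the Python snippet in the first reply reads. It assumes `expirationDate` is a Unix epoch timestamp in seconds; the sample response, certificate names, and the `expiry_report` and `format_report` helpers are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the JSON body the script above reads.
# Assumption: expirationDate is a Unix epoch timestamp in seconds.
SAMPLE_RESPONSE = json.dumps({"items": [
    {"name": "www.example.com.crt", "expirationDate": 1736899200},
    {"name": "api.example.com.crt", "expirationDate": 1739577600},
    {"name": "ca-bundle.crt", "expirationDate": 1893456000},
    {"name": "no-expiry-field.crt"},
]})


def expiry_report(body, now, warn_days=30):
    """Return (name, days_left, status) rows, most urgent first."""
    rows = []
    for cert in json.loads(body).get("items", []):
        name = cert.get("name", "<unnamed>")
        expires = cert.get("expirationDate")
        if not isinstance(expires, (int, float)):
            # Report entries without a usable expiry instead of dropping them.
            rows.append((name, None, "UNKNOWN"))
            continue
        expires_at = datetime.fromtimestamp(expires, tz=timezone.utc)
        days_left = (expires_at - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((name, days_left, status))
    # Known expiries sorted soonest first; unknown entries go last.
    rows.sort(key=lambda r: (r[1] is None, r[1] or 0))
    return rows


def format_report(rows):
    """Render the rows as a plain-text body for an email or chat message."""
    lines = []
    for name, days_left, status in rows:
        remaining = "n/a" if days_left is None else f"{days_left} days"
        lines.append(f"{status:<9} {name:<24} {remaining}")
    return "\n".join(lines)


if __name__ == "__main__":
    now = datetime(2025, 1, 21, tzinfo=timezone.utc)  # fixed date for a repeatable run
    print(format_report(expiry_report(SAMPLE_RESPONSE, now)))
```

In a scheduled job, pass `response.text` from the API call and `datetime.now(timezone.utc)` in place of the sample and the fixed date.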