Forum Discussion

Rishabh_Wangu_3's avatar
Rishabh_Wangu_3
Icon for Nimbostratus rankNimbostratus
Jan 17, 2018

Certificate status on F5

Im using this command tmsh list sys file ssl-cert expiration-string to check the certification status on the BIG-IP 12.1.0

 

Is there a way by which we can reduce the output so that it only shows the certificates expiring in next month or for a defined period of time ?

 

application delivery
LTM
TMSH

3 Replies

  • BigD_300005's avatar
    BigD_300005
    Icon for Cirrostratus rankCirrostratus
    Jan 17, 2018

    You could use the GUI if the CLI outputs to much info.

     

    System > File Management > SSL Certificate List. Then sort by Expiration date.

     

    • Rishabh_Wangu_3's avatar
      Rishabh_Wangu_3
      Icon for Nimbostratus rankNimbostratus
      Jan 18, 2018

      Im actually looking to do it from CLI,

       

      From CLI i want to automate this command for every month and then automate a report which shows the certificates expiring next month.

       

  • Jad_Tabbara__J1's avatar
    Jad_Tabbara__J1
    Icon for Cirrostratus rankCirrostratus
    Jan 18, 2018

    Hello Rishabh,

    You can use the "check-cert" command. It "examines the expiration date of each certificate stored on the BIG-IP system, including CA bundles. By default, the check-cert command checks for SSL certificates that have expired or will expire within 30 days."

    Check this article:

    https://support.f5.com/csp/article/K14318

    So you can run the following command that gives you expired certificates PLUS certificate expiring in 30 days. If you want to limit it to certificate that will expire in 30 days you can use a simple grep. Like that : 

    tmsh run /sys crypto check-cert | grep "expire "

    PLease give me a feedback

    Regards