Check bundle certificate expiration date
Hi,
Like many of you, I have to create a script to check the expiration date of our certificates (except the ones used for our webservers, for which the CA sends us an alarm). Using OpenSSL I can obtain this information for "normal" certificates, but when I try for bundles I can find a single expiration date, maybe the one for the root certificate. In the GUI, it shows a range for the expiration date (i.e. Apr 11, 2017 - Jan 28, 2028). How can I obtain the same value in the CLI (or at least the lowest value)?
Thanks a lot!
- Michael_Jenkins (Cirrostratus)
While it's not as simple as an openssl command, I did find this site that was of use in trying to do this. It requires creating and executing a Perl script to split the bundle and run openssl on each certificate in there.
I modified the file to output only what was necessary (expiration dates). So basically, I just changed

    print `echo "$thisfile" | openssl x509 -noout -text`;

to

    print `echo "$thisfile" | openssl x509 -noout -subject -dates`;

Works pretty well for me.
- MickeyM_135861 (Nimbostratus)
Thanks a lot Michael for your answer.
I have also found this site, but I thought that there might be a different (easier) solution. As we can see them easily in the GUI, maybe F5 is using a different method?
What we will perhaps try is to implement this in an iControl API. I hope it will work well.
I will update this thread with the result and maybe other details when we implement it.
Regards,
Hi MickeyM,
Here is a solution which also splits the original bundle (stored in /var/tmp/ca-bundle.crt for the example) into multiple files and runs the openssl verification:

    # Keep only the PEM blocks, then write each certificate to its own temp file
    awk '/-+BEGIN CERTIFICATE-+/,/-+END CERTIFICATE-+/ {print}' /var/tmp/ca-bundle.crt | \
    awk '/-+BEGIN CERTIFICATE-+/ {file="cafile_" ++i} {print > ("/var/tmp/" file ".tmp")}'
    # Print subject and expiration date of every certificate
    for cert in /var/tmp/cafile_*.tmp; do openssl x509 -noout -subject -enddate -in "$cert"; done
    # Clean up the temp files
    rm -f /var/tmp/cafile_*.tmp

Temp files were stored as /var/tmp/cafile_.tmp and need to be deleted after test.
Thanks, Stephan
PS: Kudos go to the guys at "theunixschool" for some pretty helpful awk-examples.
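
For a scheduled check, the per-certificate loop above can be turned into a threshold test that reports only the bundle members expiring within a given number of days and keeps each certificate in memory instead of in /var/tmp. This is an added example, not code from the thread; the function name `bundle_expiring` and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). bundle_expiring is a hypothetical helper.
# Usage: bundle_expiring /var/tmp/ca-bundle.crt 30
# Prints subject and notAfter for every certificate in the PEM bundle that
# expires within the given number of days (already expired ones included).
# Returns 0 if none are inside the window, 1 if at least one is, 2 on bad input.

bundle_expiring() {
    bundle=$1
    days=${2:-30}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    secs=$((days * 86400))
    pem=
    flagged=0
    nl='
'
    # Read from a redirect, not a pipe, so the counter survives the loop.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"BEGIN CERTIFICATE"*) pem= ;;   # drop any text between certificates
        esac
        pem="$pem$line$nl"
        case $line in
            *"END CERTIFICATE"*)
                # -checkend exits non-zero when notAfter falls within $secs
                # seconds; a block openssl cannot parse is flagged as well.
                if ! printf '%s' "$pem" |
                    openssl x509 -noout -checkend "$secs" >/dev/null 2>&1; then
                    printf '%s' "$pem" | openssl x509 -noout -subject -enddate
                    flagged=$((flagged + 1))
                fi
                ;;
        esac
    done < "$bundle"
    [ "$flagged" -eq 0 ]
}
```

The exit status can drive an alert directly, for example from cron: a non-zero return means at least one certificate in the bundle needs attention.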