Forum Discussion
George_32256
Nimbostratus
Mar 12, 2007
Checking for Certificate Expiration at Configurable Intervals and Sending Emails
Is there a way on BigIP 4.x and 9.x to check for soon-to-be expiring SSL certificates and then send emails at configurable intervals as the expiration date approaches? I've seen mention of SSL::verify_result but don't know much about it.
George
1 Reply
- hoolio
Cirrostratus
Are you wanting to send an alert when a client cert is about to expire or when a VIP's cert is about to expire?
If it's a server cert, that should be logged to /var/log/ltm as of 9.1.2, per CR59595:
https://tech.f5.com/home/bigip-next/releasenotes/relnotes9_1_2.htmlenhancement
Certificate monitoring for expired or soon-to-be-expired certificates (CR59595)
The system now includes certificate monitoring to detect expired or soon-to-be expired certificates. Certificate status is now logged in /var/log/ltm, using the following format:
Certificate X in file Y expired on DATE
Certificate X in file Y will expire on DATE
This feature provides compatibility with BIG-IP 4.6 in this regard.
If you want to send an alert for a client cert, you'd need to extract the expiry date and client's email from the SSL info and then log an entry to /var/log/ltm.
You could then set up syslog-ng to send an email when such a log event occurs.
I'm not sure sending an email would be possible in 4.x, but you might try posting in the 4.x iRule forum to get more info.
Aaron
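An added example, not part of the original posts: a log filter that reads the certificate messages quoted in the reply and reports the ones that fall inside configurable reminder windows, so the result can be handed to whatever sends the mail. The DATE layout, the syslog prefix and the file paths in the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Message shape is from the release note quoted above. The DATE layout
# (OpenSSL-style "Mar 20 12:00:00 2007 GMT") is an assumption.
CERT_RE = re.compile(
    r"Certificate (?P<name>.+?) in file (?P<file>\S+) "
    r"(?:expired|will expire) on (?P<date>.+)$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"
THRESHOLDS = (30, 14, 7, 1)  # reminder points, in days before expiry

# Constructed sample lines; the syslog prefix and paths are made up.
SAMPLE = [
    "Mar 12 04:02:01 host1 daemon: Certificate www.example.com in file /certs/www.crt will expire on Mar 20 12:00:00 2007 GMT",
    "Mar 12 04:02:01 host1 daemon: Certificate old.example.com in file /certs/old.crt expired on Jan 01 00:00:00 2007 GMT",
    "Mar 12 04:02:01 host1 daemon: Certificate far.example.com in file /certs/far.crt will expire on Dec 31 23:59:59 2008 GMT",
    "Mar 12 04:02:02 host1 daemon: unrelated message",
]

def parse_line(line):
    """Return (name, file, expiry) for a certificate message, else None."""
    m = CERT_RE.search(line.strip())
    if not m:
        return None
    try:
        expiry = datetime.strptime(m["date"].strip(), DATE_FMT)
    except ValueError:
        return None  # unknown date layout: skip rather than guess
    return m["name"], m["file"], expiry.replace(tzinfo=timezone.utc)

def due_alerts(lines, now, thresholds=THRESHOLDS):
    """Return (severity, name, file, days_left) tuples, most urgent first."""
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, path, expiry = parsed
        days_left = (expiry - now).days  # negative once the cert has expired
        hit = [t for t in thresholds if days_left <= t]
        if days_left < 0:
            severity = "EXPIRED"
        elif hit:
            severity = f"<= {min(hit)} days"
        else:
            continue  # outside every reminder window
        alerts[(name, path)] = (severity, name, path, days_left)  # dedupe repeats
    return sorted(alerts.values(), key=lambda a: a[3])

if __name__ == "__main__":
    for alert in due_alerts(SAMPLE, datetime(2007, 3, 12, tzinfo=timezone.utc)):
        print(*alert)
```

Because the severity is computed from the logged date rather than from the wording of the message, a certificate that was logged as "will expire" last week and has since lapsed is still reported as expired.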