For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

George_32256's avatar
George_32256
Icon for Nimbostratus rankNimbostratus
Mar 12, 2007

Checking for Certificate Expiration at Configurable Intervals and Sending Emails

Is there are way on BigIP 4.x and 9.x to check for soon-to-be expiring SSL certificates and then send emails at configurable intervals as the expiration date approaches? I've seen mention of SSL::veri...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Mar 13, 2007
Are you wanting to send an alert when a client cert is about to expire or when a VIP's cert is about to expire?

 

 

If it's a server cert, that should be logged to /var/log/ltm as of 9.1.2, per CR59595:

 

 

 

https://tech.f5.com/home/bigip-next/releasenotes/relnotes9_1_2.htmlenhancement

 

 

Certificate monitoring for expired or soon-to-be-expired certificates (CR59595)

 

The system now includes certificate monitoring to detect expired or soon-to-be expired certificates. Certificate status is now logged in /var/log/ltm, using the following format:

 

 

Certificate X in file Y expired on DATE

 

 

Certificate X in file Y will expire on DATE

 

 

This feature provides compatibility with BIG-IP 4.6 in this regard.

 

 

 

 

If you want to send an alert for a client cert, you'd need to extract the expiry date and client's email from the SSL info and then log an entry to /var/log/ltm.

 

 

You could then set up syslog-ng to send an email when such a log event occurs.

 

 

I'm not sure sending an email would be possible in 4.x, but you might try posting in the 4.x iRule forum to get more info.

 

 

Aaron