Forum Discussion

Ohge_15615's avatar
Ohge_15615
Icon for Nimbostratus rankNimbostratus
Jul 11, 2011

ClientSSLProfile cert exiration date?

I am looking for a way to get the expiration dates of Client SSL Profile certificates. Currently I am able to get a list of the certs from polling GetInterface("LocalLB", "ProfileClientSSL")->get_certificate_file method, but the certs shown do not appear in the cert details when I poll GetInterface("Management", "KeyCertificate")->get_certificate_list

 

 

Any suggestions or clarifications on how this could be achieved?

 

 

THANKS!

 

  • John_Gruber_432's avatar
    John_Gruber_432
    Historic F5 Account
    The expiration information is part of the certificate. The iControl functions are there to manage the placement of the certificates on the BIG-IP and building SSL profiles with them.

     

     

    You could use iControl to download the all certificate files and then decode the certificates looking at their expiration dates off box.

     

     

    Alternatively, openssl is on the BIG-IP and can read the certificates. You could do a tmsh report and email it to youself in a cron job on the BIG-IP.

     

     

    http://devcentral.f5.com/wiki/default.aspx/tmsh/CertificateReport.html

     

     

    Lastly, Enterprise Manager does this for you if you are looking for a canned solution.

     

     

    Hope that helped.
  • Thank you for the quick reply John! I am able to pull expiration data directly from the LB's for the .crt files, much like that example report builder you provided in your link, but the .cert files utilized by SSLClientProfiles do not show up in the results. I will start looking in to pulling the certs from the lb and decoding them with openssl, but my company is still really hoping there is an API based solution to accomplish this.