Extract info from client ssl profile
When I list client-ssl profiles, I noticed that some profiles have cert right after app-service, while other client profiles have cert-key-chain. Any idea why? I don't see anything.
(tmos)# list ltm profile client-ssl bantam.dcpds.cpms_cs
ltm profile client-ssl bantam.dcpds.cpms_cs {
    app-service none
    cert bantam.dcpds.cpms.osd.mil_10_10_2025
    cert-key-chain {
        bantam.dcpds.cpms.osd_ALL_CA_CERTS_BUNDLE-21AUGUST2024_0 {
            cert bantam.dcpds.cpms.osd.mil_10_10_2025
            chain ALL_CA_CERTS_BUNDLE-21AUGUST2024
            key bantam.dcpds.cpms.osd.mil_10_10_2025
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    key bantam.dcpds.cpms.osd.mil_10_10_2025
    options { dont-insert-empty-fragments no-tlsv1.3 no-tlsv1.1 no-dtlsv1.2 no-sslv3 no-tlsv1 }
}
(tmos)# list ltm profile client-ssl bantamemp.dcpds.cpms_cs
ltm profile client-ssl bantamemp.dcpds.cpms_cs {
    app-service none
    cert-key-chain {
        bantamemp.dcpds.cpms.osd_ALL_CA_CERTS_BUNDLE-07October2024_0 {
            cert bantamemp.dcpds.cpms.osd.mil-2022
            chain ALL_CA_CERTS_BUNDLE-07October2024
            key bantamemp.dcpds.cpms.osd.mil-2022
        }
    }
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    options { dont-insert-empty-fragments no-tlsv1.3 no-tlsv1.1 no-dtlsv1.2 no-sslv3 no-tlsv1 }
}
I had used a similar ps1 script in the past.
With a little modification I see it works for what you want, but verify yourself also.
# Variables
$f5Host = "https://<BIGIP-IP>" # ← Change to your F5 management IP or hostname
$username = "admin"
$password = "password" # ← Change to your F5 admin password

# Disable SSL verification for this PowerShell session (equivalent to curl -k)
Add-Type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Encode credentials for HTTP Basic authentication
$pair = "${username}:${password}"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $encodedCreds" }

# Get list of client-ssl profiles
$response = Invoke-RestMethod -Uri "$f5Host/mgmt/tm/ltm/profile/client-ssl" -Headers $headers -Method Get

# Loop through each profile and get cert-key info
# ($sslProfile rather than $profile, which is a PowerShell automatic variable)
foreach ($sslProfile in $response.items) {
    Write-Output "Profile: $($sslProfile.name)"
    # Set name
    $name = $sslProfile.name
    # Get full details of the profile
    $detail = Invoke-RestMethod -Uri "$f5Host/mgmt/tm/ltm/profile/client-ssl/$name" -Headers $headers -Method Get
    foreach ($ckc in $detail.certKeyChain) {
        Write-Output " Cert: $($ckc.cert)"
        Write-Output " Key: $($ckc.key)"
        Write-Output " Chain: $($ckc.chain)"
    }
    Write-Output ""
}
*Just for the record, the original script was provided by one of my colleagues in the past.
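
Added example (not part of the original posts and not F5 code): a small Python parser for pasted `tmsh list ltm profile client-ssl` output like the listings in the question. It reports, per profile, the top-level cert/key, the cert/key pairs inside cert-key-chain, and whether the top-level pair matches a chain entry; the function names and the trimmed sample are constructed for illustration.

```python
# Constructed sample: the two listings from the question, trimmed to the relevant lines.
SAMPLE = """\
ltm profile client-ssl bantam.dcpds.cpms_cs {
    cert bantam.dcpds.cpms.osd.mil_10_10_2025
    cert-key-chain {
        bantam.dcpds.cpms.osd_ALL_CA_CERTS_BUNDLE-21AUGUST2024_0 {
            cert bantam.dcpds.cpms.osd.mil_10_10_2025
            key bantam.dcpds.cpms.osd.mil_10_10_2025
        }
    }
    key bantam.dcpds.cpms.osd.mil_10_10_2025
}
ltm profile client-ssl bantamemp.dcpds.cpms_cs {
    cert-key-chain {
        bantamemp.dcpds.cpms.osd_ALL_CA_CERTS_BUNDLE-07October2024_0 {
            cert bantamemp.dcpds.cpms.osd.mil-2022
            key bantamemp.dcpds.cpms.osd.mil-2022
        }
    }
    options { dont-insert-empty-fragments no-sslv3 }
}
"""

def parse_block(lines, i=0):
    """Parse tmsh 'key value' and 'name {' ... '}' lines; return (dict, next index)."""
    node = {}
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if line == "}":
            break
        if line.endswith("{"):          # nested block: recurse until its closing brace
            node[line[:-1].strip()], i = parse_block(lines, i)
        elif line:                      # 'key value'; one-line lists stay as raw text
            key, _, value = line.partition(" ")
            node[key] = value
    return node, i

def cert_sources(listing):
    """Per profile: top-level cert/key, cert-key-chain pairs, and whether they agree."""
    report = {}
    for header, body in parse_block(listing.splitlines())[0].items():
        if not header.startswith("ltm profile client-ssl "):
            continue                    # skip prompts and other object types
        top = (body.get("cert"), body.get("key"))
        pairs = [(e.get("cert"), e.get("key")) for e in body.get("cert-key-chain", {}).values()]
        agree = top == (None, None) or top in pairs
        report[header.split()[-1]] = {"top_level": top, "chain": pairs, "agree": agree}
    return report

print(cert_sources(SAMPLE))
```

A profile with `agree` set to `False` has a top-level cert/key that no cert-key-chain entry references, which is worth a manual look.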