Extract info from client ssl profile

I agree and I usually use the one-line and just print what field i needed.  What I encountered was the profiles output was different on some of the client ssl profiles.

The two profiles listed below shows the output is not the same.

ltm profile client-ssl bantam.dcpds.cpms_cs { app-service none cert bantam.dcpds.cpms.osd.mil_10_10_2025 cert-key-chain { bantam.dcpds.cpms.osd_ALL_CA_CERTS_BUNDLE-21AUGUST2024_0 { cert bantam.dcpds.cpms.osd.mil_10_10_2025 chain ALL_CA_CERTS_BUNDLE-21AUGUST2024 key bantam.dcpds.cpms.osd.mil_10_10_2025 } } defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain false key bantam.dcpds.cpms.osd.mil_10_10_2025 options { dont-insert-empty-fragments no-tlsv1.3 no-tlsv1.1 no-dtlsv1.2 no-sslv3 no-tlsv1 } }

ltm profile client-ssl bantamemp.dcpds.cpms_cs { app-service none cert-key-chain { bantamemp.dcpds.cpms.osd_DoD_CA_Intermediate_Bundle_27May2025_0 { cert bantamemp.dcpds.cpms.osd.mil-2022 chain DoD_CA_Intermediate_Bundle_27May2025 key bantamemp.dcpds.cpms.osd.mil-2022 } } defaults-from clientssl inherit-ca-certkeychain true inherit-certkeychain false options { dont-insert-empty-fragments no-tlsv1.3 no-tlsv1.1 no-dtlsv1.2 no-sslv3 no-tlsv1 } }

Since I did it half-way, I can also do it completely

[root@awaf:Active:Standalone] config # tmsh list ltm profile client-ssl key cert chain | sed -z 's/{\n\([^}]*\)\n*}/{\1}/g; s/\n/ /g; s/} */}\n/g' | awk '/^ltm profile client-ssl/ {name = $4; cert = chain = key = ""; for (i = 5; i <= NF; i++) {if ($i == "cert") cert = $(i+1); if ($i == "chain") chain = $(i+1); if ($i == "key") key = $(i+1)} printf "%s cert=%s chain=%s key=%s\n", name, cert, chain, key}'
clientssl cert=default.crt chain=none key=default.key
clientssl-insecure-compatible cert=default.crt chain=none key=default.key
clientssl-quic cert=default.crt chain=none key=default.key
clientssl-secure cert=default.crt chain=none key=default.key
crypto-server-default-clientssl cert=default.crt chain=none key=default.key
splitsession-default-clientssl cert=default.crt chain=none key=default.key
wom-default-clientssl cert=default.crt chain=none key=default.key

I had used a similar ps1 script in the past
with liitle modifaction I see it works for what you want but verify yourself also

# Variables
$f5Host = "https://<BIGIP-IP>"         # ← Change to your F5 management IP or hostname
$username = "admin"
$password = "password"			  	   # ← Change to your F5 admin password

# Disable SSL verification (equivalent to curl -k)
add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Encode credentials
$pair = "${username}:${password}"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))
$headers = @{ Authorization = "Basic $encodedCreds" }

# Get list of client-ssl profiles
$response = Invoke-RestMethod -Uri "$f5Host/mgmt/tm/ltm/profile/client-ssl" -Headers $headers -Method Get

# Loop through each profile and get cert-key info
foreach ($profile in $response.items) {
    Write-Output "Profile: $($profile.name)"

    # Set name
	$name = $profile.name

    # Get full details of the profile
    $detail = Invoke-RestMethod -Uri "$f5Host/mgmt/tm/ltm/profile/client-ssl/$name" -Headers $headers -Method Get

    foreach ($ckc in $detail.certKeyChain) {
        Write-Output "  Cert:  $($ckc.cert)"
        Write-Output "  Key:   $($ckc.key)"
        Write-Output "  Chain: $($ckc.chain)"
    }

    Write-Output ""
}

*just for the record the original script have been provided by one of my colleagues in the past