Forum Discussion
Generate logs on two-way client authentication SSL certs expired or close to expiring?
I've been tasked with coming up with a way to monitor client certificate expiration status without the f5 holding the client cert (which obviously would be the easiest way to check cert expiration status). Basically, the clients are external customers that we can't import their private client certs into the f5 to check their expiration status. We currently use an irule to verify the client authentication of their cert, but if it expires we aren't notified (nor is the client) until a while after the cert has expired and someone noticed the connection failures. I've been doing some preliminary research and it appears that through an iRule we can check the expiration date of the cert and possibly send it to a log or syslog for alerts? Ideally, the f5 notification would be two-fold:
1) Log and send an alert when the client cert is less then 30 days to expiration. 2) Log and send an alert when the client cert has expired.
Here's the current iRule we're using:
when CLIENTSSL_CLIENTCERT {
Check if client provided a cert if {[SSL::cert 0] eq ""}{ log "Client Certificate Missing" reject } else { set subject_dn [string tolower [X509::subject [SSL::cert 0]]] set expiration_dn [X509::not_valid_after [SSL::cert 0]] log "Client Certificate Received: $subject_dn --- $expiration_dn" if { ([class match $subject_dn contains progressive_cn_list]) } { Accept the client cert log "Client Certificate Accepted: $subject_dn [SSL::cert count]" } else { log "Client Certificate Mismatch: $subject_dn [SSL::cert count]" reject } } }
And I found the following F5 KB on X509 commands, I'm presuming we could use a combination of X509::not_valid_after for expiration, and maybe another conditional check with some sort of X509::not_valid_after < 30 "from_present_date" code to alert when the cert is less then 30 days. Do you guys have any suggestions?
Thanks!
CH
- Kevin_StewartEmployee
Try this:
when CLIENTSSL_CLIENTCERT { Check if client provided a cert if { [SSL::cert 0] eq "" }{ log local0. "Client Certificate Missing" reject } else { set subject_dn [string tolower [X509::subject [SSL::cert 0]]] set expiration_dn [X509::not_valid_after [SSL::cert 0]] expiration checking code set expiration [clock scan $expiration_dn] if { [expr [clock scan "+30 days" -base [clock seconds]] >= $expiration] } { set difference [expr ($expiration - [clock seconds]) / 60 / 60 / 24] log local0. "Cert expiring ($difference days): $subject_dn" } log local0. "Client Certificate Received: $subject_dn --- $expiration_dn" if { ( [class match $subject_dn contains progressive_cn_list] ) } { Accept the client cert log local0. "Client Certificate Accepted: $subject_dn [SSL::cert count]" } else { log local0. "Client Certificate Mismatch: $subject_dn [SSL::cert count]" reject } } }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com