Generate logs on two-way client authentication SSL certs expired or close to expiring?
I've been tasked with coming up with a way to monitor client certificate expiration status without the f5 holding the client cert (which obviously would be the easiest way to check cert expiration status). Basically, the clients are external customers whose private client certs we can't import into the f5 to check their expiration status. We currently use an iRule to verify the client authentication of their cert, but if it expires we aren't notified (nor is the client) until a while after the cert has expired and someone notices the connection failures. I've been doing some preliminary research and it appears that through an iRule we can check the expiration date of the cert and possibly send it to a log or syslog for alerts? Ideally, the f5 notification would be two-fold:
1) Log and send an alert when the client cert is less than 30 days from expiration.
2) Log and send an alert when the client cert has expired.
Here's the current iRule we're using:
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        log "Client Certificate Missing"
        reject
    } else {
        set subject_dn [string tolower [X509::subject [SSL::cert 0]]]
        set expiration_dn [X509::not_valid_after [SSL::cert 0]]
        log "Client Certificate Received: $subject_dn --- $expiration_dn"
        if { [class match $subject_dn contains progressive_cn_list] } {
            # Accept the client cert
            log "Client Certificate Accepted: $subject_dn [SSL::cert count]"
        } else {
            log "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
            reject
        }
    }
}
And I found the following F5 KB on X509 commands, I'm presuming we could use a combination of X509::not_valid_after for expiration, and maybe another conditional check with some sort of X509::not_valid_after < 30 "from_present_date" code to alert when the cert is less than 30 days from expiring. Do you guys have any suggestions?
Thanks!
CH
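As an added example (not from the original post), this is one way the two-threshold check could be folded into the existing iRule: X509::not_valid_after returns a date string, clock scan turns it into epoch seconds, and the difference from clock seconds gives the days remaining. The 30-day threshold, the log message wording and the syslog severities are assumptions; progressive_cn_list is the data group already used on the page.

```tcl
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        log local0.err "Client Certificate Missing"
        reject
        return
    }
    set cert [SSL::cert 0]
    set subject_dn [string tolower [X509::subject $cert]]

    # X509::not_valid_after returns a string such as "Jan 28 12:00:00 2025 GMT";
    # clock scan converts it to epoch seconds so it can be compared with "now".
    set not_after  [X509::not_valid_after $cert]
    set expires_at [clock scan $not_after]
    set days_left  [expr {($expires_at - [clock seconds]) / 86400}]

    # Assumption: warn when fewer than 30 days remain, as asked in the question.
    set warn_days 30

    if { $days_left < 0 } {
        # Already expired. Note: if the client SSL profile itself fails expired
        # certs during the handshake, this branch may never be reached, so the
        # early warning below is what actually gives advance notice.
        log local0.err "Client Certificate EXPIRED: $subject_dn (not valid after $not_after)"
        reject
        return
    } elseif { $days_left < $warn_days } {
        # Early warning: distinct severity and wording so syslog rules can match it
        log local0.warning "Client Certificate EXPIRING in $days_left days: $subject_dn ($not_after)"
    } else {
        log local0.info "Client Certificate Received: $subject_dn --- $not_after"
    }

    # Existing subject check against the data group of permitted CNs
    if { [class match $subject_dn contains progressive_cn_list] } {
        log local0.info "Client Certificate Accepted: $subject_dn"
    } else {
        log local0.err "Client Certificate Mismatch: $subject_dn"
        reject
    }
}
```

Messages logged with the local0 facility land in /var/log/ltm on the BIG-IP, so a remote syslog destination configured on the unit will forward the EXPIRING and EXPIRED lines for alerting.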