Forum Discussion
Eric_Frankenfie
Nimbostratus
NimbostratusGet Profile_Type_Client_SSL from Virtual Server
I am trying to retrieve the client SSL profile from a list of virtual servers, but I am having difficulties. Any help would be greatly appreciated
Here is what I have so far:
Get list of v...
StephanManthey
Nacreous
NacreousHi eric,
thanks to F.Barth for providing an easy to use solution to convert date into standard format. Here is an updated version displaying only virtuals with certs to expire within defined period of time. You can run the script from CLI along with a parameter to specify number of days for warning period (default of 30).!/bin/bash
Script to map virtual server > client-ssl profile > ssl certificate > expiration date
version: 0.02
author: Stephan Manthey
tested for TMOS v10.2.4 only
not supporting certificate bundles
not including chain / intermediate certificates
(TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
usage:
- copy i.e. to /var/tmp/map_virtual_certs
- run chmod +x /var/tmp/map_virtual_certs
- run command /var/tmp/map_virtual_certs
changes, fixes (v0.02):
- modified date format
- selective output of virtual servers with certs to expire withing warning period
- command line parameter to enter days for warning period (default value: 30)
(i.e. ./map_virtual_certs 60)
enable debugging (set -x)
set -x
set number of days to warn
remainingdays=$1
if [ -z ${remainingdays} ]
then
remainingdays=30
fi
remainingseconds=$((${remainingdays} * 86400))
get current date
currdate=`date +%s`
set warning time period
warningtime=$((${currdate} + ${remainingseconds}))
create sed dictionary to map certificates and expiration date
for cert in /config/ssl/ssl.crt/*.crt
do
echo -n "$cert" | sed -r 's/config/ssl/ssl.crt/g;s/(.*)/s;\1;;\1;/g'
openssl x509 -noout -enddate -in $cert | awk -F '=' '{print $2}' | \
xargs -I{} date -d {} +%Y/%m/%d | sed -r 's/$/;g/g'
done > /var/tmp/ssl-cert-exp-dict
verify cert expiration within warning time period
for cert in /config/ssl/ssl.crt/*.crt
do
expirationtime=`openssl x509 -enddate -in $cert | awk -F '=' '{print $2}' | xargs -I{} date -d {} +%s`
if [ "${expirationtime}" -lt "${warningtime}" ]
then
echo ";$cert;" | sed -r 's/config/ssl/ssl.crt/g;'
fi
done > /var/tmp/ssl-cert-warning-list
create list of client-ssl profiles
tmsh list ltm profile client-ssl | \
awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > /var/tmp/client-ssl-list
create sed dictionary to map client-ssl profiles and used certs
tmsh list ltm profile client-ssl cert | tr -d "\n{" | tr "}" "\n" | \
tr -s '[[:blank:]]' | awk '{print "s/;" $4 ";/;" $4 ";" $6 ";/g"}' > /var/tmp/client-ssl-cert-dict
create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
tmsh list ltm profile client-ssl | \
awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > /var/tmp/client-ssl-dict
apply dictionaries to virtual servers
tmsh list ltm virtual profiles | grep -vE '^[[:blank:]]+(profiles \{|\}|context)' | \
tr -d "\n\{" | tr "}" "\n" | tr -s '[[:blank:]]' | \
sed -r 's/^ltm virtual //g;s/[[:blank:]]$//g;s/$/;/g' | tr '[[:blank:]]' ';' | \
grep -f /var/tmp/client-ssl-list | sed -r -f /var/tmp/client-ssl-dict | \
sed -r -f /var/tmp/client-ssl-cert-dict | grep -f /var/tmp/ssl-cert-warning-list | \
sed -r -f /var/tmp/ssl-cert-exp-dict
remove temp files
rm -f /var/tmp/ssl-cert-exp-dict /var/tmp/client-ssl-list /var/tmp/client-ssl-cert-dict \
/var/tmp/client-ssl-dict /var/tmp/ssl-cert-warning-list 2>/dev/null
Thanks, Stephan
PS: Designed to work on v10 only!
