Forum Discussion
Eric_Frankenfie
Feb 25, 2015
Get Profile_Type_Client_SSL from Virtual Server
I am trying to retrieve the client SSL profile from a list of virtual servers, but I am having difficulties. Any help would be greatly appreciated.
Here is what I have so far:
Get list of v...
Feb 26, 2015
Hi eric,
thanks to F.Barth for providing an easy-to-use solution to convert the date into a standard format. Here is an updated version displaying only virtuals with certs due to expire within a defined period of time. You can run the script from the CLI along with a parameter to specify the number of days for the warning period (default of 30).

#!/bin/bash
# Script to map virtual server > client-ssl profile > ssl certificate > expiration date
# version: 0.02
# author: Stephan Manthey
# tested for TMOS v10.2.4 only
# not supporting certificate bundles
# not including chain / intermediate certificates
# (TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
# usage:
# - copy i.e. to /var/tmp/map_virtual_certs
# - run chmod +x /var/tmp/map_virtual_certs
# - run command /var/tmp/map_virtual_certs
# changes, fixes (v0.02):
# - modified date format
# - selective output of virtual servers with certs to expire within warning period
# - command line parameter to enter days for warning period (default value: 30)
#   (i.e. ./map_virtual_certs 60)

# enable debugging by uncommenting the next line
# set -x

# set number of days to warn (first parameter, default 30; must be a whole number)
remainingdays=${1:-30}
case "${remainingdays}" in
    *[!0-9]*) echo "usage: $0 [days]" >&2; exit 1 ;;
esac
remainingseconds=$((remainingdays * 86400))

# get current date
currdate=$(date +%s)

# set warning time period
warningtime=$((currdate + remainingseconds))

# private directory for the temporary dictionaries, removed on exit (also on error);
# the list files are created up front so grep/sed never see a missing file
workdir=$(mktemp -d /var/tmp/map_virtual_certs.XXXXXX) || exit 1
trap 'rm -rf "${workdir}"' EXIT
: > "${workdir}/ssl-cert-exp-dict"
: > "${workdir}/ssl-cert-warning-list"

# per certificate: a sed dictionary entry "cert -> cert;expiration date" and, if the
# cert expires within the warning period, an entry in the warning list.
# -noout is required: without it openssl also prints the PEM body, which breaks the
# date parsing. Fields are ';'-separated, so sed uses '|' as its delimiter because
# the formatted date contains '/'.
for cert in /config/ssl/ssl.crt/*.crt
do
    certname=${cert##*/}
    enddate=$(openssl x509 -noout -enddate -in "${cert}" | awk -F '=' '{print $2}')
    expirationtime=$(date -d "${enddate}" +%s)
    expirationdate=$(date -d "${enddate}" +%Y/%m/%d)
    echo "s|;${certname};|;${certname};${expirationdate};|g" >> "${workdir}/ssl-cert-exp-dict"
    if [ "${expirationtime}" -lt "${warningtime}" ]
    then
        echo ";${certname};" >> "${workdir}/ssl-cert-warning-list"
    fi
done

# create list of client-ssl profiles
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > "${workdir}/client-ssl-list"

# create sed dictionary to map client-ssl profiles and used certs
tmsh list ltm profile client-ssl cert | \
    awk '/^ltm profile client-ssl/ {prof = $4} $1 == "cert" {print "s/;" prof ";/;" prof ";" $2 ";/g"}' \
    > "${workdir}/client-ssl-cert-dict"

# create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > "${workdir}/client-ssl-dict"

# apply dictionaries to virtual servers: flatten each virtual to "name;profile;profile;...;",
# keep those with a client-ssl profile, map profile -> cert, keep expiring certs, append the date.
# grep -F treats the list entries as fixed strings (cert names contain '.').
tmsh list ltm virtual profiles | \
    awk '/^ltm virtual / {if (vs != "") print vs ";" list; vs = $3; list = ""; next}
         /^[ \t]+[^ \t]+ [{]/ && $1 != "profiles" {list = list $1 ";"}
         END {if (vs != "") print vs ";" list}' | \
    grep -F -f "${workdir}/client-ssl-list" | sed -r -f "${workdir}/client-ssl-dict" | \
    sed -r -f "${workdir}/client-ssl-cert-dict" | grep -F -f "${workdir}/ssl-cert-warning-list" | \
    sed -r -f "${workdir}/ssl-cert-exp-dict"

# temp files are removed by the EXIT trap above
Thanks, Stephan
PS: Designed to work on v10 only!
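The script header notes that TMOS v11 keeps certificates in the filestore and exposes their data through tmsh. The following is an added example, not Stephan's script and not code from the page: it performs the same virtual server > client-ssl profile > certificate > expiry mapping purely from tmsh output, in one awk pass, and runs offline against constructed sample output. Assumptions: the samples imitate what `tmsh list ltm virtual profiles`, `tmsh list ltm profile client-ssl cert` and `tmsh list sys file ssl-cert expiration-date` print on v11.x (including the `expiration-date` epoch property), which you should verify against your own box; partition prefixes such as `/Common/` are stripped from profile and certificate names so the join keys agree, which assumes those names are unique across partitions.

```bash
#!/bin/bash
# Added example, not part of the original post: virtual > client-ssl profile > cert > expiry
# from tmsh output alone (TMOS v11+). Samples are constructed; verify the layout and the
# `expiration-date` property against a real box before relying on this.

# constructed sample of `tmsh list ltm virtual profiles` (partition paths as in v11)
SAMPLE_VIRTUALS='ltm virtual /Common/vs_web {
    profiles {
        /Common/clientssl_web {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
}
ltm virtual /Common/vs_plain {
    profiles {
        /Common/http { }
    }
}
ltm virtual /Common/vs_api {
    profiles {
        /Common/clientssl_api {
            context clientside
        }
        /Common/serverssl {
            context serverside
        }
    }
}
ltm virtual /Common/vs_legacy {
    profiles {
        /Common/clientssl_legacy {
            context clientside
        }
    }
}'

# constructed sample of `tmsh list ltm profile client-ssl cert`
SAMPLE_PROFILES='ltm profile client-ssl clientssl {
    cert default.crt
}
ltm profile client-ssl clientssl_web {
    cert /Common/web.crt
}
ltm profile client-ssl clientssl_api {
    cert api.crt
}
ltm profile client-ssl clientssl_legacy {
    cert old.crt
}'

# constructed sample of `tmsh list sys file ssl-cert expiration-date` (epoch seconds)
SAMPLE_CERTS='sys file ssl-cert api.crt {
    expiration-date 1707776000
}
sys file ssl-cert default.crt {
    expiration-date 1900000000
}
sys file ssl-cert old.crt {
    expiration-date 1699568000
}
sys file ssl-cert web.crt {
    expiration-date 1700864000
}'

# the three listings concatenated, as the live command chain would deliver them
sample_input() { printf '%s\n%s\n%s\n' "$SAMPLE_VIRTUALS" "$SAMPLE_PROFILES" "$SAMPLE_CERTS"; }

# expiring_report NOW_EPOCH DAYS   (stdin: the concatenated listings, in any order)
# prints virtual;profile;cert;expiry_epoch;days_left for certs expiring before NOW+DAYS
# (already expired certs show a negative days_left)
expiring_report() {
    awk -v now="$1" -v days="$2" '
        # header lines select the object kind; join keys (profile and cert names) have the
        # partition prefix stripped so /Common/x and x match (assumes names are unique)
        /^ltm virtual /            { kind = "vs";   name = $3;       next }
        /^ltm profile client-ssl / { kind = "prof"; name = base($4); next }
        /^sys file ssl-cert /      { kind = "cert"; name = base($4); next }
        # inside a virtual every indented "name {" except the "profiles {" opener is a profile
        kind == "vs" && /^[ \t]+[^ \t]+ [{]/ && $1 != "profiles" { vsprof[name ";" base($1)] = 1; next }
        kind == "prof" && $1 == "cert"                          { profcert[name] = base($2); next }
        kind == "cert" && $1 == "expiration-date"               { expires[name] = $2 + 0;    next }
        END {
            limit = now + days * 86400
            for (key in vsprof) {
                split(key, f, ";"); vs = f[1]; prof = f[2]
                if (!(prof in profcert)) continue      # http, tcp, server-ssl: no client cert
                crt = profcert[prof]
                if (!(crt in expires)) continue        # cert missing from the ssl-cert listing
                if (expires[crt] >= limit) continue    # outside the warning window
                printf "%s;%s;%s;%d;%d\n", vs, prof, crt, expires[crt], (expires[crt] - now) / 86400
            }
        }
        function base(p) { sub(/.*\//, "", p); return p }
    ' | sort
}

# offline demo on the constructed samples (30-day warning window, fixed "now")
sample_input | expiring_report 1700000000 30
```

On a v11+ BIG-IP the same function would be fed live output, for example `{ tmsh list ltm virtual profiles; tmsh list ltm profile client-ssl cert; tmsh list sys file ssl-cert expiration-date; } | expiring_report "$(date +%s)" 30`. Reading the expiry from tmsh instead of running openssl over /config/ssl/ssl.crt avoids the date-format conversion the original script needs, and handling the three listings in one awk pass sidesteps the sed dictionaries and their delimiter problems.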