How to Alert before SSL Certificate expire?
These are all good options, but if you don't have Enterprise Manager (the BEST option in my opinion) and your CA can't send you an email, I think there's nothing better than a script. Take a look at this one:
```bash
#!/bin/bash

# set acceptable threshold in seconds (172800 seconds = 2 days)
# (the value set here, 25920000 seconds, is 300 days)
threshold=25920000

# get today's date
this_date=`date +%s`

# IFS is set to a newline so each certificate record is handled as one item
(IFS='
'
# loop through the stored certificates
output=`tmsh list / sys crypto one-line |grep "sys crypto cert"`
for f in ${output}
do
    # certificate name is the 4th space-separated field
    cert=`echo "$f" |awk -F" " '{ print $4 }'`
    # expiry date is the text between "expiration" and "organization"
    certdate=`expr match "$f" '.*\(expiration.*organization\)' |sed s/expiration// | sed s/organization//`
    expires=`date -d "$certdate" +%s`

    if [ $this_date -ge $(($expires - $threshold)) ]
    then
        expires_when=$(((expires - $this_date) / 60 / 60 / 24))
        echo "$cert is about to expire in $expires_when days"
        # additional processing for expiring certs goes here
    fi
done)
```
This should work for any v11 system. You'll need to make a few modifications/additions:

- Set a valid threshold value in seconds (172800 seconds = 2 days)
- Add whatever additional functions you need to happen on cert expiring (i.e. mail notice, etc.)
- Create an external monitor, bind this script to the monitor, and then bind the monitor to a "dummy" pool of servers - a pool not defined in any virtual server configuration. Doing this allows the monitor to fire on a schedule (like a cron job), but is also saved in the archive (unlike a cron job).
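
The expiry check from the post above, reworked as an added example (not the poster's code) that also separates already-expired certificates from expiring ones and reports a record whose date cannot be read instead of computing on it. The function names `classify_cert` and `scan_certs` are hypothetical, and the sample records are constructed, modelling only the fields the posted script reads; GNU `date` is assumed.

```shell
#!/bin/bash
# Added example. Sample lines are CONSTRUCTED: they model only the two things
# the script reads (field 4 = cert name, date between "expiration" and
# "organization"). Requires GNU date, as the original script does.

# classify_cert LINE NOW THRESHOLD  (NOW and THRESHOLD in seconds)
# Body runs in a subshell so its variables do not leak into the caller.
classify_cert() (
    line=$1; now=$2; threshold=$3
    name=$(printf '%s\n' "$line" | awk '{ print $4 }')
    when=$(printf '%s\n' "$line" |
        sed -n 's/.* expiration \(.*\) organization .*/\1/p')
    # A date that cannot be read is reported, never treated as "fine".
    if [ -z "$when" ] || ! expires=$(date -u -d "$when" +%s 2>/dev/null); then
        echo "UNPARSEABLE $name"
    elif [ "$expires" -le "$now" ]; then
        echo "EXPIRED $name $(( (now - expires) / 86400 )) days ago"
    elif [ "$now" -ge $(( expires - threshold )) ]; then
        echo "EXPIRING $name $(( (expires - now) / 86400 )) days left"
    else
        echo "OK $name"
    fi
)

# scan_certs NOW THRESHOLD: reads one-line cert records on stdin and prints
# only the ones that need attention.
scan_certs() {
    while IFS= read -r line; do
        case $line in
            "sys crypto cert "*) classify_cert "$line" "$1" "$2" ;;
        esac
    done | grep -v '^OK ' || true
}

SAMPLE='sys crypto cert app1.crt { expiration Mar 10 00:00:00 2025 GMT organization Example Inc }
sys crypto cert old.crt { expiration Feb 01 00:00:00 2025 GMT organization Example Inc }
sys crypto cert long.crt { expiration Jan 01 00:00:00 2027 GMT organization Example Inc }
sys crypto cert bad.crt { expiration Mar 10 00:00:00 2025 GMT }'

# Fixed "now" so the demo is reproducible; on a live box use: date +%s
NOW=$(date -u -d "Mar 01 00:00:00 2025 GMT" +%s)
printf '%s\n' "$SAMPLE" | scan_certs "$NOW" 2592000   # 30-day threshold
```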