Forum Discussion

Pradeep_menon_1
Jan 04, 2016

How to identify which SSL certificate client is associated to which VIP? Is there any command for this?

I need to identify all VIPs' certificates, i.e. which SSL client certificate has been installed in each VIP.

 

1 Reply

  • If you're on v11.4 or newer and can use iControlRest and also are on a Windows machine with PowerShell v3 or newer, you could use this script to get a list of them. Paste it into PowerShell and you should be prompted for credentials (admin credentials necessary) and then it should spit out a list of virtuals and the client and server SSL profiles associated with them.

    function Get-F5VipsAndSslProfiles($f5HostIp, $f5Cred, [switch]$IgnoreCertErrors = $false) {
        $f5Host = "https://$f5HostIp/mgmt/tm";
    
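        # Note: this replaces certificate validation for the whole PowerShell session, not just these requests.
        if ($IgnoreCertErrors) {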
            Add-Type @"
                using System.Net;
                using System.Security.Cryptography.X509Certificates;
                public class TrustAllCertsPolicy : ICertificatePolicy {
                    public bool CheckValidationResult(
                        ServicePoint srvPoint, X509Certificate certificate,
                        WebRequest request, int certificateProblem) {
                        return true;
                    }
                }
    "@;
            [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy;
        }
    
        $sslProfilesClient = $(Invoke-RESTMethod -Method GET -Uri "$($f5Host)/ltm/profile/client-ssl?`$select=name,partition,fullPath" -Credential $f5Cred).items | Select-Object -ExpandProperty FullPath;
        $sslProfilesServer = $(Invoke-RESTMethod -Method GET -Uri "$($f5Host)/ltm/profile/server-ssl?`$select=name,partition,fullPath" -Credential $f5Cred).items | Select-Object -ExpandProperty FullPath;
        $virtualServers    = $(Invoke-RESTMethod -Method GET -Uri "$($f5Host)/ltm/virtual?expandSubcollections=true&`$select=name,partition,fullPath,profilesReference" -Credential $f5Cred);
    
        $virtualServers.items | Select-Object Name, FullPath, `
                                        @{Name="ClientSslProfiles"; Expression={($_.profilesReference.items | ?{ $sslProfilesClient -contains $_.fullPath -and $_.context -eq "clientside" }) | Select -ExpandProperty fullPath }}, `
                                        @{Name="ServerSslProfiles"; Expression={($_.profilesReference.items | ?{ $sslProfilesServer -contains $_.fullPath -and $_.context -eq "serverside" }) | Select -ExpandProperty fullPath }};
    }
    
    $cred = $(Get-Credential);
    # Replace x.x.x.x with the IP or hostname of your BIG-IP
    Get-F5VipsAndSslProfiles "x.x.x.x" $cred -IgnoreCertErrors;
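
To get from the profile names to the certificates themselves, the following added example (not part of the original reply) joins each virtual server to the certificate and key named in its client-ssl profile. It assumes the client-ssl profile objects returned by iControl REST carry `cert` and `key` properties; the function name `Get-VipCertMap` and the JSON sample data are constructed for illustration.

```powershell
# Added example, not from the original reply. The JSON samples below are constructed.
function Get-VipCertMap($Virtuals, $ClientSslProfiles) {
    # Index client-ssl profiles by fullPath for direct lookup.
    $byPath = @{}
    foreach ($p in $ClientSslProfiles) { $byPath[$p.fullPath] = $p }

    foreach ($vs in $Virtuals) {
        # Keep only clientside profiles that are client-ssl profiles.
        $attached = @($vs.profilesReference.items | Where-Object {
            $_.context -eq 'clientside' -and $byPath.ContainsKey($_.fullPath)
        })
        if ($attached.Count -eq 0) {
            # VIP with no client-ssl profile: report it with empty certificate fields.
            [pscustomobject]@{ Vip = $vs.fullPath; Profile = $null; Cert = $null; Key = $null }
            continue
        }
        foreach ($a in $attached) {
            $p = $byPath[$a.fullPath]
            [pscustomobject]@{ Vip = $vs.fullPath; Profile = $p.fullPath; Cert = $p.cert; Key = $p.key }
        }
    }
}

# Constructed stand-in for the .items of GET /mgmt/tm/ltm/profile/client-ssl
$profiles = (@'
{"items":[
 {"fullPath":"/Common/clientssl","cert":"/Common/default.crt","key":"/Common/default.key"},
 {"fullPath":"/Common/shop_clientssl","cert":"/Common/shop.example.crt","key":"/Common/shop.example.key"}]}
'@ | ConvertFrom-Json).items

# Constructed stand-in for the .items of GET /mgmt/tm/ltm/virtual?expandSubcollections=true
$virtuals = (@'
{"items":[
 {"fullPath":"/Common/vs_shop_443","profilesReference":{"items":[
   {"fullPath":"/Common/tcp","context":"all"},
   {"fullPath":"/Common/shop_clientssl","context":"clientside"}]}},
 {"fullPath":"/Common/vs_plain_80","profilesReference":{"items":[
   {"fullPath":"/Common/http","context":"all"}]}}]}
'@ | ConvertFrom-Json).items

Get-VipCertMap $virtuals $profiles | Format-Table -AutoSize
```

Against a live BIG-IP, pass in the `.items` from the same two requests the reply makes, with `cert` and `key` added to the client-ssl `$select` list.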