
Forum Discussion

swapnil1
May 24, 2019

How to search non expired certs list and grep a particular common name in the list

I tried the following command, but it does not allow me to grep for a particular common name. Any ideas?

tmsh -c 'cd /; run /sys crypto check-cert verbose enabled'

1 Reply

  • Is it possible to use the iControl REST API? You could send a GET to...

    https://your.f5.com/mgmt/tm/sys/file/ssl-cert?$select=name,subject,expirationString

    ...and search through those results.

    Is Python an option? This would do the trick...

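    import requests
    from datetime import datetime as dt, timezone
    from requests.auth import HTTPBasicAuth
    import urllib3

    # Suppress the InsecureRequestWarning caused by verify=False below
    urllib3.disable_warnings()

    # Certificate REST API endpoint
    bigip = 'https://your.f5.com/mgmt/tm/sys/file/ssl-cert'

    # Selectors to get name, subject, and expiration date
    querystring = {"$select": "name,subject,expirationString"}

    headers = {'Content-Type': "application/json"}

    # verify=False disables TLS certificate validation for this request;
    # set verify to a CA bundle path to validate the BIG-IP's certificate
    response = requests.request('GET',
                                bigip,
                                params=querystring,
                                headers=headers,
                                auth=HTTPBasicAuth('un', 'pw'),
                                verify=False)

    # Stop on an HTTP error (for example, bad credentials)
    response.raise_for_status()

    # expirationString is expressed in GMT, so compare against current UTC time
    currentdt = dt.now(timezone.utc).replace(tzinfo=None)
    for cert in response.json()['items']:
        certname = cert['name']
        certsubj = cert['subject']
        certexpdt = cert['expirationString']

        # Need to convert the expiration date to datetime object
        expdt = dt.strptime(certexpdt, '%b %d %H:%M:%S %Y %Z')

        # Keep certificates that have not expired and whose subject contains the name
        if currentdt <= expdt and 'my_cn' in certsubj:
            print("NAME: %s" % certname)
            print("SUBJECT: %s" % certsubj)
            print("EXPIRATION: %s\n" % certexpdt)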
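
A substring test on the subject also matches when the name appears in another subject field or inside a longer CN. As an added example (not part of the original reply), this filter compares the CN field exactly and evaluates the expiration in UTC. The comma-separated `KEY=value` subject layout, the function names, and the sample items are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like the "items" array returned with
# $select=name,subject,expirationString (values are made up).
SAMPLE_ITEMS = [
    {"name": "www.crt", "subject": "CN=www.example.com,O=Example Corp,C=US",
     "expirationString": "Jan  1 00:00:00 2031 GMT"},
    {"name": "old.crt", "subject": "CN=www.example.com,O=Example Corp,C=US",
     "expirationString": "Jan  1 00:00:00 2019 GMT"},
    {"name": "lookalike.crt", "subject": "CN=www.example.com.test,O=Example Corp,C=US",
     "expirationString": "Jan  1 00:00:00 2031 GMT"},
    {"name": "org.crt", "subject": "CN=api.internal,O=www.example.com,C=US",
     "expirationString": "Jan  1 00:00:00 2031 GMT"},
]


def common_names(subject):
    """Return the lower-cased CN values from a comma-separated subject string."""
    cns = []
    # Split on commas that are not backslash-escaped inside a value.
    for part in re.split(r'(?<!\\),', subject):
        key, sep, value = part.strip().partition('=')
        if sep and key.strip().upper() == 'CN':
            cns.append(value.strip().lower())
    return cns


def parse_expiry(text):
    """Parse an expirationString such as 'May 24 12:00:00 2020 GMT' as UTC."""
    naive = datetime.strptime(text, '%b %d %H:%M:%S %Y %Z')
    return naive.replace(tzinfo=timezone.utc)


def valid_certs_for_cn(items, cn, now=None):
    """Names of certificates whose CN equals cn and that have not expired."""
    now = now or datetime.now(timezone.utc)
    wanted = cn.lower()
    return [c['name'] for c in items
            if wanted in common_names(c['subject'])
            and parse_expiry(c['expirationString']) > now]


if __name__ == '__main__':
    print(valid_certs_for_cn(SAMPLE_ITEMS, 'www.example.com'))
```

Pass `response.json()['items']` from the request above in place of `SAMPLE_ITEMS` to run it against a live device.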