Mass print of SSL certs and their Virtual Servers/Profiles
I have a fairly onerous task ahead of me and would like some advice please.
I have 11 BigIPs to administer and all of them have a "bazillion" SSL certificates. All of those certificates will be attached to something.
Having read this post about Which Virtual Contents are associated with which SSL cert, I got to thinking about how I would automate this.
So, my question is: is there a command that will give me each one of the certs with their profiles (and then their servers) that I can put into a text file and start going through one by one to see if it's still in use or not?
The enquiring mind of a desperate F5-er would like to know, or his New Year will be locked in a darkened room running single-line commands...
- nitass_89166
Noctilucent
e.g.
// config
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys file ssl-cert certone.crt
sys file ssl-cert certone.crt {
    certificate-key-size 2048
    checksum SHA1:1021:6b81a94a572bafe3b3bc25384a4cfe747b5504c0
    create-time 2017-12-23:07:21:10
    created-by admin
    expiration-date 1545520870
    expiration-string "Dec 22 23:21:10 2018 GMT"
    issuer CN=certone.local,C=US
    key-type rsa-public
    last-update-time 2017-12-23:07:21:10
    mode 33188
    revision 1
    serial-number 251652070
    size 1021
    source-path /config/ssl/ssl.crt/certone.crt
    subject CN=certone.local,C=US
    updated-by admin
    version 3
}
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl client-ssl-one
ltm profile client-ssl client-ssl-one {
    app-service none
    cert certone.crt
    cert-key-chain {
        certone {
            cert certone.crt
            key certone.key
        }
    }
    chain none
    inherit-certkeychain false
    key certone.key
    passphrase none
}
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual test-one
ltm virtual test-one {
    destination 1.2.3.4:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        client-ssl-one {
            context clientside
        }
        tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vs-index 4
}

// one-liner script
[root@bip1a:Active:In Sync] config
for i in `tmsh list sys file ssl-cert one-line |awk '{print $4}'`; do
  echo "===== cert: $i ====";
  for j in `tmsh list ltm profile client-ssl one-line |grep $i |awk '{print $4}'`; do
    echo "----- profile: $j -----";
    for k in `tmsh list ltm virtual one-line |grep $j |awk '{print $3}'`; do
      echo "virtual: $k";
    done;
  done;
  echo "";
done

===== cert: ca-bundle.crt ====

===== cert: certone.crt ====
----- profile: client-ssl-one -----
virtual: test-one

===== cert: default.crt ====
----- profile: clientssl -----
----- profile: clientssl-insecure-compatible -----
----- profile: clientssl-secure -----
----- profile: crypto-server-default-clientssl -----
----- profile: wom-default-clientssl -----

===== cert: f5-irule.crt ====
- Duncan_Proffitt
Altostratus
You amazing human being!! I want your babies!!
In other words:
Thank you very much, the one-liner is perfect!!
D.
- Duncan_Proffitt
Altostratus
Just to extend this, how would I get the details off a non-common partition?
- nitass
Employee
how would I get the details off a non-common partition?
Do you happen to have a virtual server which uses a clientssl profile from another partition, or a clientssl profile that uses a certificate from another partition? If yes, it will not be recognized by the one-liner script (below). That is because of how the script is built (we filter virtual servers by clientssl profile, and clientssl profiles by certificate, within a specific partition).
There are 4 folders, including root.
root@(bip1a)(cfg-sync In Sync)(Active)(/)(tmos) list sys folder |grep sys
sys folder / {
sys folder Common {
sys folder asgard {
sys folder jotunheim {
Each folder except root has its own certificate, clientssl profile and virtual server.
// common
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys file ssl-cert cert-one.crt
sys file ssl-cert cert-one.crt {
    certificate-key-size 2048
    checksum SHA1:1013:76f6b8023a53f91defdb335f1df514337070c631
    create-time 2017-12-28:21:18:37
    created-by admin
    expiration-date 1546003117
    expiration-string "Dec 28 13:18:37 2018 GMT"
    issuer CN=one.local,C=US
    key-type rsa-public
    last-update-time 2017-12-28:21:18:37
    mode 33188
    revision 1
    serial-number 252134317
    size 1013
    source-path /config/ssl/ssl.crt/cert-one.crt
    subject CN=one.local,C=US
    updated-by admin
    version 3
}
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl clientssl-one cert key
ltm profile client-ssl clientssl-one {
    cert cert-one.crt
    key cert-one.key
}
root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual vs-one profiles
ltm virtual vs-one {
    profiles {
        clientssl-one {
            context clientside
        }
        tcp {
            context all
        }
    }
}

// asgard
root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list sys file ssl-cert cert-heimdall.crt
sys file ssl-cert cert-heimdall.crt {
    certificate-key-size 2048
    checksum SHA1:1025:e787e6f665058d1d43d4d7d780ec69014bbfbcc5
    create-time 2017-12-28:21:15:19
    created-by admin
    expiration-date 1546002919
    expiration-string "Dec 28 13:15:19 2018 GMT"
    issuer CN=heimdall.local,C=US
    key-type rsa-public
    last-update-time 2017-12-28:21:15:19
    mode 33188
    partition asgard
    revision 1
    serial-number 252134119
    size 1025
    source-path /config/ssl/ssl.crt/cert-heimdall.crt
    subject CN=heimdall.local,C=US
    updated-by admin
    version 3
}
root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list ltm profile client-ssl clientssl-heimdall cert key
ltm profile client-ssl clientssl-heimdall {
    cert cert-heimdall.crt
    key cert-heimdall.key
}
root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list ltm virtual vs-heimdall profiles
ltm virtual vs-heimdall {
    profiles {
        /Common/tcp {
            context all
        }
        clientssl-heimdall {
            context clientside
        }
    }
}

// jotunheim
root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list sys file ssl-cert loki-cert.crt
sys file ssl-cert loki-cert.crt {
    certificate-key-size 2048
    checksum SHA1:1013:bbf5b8a4020b415690e6f87a1c6d8222d6aa4a7d
    create-time 2017-12-28:21:16:09
    created-by admin
    expiration-date 1546002969
    expiration-string "Dec 28 13:16:09 2018 GMT"
    issuer CN=loki.local,C=US
    key-type rsa-public
    last-update-time 2017-12-28:21:16:09
    mode 33188
    partition jotunheim
    revision 1
    serial-number 252134169
    size 1013
    source-path /config/ssl/ssl.crt/loki-cert.crt
    subject CN=loki.local,C=US
    updated-by admin
    version 3
}
root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm profile client-ssl clientssl-loki cert key
ltm profile client-ssl clientssl-loki {
    cert loki-cert.crt
    key loki-cert.key
}
root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm virtual vs-loki profiles
ltm virtual vs-loki {
    profiles {
        /Common/tcp {
            context all
        }
        clientssl-loki {
            context clientside
        }
    }
}
But the jotunheim folder has a special virtual server/clientssl profile which refers to a certificate in the Common folder. This virtual server/clientssl profile will not be flagged by the one-liner script below.
root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm virtual vs-special profiles
ltm virtual vs-special {
    profiles {
        /Common/tcp {
            context all
        }
        clientssl-special {
            context clientside
        }
    }
}
root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm profile client-ssl clientssl-special cert key
ltm profile client-ssl clientssl-special {
    cert /Common/cert-one.crt
    key /Common/cert-one.key
}
The one-liner script:
[root@bip1a:Active:In Sync] config
for p in `tmsh -c "cd /; list sys folder one-line" |awk '{if($3~/^\//) {print $3; next} {print "/" $3}}'`; do
  echo "===== partition: $p =====";
  for i in `tmsh -c "cd $p; list sys file ssl-cert one-line" |awk '{print $4}'`; do
    echo "----- cert: $i -----";
    for j in `tmsh -c "cd $p; list ltm profile client-ssl one-line" |grep $i\ |awk '{print $4}'`; do
      echo "***** profile: $j *****";
      for k in `tmsh -c "cd $p; list ltm virtual one-line" |grep $j\ |awk '{print $3}'`; do
        echo "..... virtual: $k .....";
        echo "";
      done;
    done;
  done;
  echo "";
done

===== partition: / =====

===== partition: /Common =====
----- cert: ca-bundle.crt -----
----- cert: cert-one.crt -----
***** profile: clientssl-one *****
..... virtual: vs-one .....

----- cert: default.crt -----
***** profile: clientssl *****
***** profile: clientssl-insecure-compatible *****
***** profile: clientssl-secure *****
***** profile: crypto-server-default-clientssl *****
***** profile: wom-default-clientssl *****
----- cert: f5-irule.crt -----

===== partition: /asgard =====
----- cert: cert-heimdall.crt -----
***** profile: clientssl-heimdall *****
..... virtual: vs-heimdall .....

===== partition: /jotunheim =====
----- cert: loki-cert.crt -----
***** profile: clientssl-loki *****
..... virtual: vs-loki .....
- nitass_89166
Noctilucent
how would I get the details off a non-common partition?
I have another idea which uses iControl REST and jq. Since iControl REST is not limited to a single partition, all virtual servers and clientssl profiles should be recognized even if they use a configuration object from another partition.
[root@bip1a:Active:In Sync] config
for i in `curl -sk -u admin:admin https://localhost/mgmt/tm/sys/file/ssl-cert |jq '.items[]|{fullPath}' |awk '/fullPath/ {print $2}'`; do
  echo "===== cert: $i =====";
  for j in `curl -sk -u admin:admin https://localhost/mgmt/tm/ltm/profile/client-ssl |jq ".items[]|select(.cert==$i)|{fullPath}" |awk '/fullPath/ {print $2}'`; do
    echo "----- profile: $j -----";
    for k in `curl -sk -u admin:admin "https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true" |jq ".items[]|select(.profilesReference.items[].fullPath==$j)|{fullPath}" |awk '/fullPath/ {print $2}'`; do
      echo "virtual: $k";
      echo "";
    done;
  done;
  echo "";
done

===== cert: "/Common/ca-bundle.crt" =====

===== cert: "/Common/cert-one.crt" =====
----- profile: "/Common/clientssl-one" -----
virtual: "/Common/vs-one"

----- profile: "/jotunheim/clientssl-special" -----
virtual: "/jotunheim/vs-special"

===== cert: "/Common/default.crt" =====
----- profile: "/Common/clientssl" -----
----- profile: "/Common/clientssl-insecure-compatible" -----
----- profile: "/Common/clientssl-secure" -----
----- profile: "/Common/crypto-server-default-clientssl" -----
----- profile: "/Common/wom-default-clientssl" -----

===== cert: "/Common/f5-irule.crt" =====

===== cert: "/asgard/cert-heimdall.crt" =====
----- profile: "/asgard/clientssl-heimdall" -----
virtual: "/asgard/vs-heimdall"

===== cert: "/jotunheim/loki-cert.crt" =====
----- profile: "/jotunheim/clientssl-loki" -----
virtual: "/jotunheim/vs-loki"
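Added example, not code from the thread or from F5: the same cert -> client-ssl profile -> virtual server mapping as the one-liners above, built in Python from the JSON the three REST endpoints return, so it handles the cross-partition case from the earlier post, matches on exact full paths rather than a substring grep, and also lists certificates no client-ssl profile references at all (the original question). The sample data is constructed; `cert`, `fullPath` and `profilesReference` are the field names the thread uses, while `certKeyChain` is an assumed name for the profile's cert/key chain list.

```python
from collections import defaultdict

# Constructed sample data shaped like the three iControl REST collections used in the
# thread (not captured from a device); certKeyChain is an assumed field name.
CERTS = {"items": [{"fullPath": p} for p in (
    "/Common/ca-bundle.crt", "/Common/cert-one.crt", "/Common/default.crt",
    "/jotunheim/loki-cert.crt")]}
PROFILES = {"items": [
    {"fullPath": "/Common/clientssl-one", "cert": "/Common/cert-one.crt",
     "certKeyChain": [{"cert": "/Common/cert-one.crt"}]},
    # profile in /jotunheim using a /Common certificate: the case the per-partition tmsh loop misses
    {"fullPath": "/jotunheim/clientssl-special", "cert": "/Common/cert-one.crt",
     "certKeyChain": [{"cert": "/Common/cert-one.crt"}]},
    # second certificate visible only in certKeyChain, so a test on .cert alone would miss it
    {"fullPath": "/jotunheim/clientssl-loki", "cert": "/jotunheim/loki-cert.crt",
     "certKeyChain": [{"cert": "/jotunheim/loki-cert.crt"}, {"cert": "/Common/default.crt"}]},
]}
VIRTUALS = {"items": [
    {"fullPath": vs, "profilesReference": {"items": [{"fullPath": p} for p in profs]}}
    for vs, profs in (
        ("/Common/vs-one", ["/Common/tcp", "/Common/clientssl-one"]),
        ("/jotunheim/vs-special", ["/Common/tcp", "/jotunheim/clientssl-special"]),
        ("/jotunheim/vs-loki", ["/Common/tcp", "/jotunheim/clientssl-loki"]))]}

def profile_certs(profile):
    """Every certificate fullPath a client-ssl profile references (.cert plus certKeyChain)."""
    certs = {profile.get("cert")} | {c.get("cert") for c in profile.get("certKeyChain", [])}
    return {c for c in certs if c}

def cert_usage(certs, profiles, virtuals):
    """Return {cert: {profile: [virtuals]}} by exact fullPath, so /Common/a.crt never matches /red/a.crt."""
    vs_by_profile = defaultdict(list)
    for vs in virtuals["items"]:
        for p in vs.get("profilesReference", {}).get("items", []):
            vs_by_profile[p["fullPath"]].append(vs["fullPath"])
    usage = {c["fullPath"]: {} for c in certs["items"]}
    for prof in profiles["items"]:
        for cert in profile_certs(prof):
            usage.setdefault(cert, {})[prof["fullPath"]] = sorted(vs_by_profile[prof["fullPath"]])
    return usage

def unreferenced_certs(usage):
    """Certificates no client-ssl profile uses; server-ssl profiles and other consumers are not checked."""
    return sorted(cert for cert, profs in usage.items() if not profs)

if __name__ == "__main__":
    for cert, profs in sorted(cert_usage(CERTS, PROFILES, VIRTUALS).items()):
        print(cert, *(f"  {p} -> {', '.join(v) or 'no virtual server'}" for p, v in profs.items()), sep="\n")
```

On a real unit the three dicts would come from the same `/mgmt/tm/sys/file/ssl-cert`, `/mgmt/tm/ltm/profile/client-ssl` and `/mgmt/tm/ltm/virtual?expandSubcollections=true` requests the one-liner makes.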
- Duncan_Proffitt
Altostratus
Thank you for all of that. So, in the GUI, I navigate to the SSL Cert List. There I open the partition drop-down, and not only do I have Common, but I have two other partitions.
Let's call them Red and Green.
Both Red and Green use Common partition/path certs as well as certs individual to their own partition.
You have very kindly helped me previously with the Common certs, and once again, you have scored another goal with this one-liner!!
Thank you so much again!
- nitass_89166
Noctilucent
Very welcome. What you are asking makes sense. I was enjoying playing around with it and hope I can use it too!