Forum Discussion

jlarger's avatar
Icon for Cirrus rankCirrus
Jun 15, 2023

Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI

Loving the expired certificate in use in the GUI. I'd love it even more if I could run that from the GUI for text output. Is that possible? 

5 Replies

  • jlarger 

    If you are referring to the self-signed SSL cert that is typically used for the F5 GUI then the following files are the ones used for the management GUI.


    Make sure you create a backup of those two files before you go replacing them and run the following command after you swap them out.

    tmsh restart sys service httpd

    The following article runs through it all as well as some other helpful information.

  • This article shows how to display all the application certificates, which includes expiration date

    K15462: Managing SSL certificates for BIG-IP systems using tmsh

    list sys crypto cert
    sys sys crypto cert example_2017.crt {
        cert-validation-options none
        certificate-key-size 2048
        city Seattle
        country US
        expiration Jan 21 20:52:46 2027 GMT
        organization MyCompany
        ou IT
        public-key-type RSA
        state WA

    From there you can get fancey with parsing the output and further highlighting which ones are expired.

    This article talks about how to do it with the api.

    F5 DevCentral:  check status of the ssl certificate on f5 using rest api

    curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
    "certname": "/Common/abc_host_certJuly2022",
    "CertExpiry": "Jul 14 17:11:26 2021 GMT"



    • jlarger's avatar
      Icon for Cirrus rankCirrus

      I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew. 

      I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.


      • Paulius's avatar
        Icon for MVP rankMVP

        jlarger If your intent is to alert someone about expiring or expired SSL certificates the following article might be what you are looking for.

        The only downside to the email sent out is you can't change the email on a per certificate basis so you would send these alerts to one location and then you would have to alert the app owner on your own unless you create some automation around specific URLs that would automatically send an alert out once you receive an email with a specific FQDN in the email.