Forum Discussion
Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI
This article shows how to display all the application certificates, including the expiration date of each:
K15462: Managing SSL certificates for BIG-IP systems using tmsh
https://my.f5.com/manage/s/article/K15462#9
list sys crypto cert
sys crypto cert example_2017.crt {
    cert-validation-options none
    cert-validators
    certificate-key-size 2048
    city Seattle
    common-name example.com
    country US
    email-address root@example.com
    expiration Jan 21 20:52:46 2027 GMT
    issuer emailAddress=root@exampleca.com,CN=exampleca.com,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    issuer-certificate
    organization MyCompany
    ou IT
    public-key-type RSA
    state WA
    subject-alternative-name
}
From there you can get fancy with parsing the output and further highlighting which ones are expired.
This article talks about how to do it with the API.
F5 DevCentral: check status of the ssl certificate on f5 using rest api
curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
{
"certname": "/Common/abc_host_certJuly2022",
"CertExpiry": "Jul 14 17:11:26 2021 GMT"
}
- jlarger, Jun 16, 2023, Cirrus
I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew.
I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.
- Paulius, Jun 16, 2023, MVP
jlarger If your intent is to alert someone about expiring or expired SSL certificates the following article might be what you are looking for.
https://my.f5.com/manage/s/article/K15288
The only downside to the email sent out is that you can't change the email on a per-certificate basis, so you would send these alerts to one location and then have to alert the app owner on your own, unless you create some automation around specific URLs that would automatically send an alert out once you receive an email with a specific FQDN in it.
- Ben_Novak, Jun 16, 2023, Employee
I agree that is a very important detail. I would then suggest looking into cleaning up the unused certs, since they probably serve no purpose.
Paulius's response/article did find some other options with the crypto check-cert utility:
K14318: Monitoring SSL certificate expiration on the BIG-IP system
https://my.f5.com/manage/s/article/K14318
I would also consider having some sort of syslog server, or SIEM like Splunk to alert whenever the expired cert logs appear.
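A worked example, added by the editor and not code from any poster in this thread: a POSIX sh script that takes the tmsh `list sys crypto cert` output shown in the first reply, extracts each certificate's expiration, cross-references it with the `cert`/`chain` lines of `list ltm profile client-ssl` and `list ltm profile server-ssl`, and prints only the expired certificates that a profile still references, which is the "in use" set jlarger asked about. It uses only awk, grep and sort so it can run from cron on the unit and write a text file. The two listings embedded below are constructed samples, and the cron line and file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list expired certificates that are still
# referenced by an SSL profile, using only tmsh list output and awk/grep/sort.
#
# On a real BIG-IP, feed it live output instead of the samples, e.g.
#   expired_in_use "$(date -u +%Y%m%d%H%M%S)" \
#       "$(tmsh -q list sys crypto cert)" \
#       "$(tmsh -q list ltm profile client-ssl; tmsh -q list ltm profile server-ssl)"
# and schedule it (hypothetical paths) with a crontab entry such as
#   0 6 * * * /shared/scripts/expired_in_use.sh > /shared/tmp/expired_in_use.txt

# Constructed sample of `tmsh list sys crypto cert` (three certs, two expired).
SAMPLE_CERTS=$(cat <<'EOF'
sys crypto cert app1.crt {
    certificate-key-size 2048
    common-name app1.example.com
    expiration Jul 14 17:11:26 2021 GMT
    public-key-type RSA
}
sys crypto cert app2.crt {
    certificate-key-size 2048
    common-name app2.example.com
    expiration Jan 21 20:52:46 2027 GMT
    public-key-type RSA
}
sys crypto cert old_unused.crt {
    certificate-key-size 2048
    common-name old.example.com
    expiration Mar 3 08:00:00 2020 GMT
    public-key-type RSA
}
EOF
)

# Constructed sample of `tmsh list ltm profile client-ssl` (old_unused.crt is not referenced).
SAMPLE_PROFILES=$(cat <<'EOF'
ltm profile client-ssl app1_clientssl {
    cert app1.crt
    cert-key-chain {
        default {
            cert app1.crt
            chain none
            key app1.key
        }
    }
    chain none
    key app1.key
}
ltm profile client-ssl app2_clientssl {
    cert /Common/app2.crt
    chain none
    key /Common/app2.key
}
EOF
)

# Read a `list sys crypto cert` listing on stdin; print "name YYYYMMDDHHMMSS" per cert.
# The expiration line has the form: expiration Mon DD HH:MM:SS YYYY GMT
cert_expiry_stamps() {
    awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        $1 == "sys" && $2 == "crypto" && $3 == "cert" { name = $4; sub("^/Common/", "", name) }
        $1 == "expiration" && name != "" {
            t = $4; gsub(":", "", t)
            printf "%s %04d%02d%02d%s\n", name, $5, mon[$2], $3, t
        }'
}

# Read SSL profile listings on stdin; print the unique cert/chain object names they reference.
certs_in_use() {
    awk '($1 == "cert" || $1 == "chain") && $2 != "none" {
            n = $2; sub("^/Common/", "", n); print n }' | sort -u
}

# expired_in_use NOW CERT_LISTING PROFILE_LISTING
# NOW is a YYYYMMDDHHMMSS stamp (UTC); prints "name stamp" for every cert whose
# expiration is before NOW and which some profile still references.
expired_in_use() {
    now="$1"
    inuse=$(printf '%s\n' "$3" | certs_in_use)
    printf '%s\n' "$2" | cert_expiry_stamps |
    while read -r name stamp; do
        [ "$stamp" -lt "$now" ] || continue        # fixed-width stamps compare numerically
        if printf '%s\n' "$inuse" | grep -qxF "$name"; then
            echo "$name $stamp"
        fi
    done
}

# Run against the constructed samples; prints app1.crt only (old_unused.crt is expired but unused).
expired_in_use "$(date -u +%Y%m%d%H%M%S)" "$SAMPLE_CERTS" "$SAMPLE_PROFILES"
```

The `cert` and `chain` lines are matched both at profile level and inside `cert-key-chain`, and a leading `/Common/` is stripped on both sides so the REST-style full path and the bare tmsh name compare equal. Swap the `-lt` test for a cutoff a few weeks in the future to get a "expiring soon" list for the same app owners.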