Forum Discussion
Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI
This article shows how to display all the application certificates, which includes expiration date
K15462: Managing SSL certificates for BIG-IP systems using tmsh
https://my.f5.com/manage/s/article/K15462#9
list sys crypto cert
sys sys crypto cert example_2017.crt {
cert-validation-options none
cert-validators
certificate-key-size 2048
city Seattle
common-name example.com
country US
email-address root@example.com
expiration Jan 21 20:52:46 2027 GMT
issuer emailAddress=root@exampleca.com,CN=exampleca.com,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
issuer-certificate
organization MyCompany
ou IT
public-key-type RSA
state WA
subject-alternative-name
}
From there you can get fancey with parsing the output and further highlighting which ones are expired.
This article talks about how to do it with the api.
F5 DevCentral: check status of the ssl certificate on f5 using rest api
curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
{
"certname": "/Common/abc_host_certJuly2022",
"CertExpiry": "Jul 14 17:11:26 2021 GMT"
}
I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew.
I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.
- PauliusJun 16, 2023MVP
jlarger If your intent is to alert someone about expiring or expired SSL certificates the following article might be what you are looking for.
https://my.f5.com/manage/s/article/K15288
The only downside to the email sent out is you can't change the email on a per certificate basis so you would send these alerts to one location and then you would have to alert the app owner on your own unless you create some automation around specific URLs that would automatically send an alert out once you receive an email with a specific FQDN in the email.
- Ben_NovakJun 16, 2023Employee
I agree that is a very important detail. I would then suggest looking into cleaning up th un-used certs, since they probably serve no purpose.
Paulis's response/article did find some other options with the crypto check-cert utility
K14318: Monitoring SSL certificate expiration on the BIG-IP system
https://my.f5.com/manage/s/article/K14318
I would also consider having some sort of syslog server, or SIEM like Splunk to alert whenever the expired cert logs appear.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com