Forum Discussion

jlarger
Jun 15, 2023

Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI

Loving the expired certificate in use in the GUI. I'd love it even more if I could run that from the GUI for text output. Is that possible? 


  • This article shows how to display all the application certificates, which include the expiration date

    K15462: Managing SSL certificates for BIG-IP systems using tmsh

    https://my.f5.com/manage/s/article/K15462#9

    list sys crypto cert
    
    sys crypto cert example_2017.crt {
        cert-validation-options none
        cert-validators
        certificate-key-size 2048
        city Seattle
        common-name example.com
        country US
        email-address root@example.com
        expiration Jan 21 20:52:46 2027 GMT
        issuer emailAddress=root@exampleca.com,CN=exampleca.com,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
        issuer-certificate
        organization MyCompany
        ou IT
        public-key-type RSA
        state WA
        subject-alternative-name
    }

    From there you can get fancy with parsing the output and further highlighting which ones are expired.


    This article talks about how to do it with the API.

    F5 DevCentral:  check status of the ssl certificate on f5 using rest api

    https://community.f5.com/t5/technical-forum/check-status-of-the-ssl-certificate-on-f5-using-rest-api/m-p/301878

    curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
    {
    "certname": "/Common/abc_host_certJuly2022",
    "CertExpiry": "Jul 14 17:11:26 2021 GMT"
    }

    • jlarger

      I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew. 

      I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.

      • Ben_Novak

        I agree that is a very important detail.  I would then suggest looking into cleaning up the unused certs, since they probably serve no purpose.

        Paulis's response/article did find some other options with the crypto check-cert utility

        K14318: Monitoring SSL certificate expiration on the BIG-IP system

        https://my.f5.com/manage/s/article/K14318
        I would also consider having some sort of syslog server, or SIEM like Splunk to alert whenever the expired cert logs appear.
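A worked example (added here; not code from the thread, from the K articles, or from F5) of the parsing the first reply suggests, combined with the "in use" requirement from jlarger's follow-up: it reads the text that `tmsh list sys crypto cert` and `tmsh list ltm profile client-ssl` print, marks certificates whose `expiration` is in the past, and keeps only those that a client-ssl profile references, which is the set you would chase app owners about. The cert-block layout follows the K15462 output quoted above; the profile layout (`cert` directly in the profile or inside `cert-key-chain { ... }`), the handling of the `/Common/` name prefix, and the `tmsh -q` flag are assumptions, and the sample output embedded in the script is constructed, not captured from a device.

```python
"""Report expired BIG-IP certificates that a client-ssl profile still references.

Added example. Parses `tmsh list sys crypto cert` and
`tmsh list ltm profile client-ssl` text and intersects expired certs with
referenced certs. Cert-block fields follow K15462; profile fields, the
/Common/ prefix handling and `tmsh -q` are assumptions.
"""
import re
import subprocess
from datetime import datetime, timezone

CERT_START = re.compile(r"^sys crypto cert (\S+) \{")
PROFILE_START = re.compile(r"^ltm profile client-ssl (\S+) \{")
EXPIRATION = re.compile(r"^\s+expiration (.+?)\s*$")
# "cert NAME" at any depth; does not match "cert-key-chain {" or "cert-validation-options".
CERT_REF = re.compile(r"^\s+cert (\S+)\s*$")


def normalize(name):
    """Assumed: profiles print /Common/x.crt while `list sys crypto cert` prints x.crt."""
    return name[len("/Common/"):] if name.startswith("/Common/") else name


def parse_expiration(value):
    """tmsh prints e.g. 'Jan 21 20:52:46 2027 GMT'; returned as an aware UTC datetime."""
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_certs(text):
    """{cert_name: expiration} from `list sys crypto cert` output."""
    certs, current = {}, None
    for line in text.splitlines():
        m = CERT_START.match(line)
        if m:
            current = normalize(m.group(1))
            continue
        m = EXPIRATION.match(line)
        if m and current:
            certs[current] = parse_expiration(m.group(1))
        elif line.startswith("}"):  # top-level close ends the block
            current = None
    return certs


def parse_profile_refs(text):
    """{cert_name: [profile, ...]} from `list ltm profile client-ssl` output."""
    refs, current = {}, None
    for line in text.splitlines():
        m = PROFILE_START.match(line)
        if m:
            current = m.group(1)
            continue
        m = CERT_REF.match(line)
        if m and current:
            refs.setdefault(normalize(m.group(1)), []).append(current)
        elif line.startswith("}"):
            current = None
    return refs


def expired_in_use(cert_text, profile_text, now):
    """Certificates past `now` that at least one client-ssl profile references."""
    certs = parse_certs(cert_text)
    refs = parse_profile_refs(profile_text)
    rows = []
    for name, profiles in sorted(refs.items()):
        exp = certs.get(name)
        if exp is not None and exp < now:
            rows.append((name, exp.strftime("%Y-%m-%d"), sorted(profiles)))
    return rows


def report_from_tmsh():
    """Run on the BIG-IP itself (assumes tmsh on PATH; -q assumed to suppress the banner)."""
    certs = subprocess.check_output(["tmsh", "-q", "list", "sys", "crypto", "cert"], text=True)
    profs = subprocess.check_output(["tmsh", "-q", "list", "ltm", "profile", "client-ssl"], text=True)
    return expired_in_use(certs, profs, datetime.now(timezone.utc))


# Constructed sample output, not captured from a real device.
SAMPLE_CERTS = """\
sys crypto cert app1.example.com.crt {
    cert-validation-options none
    common-name app1.example.com
    expiration Jul 14 17:11:26 2021 GMT
}
sys crypto cert example_2017.crt {
    common-name example.com
    expiration Jan 21 20:52:46 2027 GMT
}
sys crypto cert orphan.crt {
    common-name old.example.com
    expiration Mar  3 09:00:00 2020 GMT
}
"""
SAMPLE_PROFILES = """\
ltm profile client-ssl app1_clientssl {
    cert-key-chain {
        default {
            cert /Common/app1.example.com.crt
            key /Common/app1.example.com.key
        }
    }
    defaults-from clientssl
}
ltm profile client-ssl web_clientssl {
    cert /Common/example_2017.crt
    defaults-from clientssl
    key /Common/example_2017.key
}
"""

if __name__ == "__main__":
    for name, exp, profiles in expired_in_use(SAMPLE_CERTS, SAMPLE_PROFILES, datetime.now(timezone.utc)):
        print(f"EXPIRED_CERTIFICATE_IN_USE {name} expired {exp} used by {', '.join(profiles)}")
```

From cron you would call `report_from_tmsh()` instead of the sample data and redirect the output to a dated text file. Only client-ssl profiles are checked here; the GUI's "in use" check may count other consumers (server-ssl profiles, monitors, LDAP/RADIUS configs), so extend `parse_profile_refs` with the extra `list` commands you care about before trusting an empty report.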

  • jlarger 

    If you are referring to the self-signed SSL cert that is typically used for the F5 GUI then the following files are the ones used for the management GUI.

    /config/httpd/conf/ssl.crt/server.crt
    /config/httpd/conf/ssl.key/server.key

    Make sure you create a backup of those two files before you go replacing them and run the following command after you swap them out.

    tmsh restart sys service httpd

    The following article runs through it all as well as some other helpful information.

    https://my.f5.com/manage/s/article/K42531434