Forum Discussion
ssl cert list via CLI
In LTM 11.5.3, how can we capture a list of all SSL certs along with their expiry dates via the CLI?
- Jinshu (Cirrus)
tmsh list sys file ssl-cert all
The above command will display all the SSL certs installed on your system, with all their details.
If you are looking for only the expiration dates, try the command below.
tmsh list sys file ssl-cert expiration-string
Hope this helps.
-Jinshu
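As an added example (not from any poster in this thread), here is a POSIX sh/awk filter that turns the output of `tmsh list sys file ssl-cert expiration-string` into a name / expiry / days-left report and flags certs that are already expired or inside a warning window. The sample tmsh output below is constructed, and its layout (one `sys file ssl-cert <name> { expiration-string "..." }` stanza per cert, names shown with their partition) is an assumption; on a real unit you pipe the live tmsh output in instead.

```shell
#!/bin/sh
# Constructed sample of `tmsh list sys file ssl-cert expiration-string` output
# (layout assumed: one stanza per cert; names are shown with their partition).
SAMPLE_TMSH_OUTPUT='sys file ssl-cert /Common/default.crt {
    expiration-string "Jan 19 20:30:44 2025 GMT"
}
sys file ssl-cert /Common/test2.crt {
    expiration-string "Dec  6 22:05:11 2016 GMT"
}
sys file ssl-cert /Common/webapp.crt {
    expiration-string "Mar  3 09:00:00 2030 GMT"
}'

# cert_expiry_report WARN_DAYS TODAY(YYYY-MM-DD) < tmsh-output
# Prints one line per cert: name  expiry(YYYY-MM-DD)  days_left  OK|WARN|EXPIRED
# Date math is done in awk (no GNU "date -d" dependency) so it also runs on mawk.
cert_expiry_report() {
  awk -v warn="$1" -v today="$2" '
    # Days since 1970-01-01 for a proleptic Gregorian date (Hinnant algorithm).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400)
      yoe = y - era * 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
      for (i = 1; i <= 12; i++) mnum[mn[i]] = i
      split(today, t, "-")
      now = days_from_civil(t[1] + 0, t[2] + 0, t[3] + 0)
    }
    # Stanza header: remember which cert the next expiration-string belongs to.
    $1 == "sys" && $3 == "ssl-cert" { name = $4 }
    # Property line: expiration-string "Mon DD HH:MM:SS YYYY GMT"
    $1 == "expiration-string" {
      gsub(/"/, "")                      # strip quotes; awk re-splits the fields
      mon = mnum[$2]; day = $3 + 0; year = $5 + 0
      left = days_from_civil(year, mon, day) - now
      status = left < 0 ? "EXPIRED" : (left <= warn ? "WARN" : "OK")
      printf "%s %04d-%02d-%02d %d %s\n", name, year, mon, day, left, status
    }'
}

# Stand-alone run against the constructed sample. On a BIG-IP, replace the printf with:
#   tmsh list sys file ssl-cert expiration-string | cert_expiry_report 30 "$(date +%F)"
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | cert_expiry_report 30 2024-12-25
```

The "today" argument is passed in explicitly so the same report can be reproduced later or run against a saved tmsh dump; a non-zero EXPIRED/WARN count is the natural hook for a monitoring check.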
- a_rosier_147081 (Historic F5 Account)
You will need to write a script that extracts the cert names (hint: use grep) and then runs the appropriate openssl command (maybe again in combination with grep) to extract the expiry date. As far as I am aware there will be no easy way to do it in TMSH, but it may be worth checking the contextual help (? or Tab completion) to see if the option is there. Personally I doubt it is.
- Kevin_K_51432 (Historic F5 Account)
One other possibility. I created 29-, 30- and 31-day valid SSL certificates. It seems this command reports SSL certs that have 30 days to expiration:
tmsh run /sys crypto check-cert
CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test2.crt will expire on Dec 6 22:05:11 2016 GMT
CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test3.crt will expire on Dec 8 22:07:47 2016 GMT
- psxg_345884 (Nimbostratus)
Would you be able to use the command:
run /sys crypto check-cert
but add a few greps? Something like | grep 'will expire'? I tried that and it didn't work for me.
Any thoughts?
- atulanand5_2917 (Nimbostratus)
(tmos)list sys file ssl-cert expiration-string
- firstmode (Nimbostratus)
run sys crypto check-cert verbose enabled
list sys crypto cert all
list sys file ssl-cert all-properties
Device Service Clustering (DSC): The BIG-IP system uses SSL certificates to establish a trust relationship between devices. In a device trust, a BIG-IP device can act as a certificate signing authority or a subordinate non-authority.
/config/ssl/ssl.crt/dtdi.crt
Configuration utility: Device Management > Device Trust > Identity
The dtdi.crt is the identity certificate that is used by a device to validate its identity with another device.
/config/ssl/ssl.crt/dtca.crt
Configuration utility: Device Management > Device Trust > Local Domain
The dtca.crt is the CA root certificate for the trust network.
Device certificates: The BIG-IP system uses the device certificates for HTTPS connections to the Configuration utility and device-to-device communication processes.
/config/httpd/conf/ssl.crt/server.crt
Configuration utility, BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Certificate
Configuration utility, BIG-IP versions prior to 13.0.0: System > Device Certificates > Device Certificate
The server.crt is a certificate used for HTTPS connections to the Configuration utility and device-to-device communication processes.
Trusted device certificates: The local BIG-IP device uses trusted device certificates to authenticate certain connections from a remote BIG-IP device. For example, the big3d agent of the local BIG-IP DNS or BIG-IP LTM system uses the trusted device certificate obtained from a remote F5 device to authenticate the remote device's gtmd or iqdump requests.
/config/big3d/client.crt
Configuration utility, BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Trust Certificates
Configuration utility, BIG-IP versions prior to 13.0.0: System > Device Certificates > Trusted Device Certificates
The local BIG-IP device uses the trusted device certificates to authenticate certain connections from a remote BIG-IP device.
Trusted server certificates: The BIG-IP GTM system uses trusted server certificates when the local BIG-IP DNS system authenticates itself to a remote F5 device. For example, the local BIG-IP DNS system uses the trusted server certificate when the BIG-IP DNS system's gtmd process or iqdump program attempts to connect to the big3d process on a remote F5 device.
/config/gtm/server.crt
Configuration utility, BIG-IP 11.5.0 and later: DNS > GSLB > Servers > Trusted Server Certificates
Configuration utility, BIG-IP versions prior to 11.5.0: Global Traffic > Servers
The trusted server certificates are used when the local GTM system authenticates itself to a remote F5 device.
Client SSL profile:
https://devcentral.f5.com/s/question/0D51T00006i7kIi/identify-which-virtual-servers-are-using-a-specific-ssl-certificate
Certificate filestore path: /config/filestore/files_d/<partition>_d/certificate_d/ (for the Common partition: /config/filestore/files_d/Common_d/certificate_d/)