thagmann_128177
Dec 13, 2004

SSL Certificate Expiration

Guys,

2 Questions.

1.) What is the best way for me to monitor when my SSL Certs expire on the BIGIP? Is there an iControl Interface and/or SNMP MIB value that I could pull to grab this info?

2.) If I wish to try and see if specific counters like this exist where in the SDK should I start my search so I can start there to save you guys time? Knowing you guys you probably have a well put together index, just not sure where it is.

Thanks,

-Tom

8 Replies

  • Tom,

    I'm not sure about the MIB value (you'll have to dig through the MIB or contact Product Tech support to help out there). In the iControl interfaces, you can get the information in the Management::KeyCertificate interface (9.x) and the ITCMManagement::KeyCertificate interface (4.x). Here are the methods for 9.x:

      
     enum ManagementModeType {  
       MANAGEMENT_MODE_DEFAULT = 0,  
       MANAGEMENT_MODE_WEBSERVER = 1  
     };  
        
     struct CertificateDetail {  
       Certificate cert_info;  
       CertificateType cert_type;  
       KeyType key_type;  
       long bit_length;  
       long version;  
       String serial_number;  
       String expiration_string;  
       String expiration_date;  
       X509Data subject;  
       X509Data issuer;  
     };  
        
     struct CertificateInformation {  
       boolean is_bundled;  
       string file_name;  
       CertificateDetail certificate;
     };  
        
     CertificateInformation[]  
     Management::KeyCertificate::get_certificate_list(  
       in ManagementModeType mode  
     );

    I didn't dig into all the structures but this should get you going. You want to look at either the expiration_string or expiration_date values to get what you want. I believe the numeric version is the number of seconds since the epoch, which you can use to seed the common time functions.

    As for specific counters, we really don't have a master list aside from the Tree Navigation in the SDK. If it is not intuitive where to find things then we would like to hear about it. In the case of Certificate Management, we've included them in the Management interface.

    Let us know if this helps...

    -Joe
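
An added example, not part of the reply above and not F5 SDK code: one way to turn the `get_certificate_list` result into an expiry report. It assumes the SOAP client has already returned each CertificateInformation as a dict, that `expiration_date` is seconds since the epoch (as the reply believes), and that `expiration_string` uses an OpenSSL-style layout; the sample records are constructed.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the CertificateInformation[] result above;
# file names and timestamps are made up for illustration.
SAMPLE_CERTS = [
    {"file_name": "default.crt", "certificate": {"expiration_date": 1104537600}},
    {"file_name": "old.crt", "certificate": {"expiration_date": "1101859200"}},
    {"file_name": "site.crt", "certificate": {
        "expiration_date": "", "expiration_string": "Dec 13 00:00:00 2005 GMT"}},
    {"file_name": "broken.crt", "certificate": {}},
]

def expiry_epoch(detail):
    """Expiry of one CertificateDetail-like dict as epoch seconds (UTC)."""
    try:
        return int(detail.get("expiration_date"))  # int or numeric string
    except (TypeError, ValueError):
        pass
    # Fallback: text form. The OpenSSL-style layout is an assumption.
    text = " ".join(detail["expiration_string"].split())
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())

def check_expiry(certs, now, warn_days=30):
    """Return (file_name, status, days_left) tuples, most urgent first."""
    report = []
    for info in certs:
        try:
            expires = expiry_epoch(info["certificate"])
        except (KeyError, ValueError):
            # Never skip silently: an unreadable date needs a human look.
            report.append((info.get("file_name"), "UNKNOWN", None))
            continue
        days_left = (expires - now) // 86400
        if expires <= now:
            status = "EXPIRED"
        elif days_left < warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append((info.get("file_name"), status, days_left))
    # UNKNOWN entries first, then by days remaining.
    report.sort(key=lambda r: (r[2] is not None, r[2] or 0))
    return report

if __name__ == "__main__":
    now = 1102896000  # 2004-12-13 00:00:00 UTC, fixed so the output is stable
    for name, status, days in check_expiry(SAMPLE_CERTS, now):
        print(f"{status:9} {name:12} days_left={days}")
```

In a scheduled job, pass `int(time.time())` as `now` and alert on any row whose status is not `OK`.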
  • Joe,

    Ok, so this is probably a dumb question as I haven't had much chance to play with iControl, but how do I get to the tree view? Is it a Web Page you get once you decompress the SDK or is it viewable in, say, Visual Studio if you are using .NET?

    Thanks for the answers.

    -tom

  • Just open the index.html or default.htm in the top level of the SDK and it will open the documentation in your browser. It's a two panel typical help format with a tree view in the left pane and contents in the right. Currently we don't have our help system integrated into IDEs.

    I'd highly suggest you download the SDK and open up the documentation. That should help out a bunch in situations like this.

    -Joe
  • Trying to, but I keep having Browser/Plugin issues in getting it to play nice. I will play some more then.

    Thanks for the help.

    -t
  • It's a very basic java applet that we have tested with both Microsoft and Sun's JVM as well as with IE 5.x, 6.x with Win2k, XP, XP-SP2, etc.

    I have noticed that after installing XP-SP2, IE asks me each time whether I want to run the applet or not, and after I acknowledge that I do it works fine.

    What kind of issues are you seeing? We haven't had anyone report issues with the java applet before...

    -Joe
  • Honestly, I haven't done much with SSL certs and the APIs around them.

    I'll have to dig around and try the methods out before I can offer a suggestion. Anyone else out there done this?

    -Joe
  • Don_MacVittie_1

    Hi Stefan,

    Joe may have access to the source, but I've honestly never seen it. We generally operate as you do, which is both a positive and negative stance. It means we're offering solutions based on the same knowledge/environment as you, but also means we can't just pop out to the source and check to see what we're doing.

    Though like I said, Joe may well have access to the UI source.

    Don.