Identify and cleanse expired and soon to expire certs from BIG-IP

Problem this snippet solves: Identify Expired and Soon to Expire Certs (including their use on a virtual, client-ssl profile) If desired, script can delete client-ssl profile, cert/key for expired...
Published Jul 29, 2018
Version 1.0
application delivery
devops
iControlREST
LTM
Naumin_Dave_144's avatar
Naumin_Dave_144
Icon for Nimbostratus rankNimbostratus
Feb 12, 2019

"so what you are proposing is that when the script encounters a profile that is associated with an expired cert AND the virtual server has a server SSL profile, it would remove both the clientssl and serverssl profile and the hope would be that clients who connect would accept whatever cert the back-end server is offering?"

 

Yes, We want this, however it is ok to not remove them/untag them from VS config via script but atleast can get those names when use "--reportonly".

 

"I'm curious; how did your BIG-IP get to a state where there are numerous clientssl profiles that point to expired certs?"

 

I know it sound weird but sadly answer is Yes, we have many VSs who are UP and using expired cert profiles. Seems like those are not used by app teams. Ideally those VSs should be decommissioned but instead of following up with individuals for decommission those VIPs, we want to silently removing SSL offloading from LB side so that there applications will work as it was working before this activity.