SSL Certificate Report
Problem this snippet solves: This script creates a text report detailing all invalid or soon to expire certificates in /config/ssl/ssl.crt/ using openssl to write out the certificate attributes. Co...
Published Mar 10, 2015
Version 1.0CodeCentral_194
jaikumar_f5
Sep 25, 2017 (MVP)
Works like a charm now. Thank you. I had to remove the `total-signing-status not-all-signed` line from the script to make it load; it was throwing errors:
Syntax Error: "total-signing-status" read-only property
But it is odd that the line was added automatically after I saved the script.
:Active:In Sync] tmsh list cli script certificatereport.tcl
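cli script certificatereport.tcl {
proc script::run {} {
    # Write a plain-text report of every certificate in the Common partition
    # filestore that is not yet valid, already expired, or expiring within
    # about one month. Read-only: it only runs openssl and prints to stdout.
    set hostname [exec {/bin/hostname}]
    set reportdate [exec {/bin/date}]
    puts "---------------------------------------------------------------------"
    puts "Certificate report for BIG-IP $hostname "
    puts "Report Date: $reportdate"
    puts "---------------------------------------------------------------------"
    puts "\n\n"

    set certcount 0
    set certproblems 0
    set certwarnings 0
    # Certificates expiring within this many seconds are reported as warnings
    # (2629743 s is roughly one average month, 30.44 days).
    set warnseconds 2629743

    # Iterate through certs in files
    foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ *.crt_*] {
        incr certcount
        # A file openssl cannot parse (or whose output lacks the expected line,
        # so grep exits non-zero) would otherwise make exec raise a Tcl error
        # and abort the whole report; report that file and move on instead.
        if { [catch {
            # Get Certificate Subject. Only the text after the last "=" is
            # kept, so this is the CN only when CN is the last RDN of the subject.
            set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "="] end]
            # openssl prints "notBefore=<date>" / "notAfter=<date>"; keep the date part.
            set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] "="] 1]
            set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] "="] 1]
        } err] } {
            puts "File: $file"
            puts "\tError: could not read certificate: $err"
            puts "---------------------------------------------------------------------"
            incr certproblems
            continue
        }
        # Clean up bad X509 date fields removing multiple spaces before tokenizing them
        regsub -all -- {[[:space:]]+} $start " " start
        regsub -all -- {[[:space:]]+} $stop " " stop
        set startparts [split $start]
        set stopparts [split $stop]
        # Date Math. The openssl date has the form "Mon DD HH:MM:SS YYYY GMT";
        # only the month, day and year tokens are scanned, so the result is
        # accurate to the day and the time/zone fields are ignored.
        set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
        set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]

        if { $activatedseconds > 0 } {
            # Certificate is not yet valid
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: certificate is not valid yet. It will be valid on $start."
            puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { $expiredseconds > 0 } {
            # Certificate has already expired
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: is not valid because it expired on $stop."
            puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { -$expiredseconds < $warnseconds } {
            # All certs that will expire within this month. This branch only
            # warns, so it must not repeat the "already expired" wording.
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tWarning: certificate will expire on $stop."
            puts "\tWill expire in: [expr {$expiredseconds / -86400}] days."
            puts "---------------------------------------------------------------------"
            incr certwarnings
        }
    }

    puts "\n"
    puts "$certcount Certificates Found"
    puts "$certproblems Certificate Errors Found"
    puts "$certwarnings Certificate Warnings Found"
}
total-signing-status not-all-signed
}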