SSL Certificate Report
Hi Mohammed,
This is a CLI script. When you execute the script shared above, it will not save the output under the /var/log/ path; the output goes to the console itself.
:Active:In Sync] ~ tmsh run cli script certificatereport.tcl
---------------------------------------------------------------------
Certificate report for BIG-IP hostname.company.com
Report Date: Tue Nov 6 15:16:32 GMT 2018
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:application_name.crt
CN: abc.com certificate
Error: is not valid because it expired on Oct 3 13:30:09 2018 GMT.
Expired: 10 days ago.
---------------------------------------------------------------------
If you require the output to be saved under the /var/ path, the script requires modification. I will explain the existing script step by step; it will look something like below.
Please follow the steps below to create the script:
The first step is to create the CLI script. Inside tmsh, run the create cli script command:
(Active)(/Common)(tmos) create cli script certificatereport.tcl
Once you hit Enter, you'll see something like below. These are the four default procedures:
create script certificatereport.tcl {
proc script::init {} {
}
proc script::run {} {
}
proc script::help {} {
}
proc script::tabc {} {
}
}
Since we have the script already, just delete all the lines. Once you delete them, it will be something like below:
create script certificatereport.tcl {
}
Now paste the code, so the final script will look something like below:
create script certificatereport.tcl {
proc script::run {} {
    # Iterate through the certificates in the filestore
    set hostname [exec {/bin/hostname}]
    set reportdate [exec {/bin/date}]
    puts "---------------------------------------------------------------------"
    puts "Certificate report for BIG-IP $hostname "
    puts "Report Date: $reportdate"
    puts "---------------------------------------------------------------------"
    puts "\n\n"
    set certcount 0
    set certproblems 0
    set certwarnings 0
    foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ *.crt_*] {
        incr certcount
        # Get the certificate subject and validity dates
        set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "="] end]
        set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] "="] 1]
        set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] "="] 1]
        # Clean up bad X509 date fields, removing multiple spaces before tokenizing them
        regsub -all -- {[[:space:]]+} $start " " start
        regsub -all -- {[[:space:]]+} $stop " " stop
        set startparts [split $start]
        set stopparts [split $stop]
        set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
        set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
        # Date math
        if { $activatedseconds > 0 } {
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: certificate is not valid yet. It will be valid on $start."
            puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { $expiredseconds > 0 } {
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: is not valid because it expired on $stop."
            puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
            # All certs that will expire within this month (2629743 seconds is about 30.4 days)
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tWarning: will expire on $stop."
            puts "\tWill expire in: [expr {$expiredseconds / -86400}] days."
            puts "---------------------------------------------------------------------"
            incr certwarnings
        }
    }
    puts "\n"
    puts "$certcount Certificates Found"
    puts "$certproblems Certificate Errors Found"
    puts "$certwarnings Certificate Warnings Found"
}
}
Press Esc, then save and quit.
Finally, run your script:
:Active:In Sync] ~ tmsh run cli script certificatereport.tcl
---------------------------------------------------------------------
Certificate report for BIG-IP hostname.company.com
Report Date: Tue Nov 6 15:16:32 GMT 2018
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:application_name.crt
CN: abc.com certificate
Error: is not valid because it expired on Oct 3 13:30:09 2018 GMT.
Expired: 10 days ago.
---------------------------------------------------------------------
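As an added example (not part of the reply above and not the original poster's script), here is a variant of the same tmsh cli script that writes every line of the report to a file as well as to the console, which is the modification the reply says is needed for output under /var/. It assumes tmsh is run as root so /var/log is writable, that the report path /var/log/certificatereport.log and the 30-day warning window are arbitrary choices, and that a small helper proc (script::emit) may be defined in the script namespace next to script::run. It also makes one openssl call per file and skips files openssl cannot parse instead of aborting the whole run.

```tcl
create script certificatereport-tofile.tcl {
proc script::emit { fh line } {
    # Helper (assumed allowed in a cli script): one line to console and to file
    puts $line
    puts $fh $line
}

proc script::run {} {
    # Assumed report location and warning window; change to taste
    set reportfile "/var/log/certificatereport.log"
    set warnseconds [expr {30 * 86400}]
    set sep "---------------------------------------------------------------------"
    set certdir "/config/filestore/files_d/Common_d/certificate_d/"

    set fh [open $reportfile w]
    set now [clock seconds]
    script::emit $fh $sep
    script::emit $fh "Certificate report for BIG-IP [exec /bin/hostname]"
    script::emit $fh "Report Date: [exec /bin/date]"
    script::emit $fh $sep

    set certcount 0
    set certproblems 0
    set certwarnings 0

    foreach file [glob -nocomplain -directory $certdir *.crt_*] {
        incr certcount
        # One openssl call per file; an unreadable file is reported as a
        # problem rather than killing the whole report
        if { [catch {exec /usr/bin/openssl x509 -in $file -noout -subject -startdate -enddate 2>/dev/null} out] } {
            script::emit $fh "File: $file"
            script::emit $fh "\tError: openssl could not read this certificate."
            script::emit $fh $sep
            incr certproblems
            continue
        }
        # Pull the CN and the two dates out of the three output lines
        set cn ""
        set start ""
        set stop ""
        foreach line [split $out "\n"] {
            regexp {CN\s*=\s*([^,/]+)} $line -> cn
            regexp {^notBefore=(.*)$} $line -> start
            regexp {^notAfter=(.*)$} $line -> stop
        }
        set cn [string trim $cn]
        # openssl pads single-digit days with two spaces; collapse before splitting
        regsub -all -- {[[:space:]]+} [string trim $start] " " start
        regsub -all -- {[[:space:]]+} [string trim $stop] " " stop
        set sp [split $start]
        set ep [split $stop]
        # Build the "Oct 3, 2018" form that the free-form clock scan handles
        set startsecs [clock scan "[lindex $sp 0] [lindex $sp 1], [lindex $sp 3]"]
        set stopsecs [clock scan "[lindex $ep 0] [lindex $ep 1], [lindex $ep 3]"]

        if { $startsecs > $now } {
            script::emit $fh "File: $file"
            script::emit $fh "\tCN: $cn"
            script::emit $fh "\tError: not valid yet, becomes valid on $start."
            script::emit $fh "\tActivates in: [expr {($startsecs - $now) / 86400}] days."
            script::emit $fh $sep
            incr certproblems
        } elseif { $stopsecs < $now } {
            script::emit $fh "File: $file"
            script::emit $fh "\tCN: $cn"
            script::emit $fh "\tError: expired on $stop."
            script::emit $fh "\tExpired: [expr {($now - $stopsecs) / 86400}] days ago."
            script::emit $fh $sep
            incr certproblems
        } elseif { ($stopsecs - $now) < $warnseconds } {
            script::emit $fh "File: $file"
            script::emit $fh "\tCN: $cn"
            script::emit $fh "\tWarning: expires on $stop."
            script::emit $fh "\tExpires in: [expr {($stopsecs - $now) / 86400}] days."
            script::emit $fh $sep
            incr certwarnings
        }
    }

    script::emit $fh ""
    script::emit $fh "$certcount Certificates Found"
    script::emit $fh "$certproblems Certificate Errors Found"
    script::emit $fh "$certwarnings Certificate Warnings Found"
    close $fh
    puts "Report written to $reportfile"
}
}
```

Run it the same way as the original (tmsh run cli script certificatereport-tofile.tcl) and then read /var/log/certificatereport.log. The file is opened with "w", so each run overwrites the previous report; use "a" instead if you want the history to accumulate, and remember that /var/log is not preserved across a UCS restore, so copy the report off-box if it matters for auditing.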