
SSL Certificate Report

Problem this snippet solves:

This script creates a text report detailing all invalid or soon-to-expire certificates in /config/ssl/ssl.crt/, using openssl to read out the certificate attributes. A certificate is reported as an error if it is not yet valid or has already expired, and as a warning if it is still valid but expires within roughly the next month.

Code:

cli script certificatereport.tcl {
proc script::run {} {
        # Iterate through the certificate files on disk
        set hostname [exec {/bin/hostname}]
        set reportdate [exec {/bin/date}]

        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"

        set certcount 0
        set certproblems 0
        set certwarnings 0

        # Warn on anything that expires within roughly one month (30.44 days)
        set warnseconds 2629743

        foreach file [glob -directory /config/ssl/ssl.crt/ *.crt] {
          incr certcount
          # Get Certificate Subject, validity start and validity end.
          # -noout keeps openssl from echoing the PEM body as well.
          # The CN is taken as the last "=" separated token of the subject,
          # so this assumes CN is the final component of the subject DN.
          set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-noout" "-subject" "|" "grep" "subject"] "="] end]
          set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-noout" "-startdate" "|" "grep" "Before"] "="] 1]
          set stop  [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-noout" "-enddate" "|" "grep" "After"] "="] 1]
          # Clean up X509 date fields ("Jan  1 00:00:00 2015 GMT") by collapsing
          # multiple spaces before tokenizing them
          regsub -all -- {[[:space:]]+} $start " " start
          regsub -all -- {[[:space:]]+} $stop " " stop
          set startparts [split $start]
          set stopparts [split $stop]
          # Seconds until the certificate becomes valid (positive = not yet valid)
          set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
          # Seconds since the certificate expired (positive = already expired)
          set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
          # Date Math
          if { $activatedseconds > 0 } {
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tError: certificate is not valid yet.  It will be valid on $start."
              puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
              puts "---------------------------------------------------------------------"
              incr certproblems
          } elseif { $expiredseconds > 0 } {
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tError: certificate is not valid because it expired on $stop."
              puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
              puts "---------------------------------------------------------------------"
              incr certproblems
          } elseif { [expr {$expiredseconds * -1}] < $warnseconds } {
              # Still valid, but will expire within the warning window
              puts "File: $file"
              puts "\tCN: $cn certificate"
              puts "\tWarning: certificate will expire on $stop."
              puts "\tWill expire in: [expr {$expiredseconds / -86400}] days."
              puts "---------------------------------------------------------------------"
              incr certwarnings
          }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
   }
}
Published Mar 10, 2015
Version 1.0
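The same not-yet-valid / expired / expiring-soon classification, written as shell functions so the date arithmetic can be exercised without a BIG-IP. This is an added example, not code from the original code share: the function names and the WARN_SECONDS variable are this example's own, the warning window is configurable rather than fixed, and the notBefore/notAfter strings are handed to GNU date (as found on BIG-IP's Linux base) instead of being tokenized by hand. It assumes openssl is in PATH and that the directory holds PEM certificates; a file openssl cannot read is counted as an error rather than aborting the run.

```shell
#!/bin/sh
# Added example: shell re-implementation of the certificate report logic.
# Assumes GNU date (date -d) and openssl in PATH. Pure POSIX sh otherwise.

WARN_SECONDS=2592000   # 30 days; the Tcl script hard-codes 2629743

# classify_cert START END NOW [WARN]
# All arguments are epoch seconds. Prints one of:
#   NOT_YET_VALID, EXPIRED, EXPIRING, OK
classify_cert() {
    start=$1; end=$2; now=$3; warn=${4:-$WARN_SECONDS}
    if [ "$start" -gt "$now" ]; then
        echo NOT_YET_VALID
    elif [ "$end" -le "$now" ]; then
        echo EXPIRED
    elif [ $((end - now)) -lt "$warn" ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# days_between A B -> whole days from epoch A to epoch B (B >= A)
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# cert_epoch FILE FIELD -> epoch seconds of notBefore (startdate) or
# notAfter (enddate). -noout suppresses the PEM body; GNU date parses
# "Jan  1 00:00:00 2030 GMT" directly. Returns non-zero if openssl fails.
cert_epoch() {
    v=$(openssl x509 -in "$1" -noout "-$2") || return 1
    date -d "${v#*=}" +%s
}

# report_file FILE [NOW] -> one tab-separated line: state, file, CN, days
report_file() {
    f=$1; now=${2:-$(date +%s)}
    start=$(cert_epoch "$f" startdate) || return 1
    end=$(cert_epoch "$f" enddate) || return 1
    # CN from either "/C=US/.../CN=host" or "CN=host,O=..." subject formats
    cn=$(openssl x509 -in "$f" -noout -subject | sed -n 's/.*CN=\([^/,]*\).*/\1/p')
    state=$(classify_cert "$start" "$end" "$now")
    case $state in
        NOT_YET_VALID) days=$(days_between "$now" "$start") ;;
        EXPIRED)       days=$(days_between "$end" "$now") ;;
        *)             days=$(days_between "$now" "$end") ;;
    esac
    printf '%s\t%s\tCN=%s\t%s days\n' "$state" "$f" "$cn" "$days"
}

# report_dir [DIR] -> lists every problem cert in DIR/*.crt plus totals,
# matching the error/warning split of the Tcl script
report_dir() {
    dir=${1:-/config/ssl/ssl.crt}
    total=0; errors=0; warnings=0
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        total=$((total + 1))
        if ! line=$(report_file "$f"); then
            echo "UNREADABLE	$f"; errors=$((errors + 1)); continue
        fi
        case $line in
            NOT_YET_VALID*|EXPIRED*) errors=$((errors + 1)); echo "$line" ;;
            EXPIRING*)               warnings=$((warnings + 1)); echo "$line" ;;
        esac
    done
    echo "$total certificates, $errors errors, $warnings warnings"
}

# Run the report only when a directory is given on the command line,
# e.g.  sh certreport.sh /config/ssl/ssl.crt
if [ "$#" -gt 0 ]; then
    report_dir "$1"
fi
```

The OK branch is deliberately silent, so a clean run prints only the totals line, which makes a non-empty body above that line a usable alert condition when the output is mailed from cron as in the comments below.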

23 Comments

  • In addition to the above comment:

     

    I am able to save the output to /var/tmp/cert-output.txt

    But I need to execute the script automatically every month and get the report by email. How can we achieve this?

  • Hi All,

     

    I need help configuring a cron job to run the two commands below on an hourly basis. Could you please help me with the steps:

     

    tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt

    echo "Message Body Here" | mailx -s "Subject Here" -a /var/tmp/cert-outputs.txt name@domain.com

  • Hi Sumit,

     

    Apologies for the late reply. Good to know that you already have SMTP set up.

    The next easy step is to write a small script using any mail agent (sendmail, mail or mailx) and have cron run that script every month.

     

    Go to /var/tmp/ and create a file named automatecertificatereports.sh.

    Add the code below to the automatecertificatereports.sh file.

    #!/bin/sh
    tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt
     
    from="abc@domain.com"
    to="abc@domain.com,pqr@domain.com,xyz@domain.com"
    subject="Automated SSL Certificate Report"
     
    mail -s "$subject" -r "$from" -a "/var/tmp/cert-outputs.txt" "$to" << EOF
    Hi Team,
     
    Please find the attached SSL Certificate Report.
     
    Thanks & Regards,
    abc@domain.com
     
    EOF

    Make the file executable.

    chmod +x automatecertificatereports.sh

    Now go to your crontab and list it first to see the existing cron jobs.

     

    crontab -l

    You should see a couple of disk monitor checks, etc.

     

    Always put a good comment above your cron job entry. Use crontab -e to edit/add your entries.

    crontab -e

    Go to the end of the section and add the 2 lines below,

     

    ## Section for Automated SSL Certificate Report - Monthly Cron - Start of month - 6 o'clock ##
    0 6 1 * * /bin/bash /var/tmp/automatecertificatereports.sh

    You can edit this cron schedule according to your needs. For testing, try running it every day for a 1 AM report: 0 1 * * *

    Hope this helps. Let us know if you have more concerns.