Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI

jlarger · ‎15-Jun-2023

Loving the expired certificate in use in the GUI. I'd love it even more if I could run that from the GUI for text output. Is that possible?

Paulius · ‎15-Jun-2023

@jlarger

If you are referring to the self-signed SSL cert that is typically used for the F5 GUI then the following files are the ones used for the management GUI.

/config/httpd/conf/ssl.crt/server.crt
/config/httpd/conf/ssl.key/server.key

Make sure you create a backup of those two files before you go replacing them and run the following command after you swap them out.

tmsh restart sys service httpd

The following article runs through it all as well as some other helpful information.

https://my.f5.com/manage/s/article/K42531434

Ben_Novak · ‎15-Jun-2023

This article shows how to display all the application certificates, which includes expiration date

K15462: Managing SSL certificates for BIG-IP systems using tmsh

https://my.f5.com/manage/s/article/K15462#9

list sys crypto cert

sys sys crypto cert example_2017.crt {
    cert-validation-options none
    cert-validators
    certificate-key-size 2048
    city Seattle
    common-name example.com
    country US
    email-address root@example.com
    expiration Jan 21 20:52:46 2027 GMT
    issuer emailAddress=root@exampleca.com,CN=exampleca.com,OU=IT,O=MyCompany,L=Seattle,ST=WA,C=US
    issuer-certificate
    organization MyCompany
    ou IT
    public-key-type RSA
    state WA
    subject-alternative-name
}

From there you can get fancey with parsing the output and further highlighting which ones are expired.

This article talks about how to do it with the api.

F5 DevCentral: check status of the ssl certificate on f5 using rest api

https://community.f5.com/t5/technical-forum/check-status-of-the-ssl-certificate-on-f5-using-rest-api...

curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
{
"certname": "/Common/abc_host_certJuly2022",
"CertExpiry": "Jul 14 17:11:26 2021 GMT"
}

jlarger · ‎16-Jun-2023

I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew.

I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.

Paulius · ‎16-Jun-2023

@jlarger If your intent is to alert someone about expiring or expired SSL certificates the following article might be what you are looking for.

https://my.f5.com/manage/s/article/K15288

The only downside to the email sent out is you can't change the email on a per certificate basis so you would send these alerts to one location and then you would have to alert the app owner on your own unless you create some automation around specific URLs that would automatically send an alert out once you receive an email with a specific FQDN in the email.

Ben_Novak · ‎16-Jun-2023

I agree that is a very important detail. I would then suggest looking into cleaning up th un-used certs, since they probably serve no purpose.

Paulis's response/article did find some other options with the crypto check-cert utility

K14318: Monitoring SSL certificate expiration on the BIG-IP system

https://my.f5.com/manage/s/article/K14318

I would also consider having some sort of syslog server, or SIEM like Splunk to alert whenever the expired cert logs appear.

DevCentral

Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI

K15462: Managing SSL certificates for BIG-IP systems using tmsh

K14318: Monitoring SSL certificate expiration on the BIG-IP system

MFA required on DevCentral