Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

Piping v15 EXPIRED_CERTIFICATE_IN_USE listing to text from CLI


Loving the expired certificate in use in the GUI. I'd love it even more if I could run that from the GUI for text output. Is that possible? 




If you are referring to the self-signed SSL cert that is typically used for the F5 GUI then the following files are the ones used for the management GUI.


Make sure you create a backup of those two files before you go replacing them and run the following command after you swap them out.

tmsh restart sys service httpd

The following article runs through it all as well as some other helpful information.

F5 Employee
F5 Employee

This article shows how to display all the application certificates, which includes expiration date

K15462: Managing SSL certificates for BIG-IP systems using tmsh

list sys crypto cert

sys sys crypto cert example_2017.crt {
    cert-validation-options none
    certificate-key-size 2048
    city Seattle
    country US
    expiration Jan 21 20:52:46 2027 GMT
    organization MyCompany
    ou IT
    public-key-type RSA
    state WA

From there you can get fancey with parsing the output and further highlighting which ones are expired.

This article talks about how to do it with the api.

F5 DevCentral:  check status of the ssl certificate on f5 using rest api

curl -sku admin:admin https://bigip_hostname/mgmt/tm/sys/crypto/cert/ | jq '.items[] | {certname: .name, CertExpiry: .apiRawValues.expiration}'
"certname": "/Common/abc_host_certJuly2022",
"CertExpiry": "Jul 14 17:11:26 2021 GMT"



I am familiar with list sys crypto cert. The key part of my quest is "in use". Those are the ones where we have to chase app owners to renew. 

I can scrape the EXPIRED_CERTIFICATE_IN_USE page, but I'd rather deal with this with crontab and CLI commands to produce periodic text files.


@jlarger If your intent is to alert someone about expiring or expired SSL certificates the following article might be what you are looking for.

The only downside to the email sent out is you can't change the email on a per certificate basis so you would send these alerts to one location and then you would have to alert the app owner on your own unless you create some automation around specific URLs that would automatically send an alert out once you receive an email with a specific FQDN in the email.

I agree that is a very important detail.  I would then suggest looking into cleaning up th un-used certs, since they probably serve no purpose.

Paulis's response/article did find some other options with the crypto check-cert utility

K14318: Monitoring SSL certificate expiration on the BIG-IP system


I would also consider having some sort of syslog server, or SIEM like Splunk to alert whenever the expired cert logs appear.