Thumbprint of the client ssl certificate

Nandhi · ‎16-Jun-2023

Hello Everyone, is there any bash or tmsh command to get thumbprint value of the big-ip client ssl certificate? Thanks

Paulius · ‎19-Jun-2023

@Nandhi It is important to know if you would like to know these fingerprints for the GUI SSL cert of the Client SSL Profile because they are in different directories. Without knowing which the following are the two different paths assuming you are using the default partition on it as well. You can find those by logging into the CLI of the F5, then into the linux shell by typing "bash", and finally going to the following path and running the command below that.

*** Client SSL Profile directory ***
/config/filestore/files_d/Common_D/certificate_d/
*** F5 GUI SSL Cert directory ***
/config/httpd/conf/ssl.crt/

*** Client SSL Profile ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:example.com
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:example.com
*** F5 GUI SSL ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in server.crt
openssl x509 -noout -fingerprint -sha1 -inform -pem -in server.crt

View solution in original post

Paulius · ‎16-Jun-2023

@Nandhi Are you referring to a cert in a client ssl profile or the SSL cert and key that are used for the GUI? This existing post might assist you.

https://community.f5.com/t5/technical-forum/piping-v15-expired-certificate-in-use-listing-to-text-fr...

Nandhi · ‎18-Jun-2023

Thanks for the reply Paulius. Its for client ssl cert only. I wish to check both Sha1 and Sha256 thumbprint value of client ssl cert (Signed by cert authority) in Big-ip cli.

Thanks.

Paulius · ‎19-Jun-2023

@Nandhi It is important to know if you would like to know these fingerprints for the GUI SSL cert of the Client SSL Profile because they are in different directories. Without knowing which the following are the two different paths assuming you are using the default partition on it as well. You can find those by logging into the CLI of the F5, then into the linux shell by typing "bash", and finally going to the following path and running the command below that.

*** Client SSL Profile directory ***
/config/filestore/files_d/Common_D/certificate_d/
*** F5 GUI SSL Cert directory ***
/config/httpd/conf/ssl.crt/

*** Client SSL Profile ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:example.com
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:example.com
*** F5 GUI SSL ***
openssl x509 -noout -fingerprint -sha256 -inform -pem -in server.crt
openssl x509 -noout -fingerprint -sha1 -inform -pem -in server.crt

Nandhi · ‎20-Jun-2023

Thanks Paulius.

After openup the directory and running the command for client ssl, getting below error.

-bad input format specified for Certificate

Unable to load certificate-.

I checked for GUI SSL cert too but same error. I am running with 14.1.5 series version.

Command:

/config/filestore/files_d/Common_D/certificate_d/

openssl x509 -noout -fingerprint -sha256 -inform -pem -in \:Common\:<cert_Name>
openssl x509 -noout -fingerprint -sha1 -inform -pem -in \:Common\:<cert_Name>

Wondering is this firmware issue or anything I missed here.

Paulius · ‎20-Jun-2023

@Nandhi The error that you're receiving seems more of an issue with the format of the file you are referencing rather than the command just not working. Would you mind running the following command so we can see what version of openssl that you have?

rpm -qa | grep openssl

Nandhi · ‎20-Jun-2023

Thanks @Paulius. Got the solution. The certificates are not in pem format. So I just removed -inform -pem then got the fingerprint of both sha1 and sha256.

The commands are :

openssl x509 -noout -fingerprint -sha256 -in :Common:<cert_Name>
openssl x509 -noout -fingerprint -sha1 -in :Common:<cert_Name>

Thanks to get into this.

DevCentral

Thumbprint of the client ssl certificate

MFA required on DevCentral