ssl cert
9 Topics

Triggering SNMP traps for SSL Certificates
I've read a few different SOL articles and posts here on DevCentral on how to generate SNMP traps locally from the F5. We use Solarwinds for SNMP alert notification (not sure if that's relevant or not). Last week, I ran the command tmsh run sys crypto check-cert ignore-large-cert-bundles enabled on a guest with one expiring certificate and that triggered an email. I have the email. It's real. I haven't generated that trap with that identical command on the same guest, or other guests. Here is the email and the output of /config/user_alert.conf file.

[username@f5-guest:/S1-green-P:Standby:In Sync] ~ cat /config/user_alert.conf
alert CERTIFICATE_EXPIRED "Certificate (.*) expired" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300"
alert CERTIFICATE_WILL_EXPIRE "Certificate (.*) will expire" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301"
}

681 Views, 0 likes, 1 Comment

Looking to pull report for all SSL Certificates with expiration dates.
All, I'm trying to see if there is a fast way to pull a report of all SSL certificates and their expiration dates on my Big IP device. I used the tmsh command cd /; run /sys crypto check-cert, but that only pulls expired certificates. Is there a better way than manually going through the GUI? Thanks.

1.5K Views, 0 likes, 8 Comments

What happens to the active connections when the SSL Cert is renewed
Hi, I had a query about what happens to the active connections when the SSL Cert is renewed. Will the active connected users have an interruption of their session, like a drop, or be asked to open a new connection re-establishing the SSL handshake? Thanks

434 Views, 0 likes, 3 Comments

SSL certificate status unknown for status monitoring.
While configuring the SSL certificate monitoring feature, I get a couple of certificate statuses as unknown (a blue dot) instead of good status (green dot). I have tried to run a pcap to check the response from OCSP, which is similar for both the certificates (good and unknown). Is this something I am missing in configuration?

421 Views, 0 likes, 5 Comments

Renewing SAN certificate with existing key via CLI
I'm looking for a way to renew existing certificates that have SANs by using the existing key via command line. We have a requirement to use the existing key as we have had issues in the past by generating a new key every time. I've had a look at https://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html on how to create a new SAN certificate, however it only seems to work when creating a new key and certificate. Currently we are only requesting certs via the internal CA, which doesn't have support for SANs to be added on their end, so it must be included in the request. The current script that we use for renewing certs with no SANs works fine on the F5, however certs with SANs can't be properly renewed. Any help would be much appreciated. I've had to look at ways to do it via tmsh or OpenSSL and there seems to be no suitable way around it.

307 Views, 0 likes, 2 Comments

SSL logging impact on f5?
Hello Experts, I was just curious if there would be any impact on performance of f5 if we enabled SSL logging? I found out how to do it but I don't want to mess up the entire infrastructure. Please let me know if it will slow the working performance of the f5, affect other VIPs' configuration, or cause any error/outage at all. https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html Thank you all, you are the best. R

260 Views, 0 likes, 1 Comment