Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
code share

SSL Certificate Report

Problem this snippet solves:

This script creates a text report detailing all invalid or soon to expire certificates in /config/ssl/ssl.crt/ using openssl to write out the certificate attributes.

Comments on this Snippet
Comment made 18-Jul-2017 by jaikumar_f5 1536

I am getting the below error for v11.x version. The cert path had been changed to certificate_d/

certificatereport.tcl: script failed to complete:
can't eval proc: "script::run"
unable to convert date-time string "Jul , 16:06:24"
    while executing
"clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]""
    (procedure "script::run" line 23)
    invoked from within
"script::run" line:1
script did not successfully complete, status:1
Comment made 22-Sep-2017 by Jason Adams

I updated the script to:

1 - Enclose all 'exec' command statements in curly braces. 2 - Resolve the formatting of the regsub commands:


      regsub -all -- {[['''space''']]+} $start " " start
      regsub -all -- {[['''space''']]+} $stop " " stop


      regsub -all -- {[[:space:]]+} $start " " start
      regsub -all -- {[[:space:]]+} $stop " " stop

I suspect this occurred during a DevCentral update at some point, so hope this is still helpful.

NOTE: There is a built-in command for this as well:

tmsh run sys crypto check-cert { log enabled stdout enabled verbose enabled }

For help on the command:

tmsh help sys crypto check-cert
Comment made 24-Sep-2017 by jaikumar_f5 1536

Works like charm now. Thank you. I had to remove the total-signing-status not-all-signed from the script to make it work. It was throwing with errors.

Syntax Error: "total-signing-status" read-only property

But its weird it got auto added post I saved.

:Active:In Sync] # tmsh list cli script certificatereport.tcl
cli script certificatereport.tcl {
proc script::run {} {
    # Iterate through certs in files
    set hostname [exec {/bin/hostname}]
    set reportdate [exec {/bin/date}]

    puts "---------------------------------------------------------------------"
    puts "Certificate report for BIG-IP $hostname "
    puts "Report Date: $reportdate"
    puts "---------------------------------------------------------------------"
    puts "\n\n"

    set certcount 0
    set certproblems 0
    set certwarnings 0

    foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ *.crt_*] {
        incr certcount
        # Get Certificate Subject
        set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end]
        set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1]
        set stop  [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1]
        # Clean up bad X509 date fields removing multiple spaces before tokenizing them
        regsub -all -- {[[:space:]]+} $start " " start
        regsub -all -- {[[:space:]]+} $stop " " stop
        set startparts [split $start]
        set stopparts [split $stop]
        set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
        set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
        # Date Math
        if { $activatedseconds > 0 } {
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: certificate is not valid yet.  It will be valid on $start."
            puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { $expiredseconds > 0 } {
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: is not valid because it expired on $stop."
            puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
            puts "---------------------------------------------------------------------"
            incr certproblems
        } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
            # All certs that will expire within this month
            puts "File: $file"
            puts "\tCN: $cn certificate"
            puts "\tError: is not valid because it expired on $stop."
            puts "\tWill Expired in: [expr {$expiredseconds / -86400}] days."
            puts "---------------------------------------------------------------------"
            incr certwarnings
    puts "\n"
    puts "$certcount Certificates Found"
    puts "$certproblems Certificate Errors Found"
    puts "$certwarnings Certificate Warnings Found"
    total-signing-status not-all-signed