Forum Discussion

George_32256
Mar 12, 2007

Checking for Certificate Expiration at Configurable Intervals and Sending Emails

Is there a way on BigIP 4.x and 9.x to check for soon-to-be expiring SSL certificates and then send emails at configurable intervals as the expiration date approaches? I've seen mention of SSL::verify_result but don't know much about it.

George

1 Reply

  • Are you wanting to send an alert when a client cert is about to expire or when a VIP's cert is about to expire?

    If it's a server cert, that should be logged to /var/log/ltm as of 9.1.2, per CR59595:

    https://tech.f5.com/home/bigip-next/releasenotes/relnotes9_1_2.htmlenhancement

    Certificate monitoring for expired or soon-to-be-expired certificates (CR59595)

    The system now includes certificate monitoring to detect expired or soon-to-be expired certificates. Certificate status is now logged in /var/log/ltm, using the following format:

    Certificate X in file Y expired on DATE

    Certificate X in file Y will expire on DATE

    This feature provides compatibility with BIG-IP 4.6 in this regard.

    If you want to send an alert for a client cert, you'd need to extract the expiry date and client's email from the SSL info and then log an entry to /var/log/ltm.

    You could then set up syslog-ng to send an email when such a log event occurs.

    I'm not sure sending an email would be possible in 4.x, but you might try posting in the 4.x iRule forum to get more info.

    Aaron
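
An added example, not part of the reply above and not F5 code: a small parser for the two certificate messages quoted from the release note, which turns them into alert text at configurable day thresholds. The DATE layout, the threshold values and the sample lines (hostname, certificate names, paths) are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Message shapes as quoted from the 9.1.2 release note in the reply.
CERT_RE = re.compile(r"Certificate (?P<name>.+?) in file (?P<file>\S+) "
                     r"(?P<state>expired|will expire) on (?P<date>.+)$")
DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # assumption: the page does not show DATE's layout
THRESHOLDS = (30, 14, 7, 1)          # configurable reminder points, days before expiry

# Constructed sample lines (hostname, names and paths are placeholders).
SAMPLE = [
    "Mar 12 04:02:01 lb1 Certificate old in file /path/to/old.crt expired on Jan 05 10:00:00 2007 GMT",
    "Mar 12 04:02:01 lb1 Certificate www in file /path/to/www.crt will expire on Mar 22 00:00:00 2007 GMT",
    "Mar 12 04:02:01 lb1 Certificate api in file /path/to/api.crt will expire on Dec 31 00:00:00 2007 GMT",
    "Mar 12 04:02:02 lb1 unrelated message",
]


def parse_line(line):
    """Return (name, file, expiry) for a certificate status line, else None."""
    if not (m := CERT_RE.search(line.strip())):
        return None
    try:
        expiry = datetime.strptime(m["date"].strip(), DATE_FMT)
    except ValueError:
        expiry = None  # unknown date layout: reported below, not silently dropped
    return m["name"], m["file"], expiry


def alerts(lines, now, thresholds=THRESHOLDS):
    """One message per certificate that is expired or inside a threshold."""
    out = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        name, path, expiry = parsed
        if expiry is None:
            out[path] = f"CHECK MANUALLY: {name} ({path}), unparsed date"
            continue
        days = (expiry - now).days
        crossed = [t for t in thresholds if days <= t]
        if expiry <= now:
            out[path] = f"EXPIRED: {name} ({path}) on {expiry:%Y-%m-%d}"
        elif crossed:
            out[path] = f"{min(crossed)}-day warning: {name} ({path}), {days} days left"
    return list(out.values())

print("\n".join(alerts(SAMPLE, datetime(2007, 3, 12))))
```

The returned strings are what a mail step would send; the tightest threshold crossed is reported, so the subject changes as the expiry date approaches.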