Forum Discussion

Jogen_Doshi_453
Aug 20, 2014

SSL Certificate Expiration Dates

We are using a BIG-IP LTM 3900, version 11.3.0. When trying to check for SSL CA certificates about to expire under System --> File Management --> SSL Certificate List, I get 2 different dates for the expiry of one certificate and key pair. I am seeing the correct date under the Expiration column, but when I click on the certificate, the properties page that opens gives me a past date against the Expires section.

 

Can someone please help?

 

2 Replies

  • it looks correct here.

    e.g.

     config
    
    [root@ve11a:Active:In Sync] config # tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:443
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            myclientssl {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 65
    }
    [root@ve11a:Active:In Sync] config # tmsh list ltm profile client-ssl myclientssl
    ltm profile client-ssl myclientssl {
        app-service none
        cert-key-chain {
            server {
                cert server.crt
                chain chain.crt
                key server.key
            }
        }
        defaults-from clientssl
    }
    [root@ve11a:Active:In Sync] config # tmsh list sys file ssl-cert server.crt
    sys file ssl-cert server.crt {
        certificate-key-size 4096
        checksum SHA1:7112:924b5aee7e062690ab1adbae6d9243dcbd841ec9
        create-time 2014-08-20:03:25:18
        created-by root
        expiration-date 1440066230
        expiration-string "Aug 20 10:23:50 2015 GMT"
        issuer CN=ca2013.acme.com,OU=Support,O=Acme,ST=WA,C=US
        key-type rsa-public
        last-update-time 2014-08-20:03:25:18
        mode 33188
        revision 1
        serial-number 3
        size 7112
        subject CN=server.acme.com,OU=IT,O=Acme,ST=WA,C=US
        updated-by root
        version 3
    }
    
     test
    
    [root@ve11a:Active:In Sync] config # echo | openssl s_client -connect 172.28.24.10:443 2> /dev/null | openssl x509 -noout -dates
    notBefore=Aug 20 10:23:50 2014 GMT
    notAfter=Aug 20 10:23:50 2015 GMT
    
  • is it a huge difference or just a rounding issue?

     

    anyway, this feels like something to report to F5 support; it might be a known bug or such.
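
The comparison made by hand in the first reply, and the "huge difference or rounding issue" question in the second, can be automated. The following is an added example, not part of the original thread and not F5 code: it parses the `expiration-date` (epoch) and `expiration-string` fields from `tmsh list sys file ssl-cert` output and the `notAfter` line from `openssl x509 -noout -dates`, then reports whether the views agree and how far apart they are. The function names and the embedded sample text are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed samples: field values copied from the output shown in the first reply.
TMSH_SAMPLE = '''sys file ssl-cert server.crt {
    expiration-date 1440066230
    expiration-string "Aug 20 10:23:50 2015 GMT"
}'''
OPENSSL_SAMPLE = ("notBefore=Aug 20 10:23:50 2014 GMT\n"
                  "notAfter=Aug 20 10:23:50 2015 GMT")

FMT = "%b %d %H:%M:%S %Y GMT"

def parse_openssl_time(text):
    # OpenSSL pads single-digit days with a space ("Aug  5 ..."), so collapse whitespace.
    return datetime.strptime(" ".join(text.split()), FMT).replace(tzinfo=timezone.utc)

def expiry_views(tmsh_text, openssl_text=None):
    """Return every expiry value found, keyed by where it came from, as UTC datetimes."""
    views = {}
    m = re.search(r"^\s*expiration-date\s+(\d+)\s*$", tmsh_text, re.M)
    if m:
        views["expiration-date"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    m = re.search(r'^\s*expiration-string\s+"([^"]+)"', tmsh_text, re.M)
    if m:
        views["expiration-string"] = parse_openssl_time(m.group(1))
    if openssl_text:
        m = re.search(r"^notAfter=(.+)$", openssl_text, re.M)
        if m:
            views["notAfter"] = parse_openssl_time(m.group(1))
    return views

def check(views, now):
    """Summarise agreement: a spread of seconds suggests rounding, days suggests stale data."""
    distinct = set(views.values())
    spread = int((max(distinct) - min(distinct)).total_seconds()) if distinct else 0
    return {
        "consistent": len(distinct) == 1,
        "spread_seconds": spread,
        "expired": sorted(k for k, v in views.items() if v <= now),
    }

if __name__ == "__main__":
    found = expiry_views(TMSH_SAMPLE, OPENSSL_SAMPLE)
    for source, when in found.items():
        print(f"{source:18} {when.isoformat()}")
    print(check(found, datetime.now(timezone.utc)))
```

Feed it the live `tmsh` and `openssl` output for the certificate in question; a source listed under `expired` while the others are not is the value to include in a support case.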