Forum Discussion

Santavi_241428
Dec 16, 2016

Checking SHA1 cert on BIG IP LTM Ver 10.2

Hi team,

I need to know which of the certs in LTM (version 10.2) have SHA1 installed in them. I am not getting help from my web service team to validate each and every virtual server tested. Can anybody help me to know how I can see in LTM which of the certs have a SHA1 signature in them? Is there any command to test, please? I checked https://devcentral.f5.com/questions/command-to-find-the-sha-1 algorithm-used-in-ssl-certificate (the above link) but I do not know where to put that script and how to get it to work. Kindly help me.

8 Replies

  • Hi!

    What Kevin is suggesting in that thread is to create a bash script with the following content:

    #!/bin/bash
    # v11 layout: certificates live in the filestore under certificate_d
    for c in `ls --format single-column /config/filestore/files_d/Common_d/certificate_d/`;
    do
        # Split every line of the text dump that mentions sha1 into words;
        # "Signature Algorithm: sha1WithRSAEncryption" leaves the algorithm in arr[2]
        arr=($(openssl x509 -noout -text -in "/config/filestore/files_d/Common_d/certificate_d/${c}" | grep -E "sha1"))

        if [ -n "${arr[2]}" ]
        then
            echo "${c}"
        fi

    done
    
    
    Judging by the date of the thread I'd guess the person is running v11 and the script is most likely not entirely valid for you as the certificate folder was /config/ssl.crt in v10.
    
    I don't have a v10 machine to test this myself but this should work:
    
    
    #!/bin/bash
    # v10 layout: certificates live directly in /config/ssl/ssl.crt
    for c in `ls --format single-column /config/ssl/ssl.crt/`;
    do
        # Split every line of the text dump that mentions sha1 into words;
        # "Signature Algorithm: sha1WithRSAEncryption" leaves the algorithm in arr[2]
        arr=($(openssl x509 -noout -text -in "/config/ssl/ssl.crt/${c}" | grep -E "sha1"))

        if [ -n "${arr[2]}" ]
        then
            echo "${c}"
        fi

    done


    To use it:

    1. Log on to the F5 advanced shell (ssh)
    2. Enter `nano`
    3. Paste the content of the script above
    4. Exit by issuing CTRL+X, enter a file name and press the Enter key
    5. Run the script by issuing `bash [filename]`

    Good luck!

    /Patrik

    Edit: Corrected the path of the ssl certificate directory (hope it's right this time)

  • I did not remember the directory correctly. Try this?

    #!/bin/bash
    # v10 layout: certificates live directly in /config/ssl/ssl.crt
    for c in `ls --format single-column /config/ssl/ssl.crt/`;
    do
        # Split every line of the text dump that mentions sha1 into words;
        # "Signature Algorithm: sha1WithRSAEncryption" leaves the algorithm in arr[2]
        arr=($(openssl x509 -noout -text -in "/config/ssl/ssl.crt/${c}" | grep -E "sha1"))

        if [ -n "${arr[2]}" ]
        then
            echo "${c}"
        fi

    done

  • Many thanks Patrik. It worked, it seems. I could now see the result in the following format. Actually I am able to see the cert names, but I believe it only shows the SHA1 certs. Will it be possible to fetch the Vservers which have the SHA cert attached? Anyway, a great thanks to you.

    Error opening Certificate /config/ssl/ssl.crt2014_stg_xxxmarketingCert.crt
    23160:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/config/ssl/ssl.crt2014_stg_xxxmarketingCert.crt','r')
    23160:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load certificate
    Error opening Certificate /config/ssl/ssl.crt2014_stg_xxxmarketingPrivateKey.crt
    23163:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/config/ssl/ssl.crt2014_stg_xxxmarketingPrivateKey.crt','r')
    23163:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load certificate
    Error opening Certificate /config/ssl/ssl.crtAcuity_SLS_199.253.19.122_8002.crt
    23166:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/config/ssl/ssl.crtAcuity_SLS_199.253.19.122_8002.crt','r')
    23166:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
    unable to load certificate


  • Please give me the output of this command:

    openssl x509 -noout -text -in /config/ssl/ssl.crt/2014_stg_xxxmarketingCert.crt

    And use the Preformatted code option to paste the information (paste the command output here, mark the output and hit CTRL+k).

    /Patrik


  • Holy shit that's a lot of certificates. :)

    Let's verify that the script worked...

    Send me the output of this please?

    openssl x509 -noout -text -in /config/ssl/ssl.crt/


  • Good stuff. Then if the output you got from the script was ONLY errors you should be sha1 free. 🙂

    You can try this script as well to get some more output. If it works as expected you should see:

    Here's the sha1 certificates:
    ... list of SHA1 certificate if any
    
    Here's the SHA256/384/512 certificates:
    ... list of SHA256/384/512 certificates
    

    And here's the script:

    #!/bin/bash
    # v10 layout: certificates live directly in /config/ssl/ssl.crt

    echo "Here's the sha1 certificates:"
    for c in `ls --format single-column /config/ssl/ssl.crt/`;
    do
        # words of every line of the text dump that mentions sha1; arr[2] is the algorithm name
        arr=($(openssl x509 -noout -text -in "/config/ssl/ssl.crt/${c}" | grep -E "sha1"))

        if [ -n "${arr[2]}" ]
        then
            echo "SHA1: ${c}"
        fi
    done

    echo "Here's the SHA256/384/512 certificates:"
    for c in `ls --format single-column /config/ssl/ssl.crt/`;
    do
        # only the "Signature Algorithm: sha256/384/512..." line; arr2[2] is the algorithm name
        arr2=($(openssl x509 -noout -text -in "/config/ssl/ssl.crt/${c}" | grep -E 'Signature +Algorithm: +(sha|SHA)(256|384|512)'))

        if [ -n "${arr2[2]}" ]
        then
            echo "SHA256/384/512: ${c}"
        fi
    done


    Please ignore the certificates that had errors before. I don't have access to a linux shell at the moment so I can't write a reliable script to filter them out.

    /Patrik

  • Just in case you find one on the other LB's, here's how to check it manually:

    1. Take a SHA1 certificate from the list.
    2. Search for the name of the certificate in the configuration files (/config/bigip.conf and /config/partitions/*) to locate which SSL profiles they belong to.
    3. Repeat the process, but search for the name of the SSL profile instead. Then you will be able to see the virtual server name.
    4. Rinse, repeat. :)

    Good luck!

    /Patrik
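The two halves of this thread, classifying certificates by signature algorithm and then walking a SHA1 certificate back to its clientssl profile and virtual server, combined into one script. This is an added example, not Patrik's code or anything shipped by F5. It assumes the v10 `bigip.conf` layout sketched in the constructed `SAMPLE_CONF` below (`profile clientssl NAME { ... cert "file.crt" ... }` and `virtual NAME { ... profiles ... }`), that `openssl x509 -text` prints a `Signature Algorithm:` line, and that `/config/ssl/ssl.crt` is the certificate directory; the function and variable names are the example's own.

```shell
#!/bin/bash
# Added example (not from the thread): classify every certificate in a
# directory by signature algorithm, then map a SHA1 certificate back to the
# clientssl profile(s) and virtual server(s) that reference it.
# Assumptions: the v10 bigip.conf layout in SAMPLE_CONF, and openssl's
# "Signature Algorithm:" line in `openssl x509 -text` output.

# Constructed sample in the assumed v10 bigip.conf style (not from a real unit).
SAMPLE_CONF='profile clientssl stg_marketing_ssl {
   defaults from clientssl
   key "2014_stg_marketing.key"
   cert "2014_stg_marketing.crt"
}
profile clientssl api_ssl {
   defaults from clientssl
   key "api.key"
   cert "api.crt"
}
virtual vs_marketing_443 {
   destination 10.1.1.10:443
   profiles stg_marketing_ssl http tcp
}
virtual vs_api_443 {
   destination 10.1.1.11:443
   profiles api_ssl http tcp
}'

# Constructed fragment of `openssl x509 -noout -text` output for a SHA1 cert.
SAMPLE_X509_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Internal CA'

# Print the algorithm named on the first "Signature Algorithm:" line of
# `openssl x509 -text` output read from stdin (the tbsCertificate one).
sig_algo_from_text() {
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Bucket an algorithm name: SHA1, SHA2 (256/384/512) or OTHER (md5, unknown).
classify_algo() {
    case "$1" in
        *[sS][hH][aA]1*)                                        echo SHA1 ;;
        *[sS][hH][aA]256*|*[sS][hH][aA]384*|*[sS][hH][aA]512*)  echo SHA2 ;;
        *)                                                      echo OTHER ;;
    esac
}

# One line per file in DIR: "<bucket> <file> <algorithm>". Files openssl cannot
# parse as a certificate (key files, bundles) are reported as UNREADABLE instead
# of spraying fopen errors like the output quoted earlier in the thread.
scan_cert_dir() {
    local dir="$1" f algo
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        algo=$(openssl x509 -noout -text -in "$f" 2>/dev/null | sig_algo_from_text)
        if [ -z "$algo" ]; then
            echo "UNREADABLE $(basename "$f")"
        else
            echo "$(classify_algo "$algo") $(basename "$f") $algo"
        fi
    done
}

# clientssl profiles in bigip.conf FILE whose cert line names CERT (quoted).
profiles_for_cert() {
    local conf="$1" cert="$2"
    awk -v cert="$cert" '
        /^profile clientssl / { name = $3 }
        /^}/                  { name = "" }
        name != "" && $1 == "cert" && $2 == ("\"" cert "\"") { print name }
    ' "$conf"
}

# virtual servers in bigip.conf FILE whose profiles line lists PROFILE.
virtuals_for_profile() {
    local conf="$1" prof="$2"
    awk -v prof="$prof" '
        /^virtual / { name = $2 }
        /^}/        { name = "" }
        name != "" && $1 == "profiles" { for (i = 2; i <= NF; i++) if ($i == prof) print name }
    ' "$conf"
}

# End-to-end: scan DIR and, for every SHA1 hit, walk cert -> profile -> virtual.
report_sha1_usage() {
    local dir="$1" conf="$2" bucket file algo prof vs
    scan_cert_dir "$dir" | while read -r bucket file algo; do
        [ "$bucket" = SHA1 ] || continue
        profiles_for_cert "$conf" "$file" | while read -r prof; do
            virtuals_for_profile "$conf" "$prof" | while read -r vs; do
                echo "SHA1 cert $file -> profile $prof -> virtual $vs"
            done
        done
    done
}

# Offline demo on the constructed data (no openssl or BIG-IP needed).
demo() {
    local tmp algo; tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    algo=$(printf '%s\n' "$SAMPLE_X509_TEXT" | sig_algo_from_text)
    echo "sample cert algorithm: $algo ($(classify_algo "$algo"))"
    profiles_for_cert "$tmp" 2014_stg_marketing.crt | while read -r p; do
        echo "profile $p -> virtual $(virtuals_for_profile "$tmp" "$p")"
    done
    rm -f "$tmp"
}

# On the box: bash sha1check.sh /config/ssl/ssl.crt /config/bigip.conf
if [ $# -ge 2 ]; then report_sha1_usage "$1" "$2"; else demo; fi
```

Run with no arguments it only exercises the constructed sample; with a certificate directory and a bigip.conf it prints one `cert -> profile -> virtual` line per SHA1 hit. Partition configs under `/config/partitions/*` can be passed as the second argument in turn, and `UNREADABLE` entries are the key files and bundles that produced the fopen noise quoted above.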