Forum Discussion

Duncan_Proffitt
Dec 22, 2017

Mass print of SSL certs and their Virtual Servers/Profiles

I have a fairly onerous task ahead of me and would like some advice please.

I have 11 BigIPs to administer and all of them have a "bazillion" SSL certificates. All of those certificates will be attached to something.

Having read this post about Which Virtual Contents are associated with which SSL cert, I got to thinking how I would automate this.

So, my question is: is there a command that will give me each one of the certs with their profiles (and then their servers) that I can put into a text file and start going through each one to see if it's still in use or not?

The enquiring mind of a desperate F5-er would like to know, or his New Year will be locked in a darkened room running single-line commands...


12 Replies

  • e.g.

    // config
    
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys file ssl-cert certone.crt
    sys file ssl-cert certone.crt {
        certificate-key-size 2048
        checksum SHA1:1021:6b81a94a572bafe3b3bc25384a4cfe747b5504c0
        create-time 2017-12-23:07:21:10
        created-by admin
        expiration-date 1545520870
        expiration-string "Dec 22 23:21:10 2018 GMT"
        issuer CN=certone.local,C=US
        key-type rsa-public
        last-update-time 2017-12-23:07:21:10
        mode 33188
        revision 1
        serial-number 251652070
        size 1021
        source-path /config/ssl/ssl.crt/certone.crt
        subject CN=certone.local,C=US
        updated-by admin
        version 3
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl client-ssl-one
    ltm profile client-ssl client-ssl-one {
        app-service none
        cert certone.crt
        cert-key-chain {
            certone {
                cert certone.crt
                key certone.key
            }
        }
        chain none
        inherit-certkeychain false
        key certone.key
        passphrase none
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual test-one
    ltm virtual test-one {
        destination 1.2.3.4:443
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            client-ssl-one {
                context clientside
            }
            tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vs-index 4
    }
    
    // one-liner script
    
    [root@bip1a:Active:In Sync] config  for i in `tmsh list sys file ssl-cert one-line |awk '{print $4}'`; do echo "===== cert: $i ===="; for j in `tmsh list ltm profile client-ssl one-line |grep $i |awk '{print $4}'`; do echo "----- profile: $j -----"; for k in `tmsh list ltm virtual one-line |grep $j |awk '{print $3}'`; do echo "virtual: $k"; done; done; echo ""; done
    ===== cert: ca-bundle.crt ====
    
    ===== cert: certone.crt ====
    ----- profile: client-ssl-one -----
    virtual: test-one
    
    ===== cert: default.crt ====
    ----- profile: clientssl -----
    ----- profile: clientssl-insecure-compatible -----
    ----- profile: clientssl-secure -----
    ----- profile: crypto-server-default-clientssl -----
    ----- profile: wom-default-clientssl -----
    
    ===== cert: f5-irule.crt ====
    
    
    • Duncan_Proffitt

      You amazing human being!! I want your babies!!

      In other words:

      Thank you very much, the one-liner is perfect!!

      D.



  • how would I get the details off a non-common partition?

    Do you happen to have a virtual server which uses a clientssl profile from another partition, or a clientssl profile that uses a certificate from another partition? If yes, it will not be recognized by the one-liner script (below). It is because of how the script is built (we are filtering virtual servers based on clientssl profile, based on certificate in a specific partition).

    There are 4 folders including root.

    root@(bip1a)(cfg-sync In Sync)(Active)(/)(tmos) list sys folder |grep sys
    sys folder / {
    sys folder Common {
    sys folder asgard {
    sys folder jotunheim {
    

    Each folder except root has its own certificate, clientssl profile and virtual server.

    // common
    
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list sys file ssl-cert cert-one.crt
    sys file ssl-cert cert-one.crt {
        certificate-key-size 2048
        checksum SHA1:1013:76f6b8023a53f91defdb335f1df514337070c631
        create-time 2017-12-28:21:18:37
        created-by admin
        expiration-date 1546003117
        expiration-string "Dec 28 13:18:37 2018 GMT"
        issuer CN=one.local,C=US
        key-type rsa-public
        last-update-time 2017-12-28:21:18:37
        mode 33188
        revision 1
        serial-number 252134317
        size 1013
        source-path /config/ssl/ssl.crt/cert-one.crt
        subject CN=one.local,C=US
        updated-by admin
        version 3
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl clientssl-one cert key
    ltm profile client-ssl clientssl-one {
        cert cert-one.crt
        key cert-one.key
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual vs-one profiles
    ltm virtual vs-one {
        profiles {
            clientssl-one {
                context clientside
            }
            tcp {
                context all
            }
        }
    }
    
    // asgard
    
    root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list sys file ssl-cert cert-heimdall.crt
    sys file ssl-cert cert-heimdall.crt {
        certificate-key-size 2048
        checksum SHA1:1025:e787e6f665058d1d43d4d7d780ec69014bbfbcc5
        create-time 2017-12-28:21:15:19
        created-by admin
        expiration-date 1546002919
        expiration-string "Dec 28 13:15:19 2018 GMT"
        issuer CN=heimdall.local,C=US
        key-type rsa-public
        last-update-time 2017-12-28:21:15:19
        mode 33188
        partition asgard
        revision 1
        serial-number 252134119
        size 1025
        source-path /config/ssl/ssl.crt/cert-heimdall.crt
        subject CN=heimdall.local,C=US
        updated-by admin
        version 3
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list ltm profile client-ssl clientssl-heimdall cert key
    ltm profile client-ssl clientssl-heimdall {
        cert cert-heimdall.crt
        key cert-heimdall.key
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/asgard)(tmos) list ltm virtual vs-heimdall profiles
    ltm virtual vs-heimdall {
        profiles {
            /Common/tcp {
                context all
            }
            clientssl-heimdall {
                context clientside
            }
        }
    }
    
    // jotunheim
    
    root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list sys file ssl-cert loki-cert.crt
    sys file ssl-cert loki-cert.crt {
        certificate-key-size 2048
        checksum SHA1:1013:bbf5b8a4020b415690e6f87a1c6d8222d6aa4a7d
        create-time 2017-12-28:21:16:09
        created-by admin
        expiration-date 1546002969
        expiration-string "Dec 28 13:16:09 2018 GMT"
        issuer CN=loki.local,C=US
        key-type rsa-public
        last-update-time 2017-12-28:21:16:09
        mode 33188
        partition jotunheim
        revision 1
        serial-number 252134169
        size 1013
        source-path /config/ssl/ssl.crt/loki-cert.crt
        subject CN=loki.local,C=US
        updated-by admin
        version 3
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm profile client-ssl clientssl-loki cert key
    ltm profile client-ssl clientssl-loki {
        cert loki-cert.crt
        key loki-cert.key
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm virtual vs-loki profiles
    ltm virtual vs-loki {
        profiles {
            /Common/tcp {
                context all
            }
            clientssl-loki {
                context clientside
            }
        }
    }
    

    But this jotunheim folder has a special virtual server/clientssl profile which refers to a certificate in the Common folder. This virtual server/clientssl profile will not be flagged by the one-liner script below.

    root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm virtual vs-special profiles
    ltm virtual vs-special {
        profiles {
            /Common/tcp {
                context all
            }
            clientssl-special {
                context clientside
            }
        }
    }
    root@(bip1a)(cfg-sync In Sync)(Active)(/jotunheim)(tmos) list ltm profile client-ssl clientssl-special cert key
    ltm profile client-ssl clientssl-special {
        cert /Common/cert-one.crt
        key /Common/cert-one.key
    }
    

    The one-liner script:

    [root@bip1a:Active:In Sync] config  for p in `tmsh -c "cd /; list sys folder one-line" |awk '{if($3~/^\//) {print $3; next} {print "/" $3}}'`; do echo "===== partition: $p ====="; for i in `tmsh -c "cd $p; list sys file ssl-cert one-line" |awk '{print $4}'`; do echo "----- cert: $i -----"; for j in `tmsh -c "cd $p; list ltm profile client-ssl one-line" |grep $i\ |awk '{print $4}'`; do echo "***** profile: $j *****"; for k in `tmsh -c "cd $p; list ltm virtual one-line" |grep $j\ |awk '{print $3}'`; do echo "..... virtual: $k ....."; echo ""; done; done; done; echo ""; done
    ===== partition: / =====
    
    ===== partition: /Common =====
    ----- cert: ca-bundle.crt -----
    ----- cert: cert-one.crt -----
    ***** profile: clientssl-one *****
    ..... virtual: vs-one .....
    
    ----- cert: default.crt -----
    ***** profile: clientssl *****
    ***** profile: clientssl-insecure-compatible *****
    ***** profile: clientssl-secure *****
    ***** profile: crypto-server-default-clientssl *****
    ***** profile: wom-default-clientssl *****
    ----- cert: f5-irule.crt -----
    
    ===== partition: /asgard =====
    ----- cert: cert-heimdall.crt -----
    ***** profile: clientssl-heimdall *****
    ..... virtual: vs-heimdall .....
    
    
    ===== partition: /jotunheim =====
    ----- cert: loki-cert.crt -----
    ***** profile: clientssl-loki *****
    ..... virtual: vs-loki .....
    
  • how would I get the details off a non-common partition?

    I have another idea which uses iControl REST and jq. Since iControl REST is not limited to a single partition, all virtual servers and clientssl profiles should be recognized even if they use a configuration object from another partition.

    [root@bip1a:Active:In Sync] config  for i in `curl -sk -u admin:admin https://localhost/mgmt/tm/sys/file/ssl-cert |jq '.items[]|{fullPath}' |awk '/fullPath/ {print $2}'`; do echo "===== cert: $i ====="; for j in `curl -sk -u admin:admin https://localhost/mgmt/tm/ltm/profile/client-ssl |jq ".items[]|select(.cert==$i)|{fullPath}" |awk '/fullPath/ {print $2}'`; do echo "----- profile: $j -----"; for k in `curl -sk -u admin:admin https://localhost/mgmt/tm/ltm/virtual?expandSubcollections=true |jq ".items[]|select(.profilesReference.items[].fullPath==$j)|{fullPath}" |awk '/fullPath/ {print $2}'`; do echo "virtual: $k"; echo ""; done; done; echo ""; done
    ===== cert: "/Common/ca-bundle.crt" =====
    
    ===== cert: "/Common/cert-one.crt" =====
    ----- profile: "/Common/clientssl-one" -----
    virtual: "/Common/vs-one"
    
    ----- profile: "/jotunheim/clientssl-special" -----
    virtual: "/jotunheim/vs-special"
    
    
    ===== cert: "/Common/default.crt" =====
    ----- profile: "/Common/clientssl" -----
    ----- profile: "/Common/clientssl-insecure-compatible" -----
    ----- profile: "/Common/clientssl-secure" -----
    ----- profile: "/Common/crypto-server-default-clientssl" -----
    ----- profile: "/Common/wom-default-clientssl" -----
    
    ===== cert: "/Common/f5-irule.crt" =====
    
    ===== cert: "/asgard/cert-heimdall.crt" =====
    ----- profile: "/asgard/clientssl-heimdall" -----
    virtual: "/asgard/vs-heimdall"
    
    
    ===== cert: "/jotunheim/loki-cert.crt" =====
    ----- profile: "/jotunheim/clientssl-loki" -----
    virtual: "/jotunheim/vs-loki"
    
    
    • Duncan_Proffitt

      Thank you for all of that. So, on the GUI, I navigate to SSL Cert List. There I drop down the partition drop-down and not only do I have Common, but I have two other partitions.

      Let's call them Red and Green.

      Both Red and Green use Common partition/path certs as well as certs individual to their own partition.

      You have very kindly helped me previously with the Common certs, and once again, you have scored another goal with this one-liner!!

      Thank you so much again!


    • nitass_89166

      Very welcome. What you are asking makes sense. I was enjoying playing around with it and hope I can use it too!

       

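The three replies above (the tmsh one-liner, the per-partition loop, and the jq version) all perform the same join: certificate, then the client-ssl profiles that reference it, then the virtual servers that carry those profiles. Here is that join as a Python script. It is an added example, not code posted in this thread or shipped by F5. It assumes the three iControl REST collections the jq one-liner queries have been saved to JSON files first (so no credentials sit inside a shell loop) and that their items carry the `fullPath`, `cert`, `certKeyChain`, `profilesReference` and `expirationDate` fields; the sample data inside is constructed, modelled on the objects shown in the thread. Because it joins on full paths, a /Common certificate used by a profile in another partition is attributed correctly, and a certificate whose name is a substring of another (the `grep $i` pitfall in the tmsh version) does not produce a false match. It also counts cert-key-chain entries, which `select(.cert==$i)` in the jq version ignores, and lists unreferenced certificates, profiles attached to no virtual server, and certificates expiring soon, which is the clean-up question the original post asked.

```python
"""Cross-partition map of BIG-IP SSL certificates to the client-ssl profiles
and virtual servers that use them, built from saved iControl REST JSON.

Added example (not code from this thread).  Input is the JSON saved from:
    GET /mgmt/tm/sys/file/ssl-cert
    GET /mgmt/tm/ltm/profile/client-ssl
    GET /mgmt/tm/ltm/virtual?expandSubcollections=true
Run with those three file paths, or with no arguments to use the sample data.
"""
import json
import sys
from collections import defaultdict

# Constructed sample data modelled on the objects shown in the thread, plus one
# extra certificate, /Common/one.crt, whose name is a substring of cert-one.crt:
# a plain `grep $i` would count it as used by clientssl-one.
SSL_CERTS = {"items": [
    {"fullPath": "/Common/ca-bundle.crt", "expirationDate": 1893456000},
    {"fullPath": "/Common/cert-one.crt", "expirationDate": 1546003117},
    {"fullPath": "/Common/default.crt", "expirationDate": 1893456000},
    {"fullPath": "/Common/one.crt", "expirationDate": 1893456000},
    {"fullPath": "/asgard/cert-heimdall.crt", "expirationDate": 1546002919},
    {"fullPath": "/jotunheim/loki-cert.crt", "expirationDate": 1546002969},
]}
CLIENT_SSL = {"items": [
    {"fullPath": "/Common/clientssl", "cert": "/Common/default.crt"},
    {"fullPath": "/Common/clientssl-one", "cert": "/Common/cert-one.crt",
     "certKeyChain": [{"name": "cert-one", "cert": "/Common/cert-one.crt"}]},
    {"fullPath": "/asgard/clientssl-heimdall", "cert": "/asgard/cert-heimdall.crt"},
    {"fullPath": "/jotunheim/clientssl-loki", "cert": "/jotunheim/loki-cert.crt"},
    # Profile in /jotunheim using a /Common certificate: the case the
    # per-partition tmsh loop misses.
    {"fullPath": "/jotunheim/clientssl-special", "cert": "/Common/cert-one.crt"},
]}


def _vs(path, ssl_profile):
    """Build a virtual server item as expandSubcollections=true returns it."""
    return {"fullPath": path, "profilesReference": {"items": [
        {"fullPath": "/Common/tcp", "context": "all"},
        {"fullPath": ssl_profile, "context": "clientside"}]}}


VIRTUALS = {"items": [
    _vs("/Common/vs-one", "/Common/clientssl-one"),
    _vs("/asgard/vs-heimdall", "/asgard/clientssl-heimdall"),
    _vs("/jotunheim/vs-loki", "/jotunheim/clientssl-loki"),
    _vs("/jotunheim/vs-special", "/jotunheim/clientssl-special"),
]}


def certs_used_by_profile(profile):
    """Every certificate a client-ssl profile references: the top-level `cert`
    attribute plus each cert-key-chain entry (the jq one-liner checks only `.cert`)."""
    refs = set()
    if profile.get("cert"):
        refs.add(profile["cert"])
    for entry in profile.get("certKeyChain", []):
        if entry.get("cert"):
            refs.add(entry["cert"])
    return refs


def build_report(certs, profiles, virtuals):
    """Return {cert fullPath: {"expires": epoch, "profiles": {profile: [vs, ...]}}}.
    Joins are exact matches on fullPath, so partitions and substring names
    cannot be confused."""
    profiles_by_cert = defaultdict(set)
    for prof in profiles["items"]:
        for cert in certs_used_by_profile(prof):
            profiles_by_cert[cert].add(prof["fullPath"])
    virtuals_by_profile = defaultdict(set)
    for vs in virtuals["items"]:
        for prof in vs.get("profilesReference", {}).get("items", []):
            virtuals_by_profile[prof["fullPath"]].add(vs["fullPath"])
    report = {}
    for cert in certs["items"]:
        path = cert["fullPath"]
        report[path] = {
            "expires": cert.get("expirationDate"),
            "profiles": {p: sorted(virtuals_by_profile.get(p, ()))
                         for p in sorted(profiles_by_cert.get(path, ()))},
        }
    return report


def unreferenced_certs(report):
    """Certificates no client-ssl profile uses: candidates for removal."""
    return sorted(c for c, info in report.items() if not info["profiles"])


def orphaned_profiles(report):
    """Profiles that hold a certificate but are attached to no virtual server."""
    return sorted({p for info in report.values()
                   for p, vss in info["profiles"].items() if not vss})


def expiring_certs(report, now, days=30):
    """Certificates expiring within `days` of the epoch time `now`."""
    deadline = now + days * 86400
    return sorted(c for c, info in report.items()
                  if info["expires"] is not None and info["expires"] <= deadline)


def format_report(report):
    """Same layout as the one-liners' output, one line per object."""
    lines = []
    for cert, info in report.items():
        lines.append(f"===== cert: {cert} =====")
        for prof, vss in info["profiles"].items():
            lines.append(f"----- profile: {prof} -----")
            lines.extend(f"virtual: {vs}" for vs in vss)
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        certs, profiles, virtuals = (json.load(open(p)) for p in sys.argv[1:])
    else:
        certs, profiles, virtuals = SSL_CERTS, CLIENT_SSL, VIRTUALS
    rep = build_report(certs, profiles, virtuals)
    print(format_report(rep))
    print("unreferenced:", unreferenced_certs(rep))
    print("profiles with no virtual server:", orphaned_profiles(rep))
```

Save each collection once (for example `curl -sk -u admin https://localhost/mgmt/tm/sys/file/ssl-cert > certs.json`, which prompts for the password instead of putting it on the command line) and run the script over the three files; with eleven boxes that is three fetches per box rather than a REST call per certificate. Like the one-liners, it only follows client-ssl profiles: anything else that can hold a certificate (a server-ssl profile, for instance) has to be checked separately before a certificate is deleted.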