Forum Discussion

6 Replies

  • tmsh list sys file ssl-cert all

    The above command will display all the SSL certs installed on your system, with all their details.

    If you are looking for only the expiration dates, try the command below.

    tmsh list sys file ssl-cert expiration-string

    Hope this helps.

    -Jinshu

  • a_rosier_147081
    Historic F5 Account

    You will need to write a script that extracts the cert names (hint: use grep), and then runs the appropriate openssl command (maybe again in combination with grep) to extract the expiry date. As far as I am aware there will be no easy way to do it in TMSH. But it may be worth checking out the contextual help (? or Tab completion) to see if the option is there. Personally I doubt it is there.

  • Kevin_K_51432
    Historic F5 Account

    One other possibility. I created 29-, 30- and 31-day valid SSL certificates. It seems this command reports SSL certs that have 30 days to expiration:

    tmsh run /sys crypto check-cert
    CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test2.crt will expire on Dec  6 22:05:11 2016 GMT
    CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test3.crt will expire on Dec  8 22:07:47 2016 GMT
    
  • Would you be able to use the command:

    run /sys crypto check-cert
    

    but add a few greps? Something like | grep 'will expire'? I tried that and it didn't work for me.

    Any thoughts ?

  • run sys crypto check-cert verbose enabled

    list sys crypto cert all

    list sys file ssl-cert all-properties


    Device Service Clustering (DSC): The BIG-IP system uses SSL certificates to establish a trust relationship between devices. In a device trust, a BIG-IP device can act as a certificate signing authority or a subordinate non-authority.

    /config/ssl/ssl.crt/dtdi.crt
    Configuration utility: Device Management > Device Trust > Identity
    The dtdi.crt is the identity certificate that is used by a device to validate its identity with another device.

    /config/ssl/ssl.crt/dtca.crt
    Configuration utility: Device Management > Device Trust > Local Domain
    The dtca.crt is the CA root certificate for the trust network.


    Configuration utility: Device certificates: The BIG-IP system uses the device certificates for HTTPS connections to the Configuration utility and device-to-device communication processes.

    /config/httpd/conf/ssl.crt/server.crt
    BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Certificate
    BIG-IP versions prior to 13.0.0: System > Device Certificates > Device Certificate
    The server.crt is a certificate used for HTTPS connections to the Configuration utility and device-to-device communication processes.


    Trusted device certificates: The local BIG-IP device uses trusted device certificates to authenticate certain connections from a remote BIG-IP device. For example, the big3d agent of the local BIG-IP DNS or BIG-IP LTM system uses the trusted device certificate obtained from a remote F5 device to authenticate the remote device's gtmd or iqdump requests.

    /config/big3d/client.crt
    BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Trust Certificates
    BIG-IP versions prior to 13.0.0: System > Device Certificates > Trusted Device Certificates
    The local BIG-IP device uses the trusted device certificates to authenticate certain connections from a remote BIG-IP device.


    Trusted server certificates: The BIG-IP GTM system uses trusted server certificates when the local BIG-IP DNS system authenticates itself to a remote F5 device. For example, the local BIG-IP DNS system uses the trusted server certificate when the BIG-IP DNS system's gtmd process or iqdump program attempts to connect to the big3d process on a remote F5 device.

    /config/gtm/server.crt
    BIG-IP 11.5.0 and later: DNS > GSLB > Servers > Trusted Server Certificates
    BIG-IP versions prior to 11.5.0: Global Traffic > Servers
    The trusted server certificates are used when the local GTM system authenticates itself to a remote F5 device.


    Client SSL profile:

    https://devcentral.f5.com/s/question/0D51T00006i7kIi/identify-which-virtual-servers-are-using-a-specific-ssl-certificate

    certificate: /config/filestore/files_d/<partition>_d/certificate_d/ (for the Common partition: /config/filestore/files_d/Common_d/certificate_d/)