Forum Discussion

gdoyle
Apr 30, 2018

Health Monitor for an expired SSL Certificate?

Is it possible to monitor pool members (or, I suppose, a VIP) for an expired SSL Certificate?

Thanks.


2 Replies

  • Can you clarify your question?

    Are you asking, if one creates an https monitor with cert and key values using some expired cert, what the state of the pool members will be? Will they be marked up or down?

    The cert and key values in the https monitor will have no effect. They only have an effect when the backend server actually requires client authentication; in this case the LTM would be the client.

    So it totally depends on what your server requires.

  • I find the Nagios check_http plugin to be the easiest and most reliable way of doing it. You can grovel through the output of openssl s_client also but the output from each cert and each version of openssl may be just a little bit different. You also get advance notice of certificate expiration; presumably you might find it helpful in advance so you can renew before it expires.

    Like jaikumar said, the F5 http monitor can't do this by itself. You could fashion a test cgi page in your http server to return an HTTP status based on the certificate validity, but that's overthinking it, and it would be too much work for me. AFAIK the F5 ignores the validity of the SSL cert on the inside, as long as it exists.
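The following script is an added example for this thread, not code from gdoyle or either of the repliers. It implements the approach the second reply describes (query the member with `openssl s_client`, then judge the certificate) without parsing `s_client`'s free-text output: it pipes the presented certificate into `openssl x509 -checkend`, whose exit code is stable across OpenSSL versions, and it reports OK / WARNING / EXPIRED so you get advance notice before the certificate actually lapses. It is shaped to run as an F5 external monitor (the member is marked UP when the script writes anything to stdout and DOWN when it writes nothing; the IPv4 address arrives as `::ffff:a.b.c.d`). The hostname `pool-member.example` and the 30-day warning threshold are assumed values, and the self-signed certificate generated by `make_test_cert` is constructed test input only.

```shell
#!/bin/sh
# Added example (not from the thread): certificate-expiry check built on
# `openssl x509 -checkend` rather than grovelling through s_client output.
# Host, port and the 30-day default below are assumptions.

# Exit 0 if the certificate in PEM file $1 expires within $2 days, 1 otherwise.
# Note `-checkend` itself exits 0 when the cert will NOT expire in that window,
# hence the negation.
cert_expires_within() {
    pem=$1; days=$2
    ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print a Nagios-style state (OK / WARNING / EXPIRED / INVALID) for PEM file $1,
# warning when fewer than $2 days remain. The return code mirrors the state.
cert_status() {
    pem=$1; warn_days=$2
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo INVALID; return 3          # not a parseable certificate
    fi
    if cert_expires_within "$pem" 0; then
        echo EXPIRED; return 2          # notAfter is already in the past
    fi
    if cert_expires_within "$pem" "$warn_days"; then
        echo WARNING; return 1          # inside the renewal window
    fi
    echo OK; return 0
}

# Fetch the leaf certificate a TLS server presents and evaluate it.
# $1 host (an F5 external monitor passes IPv4 as ::ffff:a.b.c.d; that prefix is
# stripped), $2 port, $3 warning threshold in days (default 30, assumed).
remote_cert_status() {
    host=${1#::ffff:}; port=$2; warn_days=${3:-30}
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp" 2>/dev/null
    state=$(cert_status "$tmp" "$warn_days"); rc=$?
    rm -f "$tmp"
    echo "$state"
    return $rc
}

# External-monitor entry point: print "up" only when the certificate is valid
# and outside the warning window; printing nothing marks the member DOWN.
monitor_member() {
    if [ "$(remote_cert_status "$1" "$2" "$3")" = "OK" ]; then
        echo up
    fi
}

# Constructed test input: a self-signed certificate valid for $2 days, written
# to directory $1 as key.pem / cert.pem (hypothetical CN).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=pool-member.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# When invoked as `sh check_cert.sh <host> <port> [days]`, act as the monitor.
if [ "$#" -ge 2 ]; then
    monitor_member "$1" "$2" "${3:-30}"
fi
```

Install it as an external monitor with the warning threshold as the third argument and attach the monitor to the pool: a member whose certificate is expired, or will expire inside the window, is marked down before users see browser errors, and `cert_status` can equally drive a cron job that just logs WARNING lines for renewal tracking.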