Non-Diagnostic
Topic
This article applies to BIG-IP 11.x - 13.x. For information about other versions, refer to the following article:
K7574: Monitoring SSL certificate expiration on the BIG-IP system (9.x - 10.x)
Purpose
You should consider using this procedure under the following condition:
Prerequisites
You must meet one of the following prerequisites to use this procedure:
Description
Client SSL profiles use SSL certificates to authenticate secure websites and to encrypt the data being
transferred between the BIG-IP system and remote clients. SSL certificates are typically signed by a trusted
Certificate Authority (CA) and are valid for a specified length of time. When SSL certificates expire, web
browsers issue a certificate expiration warning and discourage remote clients from accessing the secure
website. To avoid this, you should ensure that your trusted-CA-signed SSL certificates are renewed prior to
the expiration date. For more information on renewing SSL certificates, refer to the Working with existing
SSL certificates/keys section in one of the following articles:
K14620: Managing SSL certificates for BIG-IP systems using the Configuration utility
K15462: Managing SSL certificates for BIG-IP systems using the tmsh utility
To configure the BIG-IP system to send alert emails in advance of SSL certificate expiration, refer to
K15288: Sending an advance email alert for impending SSL certificate expiration.
You can use the following procedures to manually monitor for expired or expiring SSL certificates, or to list
the expiration dates for all SSL certificates using either the tmsh utility or the Configuration utility.
Procedures
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
13.0.0
11.0.0 through 12.1.2
The tmsh check-cert command examines the expiration date of each certificate stored on the BIG-IP
system, including CA bundles. By default, the check-cert command checks for SSL certificates that have
expired or will expire within 30 days. Expiration information is printed to the screen and logged to the
/var/log/ltm file. Additionally, the check-cert command is automated to run on a weekly schedule, called from
/etc/cron.weekly/5checkcert. To manually run the tmsh check-cert command using tmsh, perform the following
procedure.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
tmsh
2. To check the expiration status of the SSL certificates in the /Common partition, type the following
command:
The following output indicates that the site1.crt SSL certificate in the /Common partition will expire on
the specified date and that site2.crt expired on 01/31/2014:
CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site2.crt expired on Jan 31 16:00:02 2014 GMT
3. To check the expiration status of all SSL certificates in all partitions, type the following command:
The following output indicates that the test4.org SSL certificate in the /Common partition and the
test5.org SSL certificate in the /tester partition will expire on the specified date.
The tmsh check-cert command can also list the expiration dates of SSL certificates regardless of impending
or past expiration. To list the expiration dates of all SSL certificates, perform the following procedure.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
Note: A large amount of information can be displayed, because expiration information for the SSL certificates
stored in bundle files is displayed as well. Consider redirecting the output to a file (> filename) or paging it (| less).
The following partial output lists the expiration dates and certificate file names for the SSL certificates
stored in the /Common partition:
3. To view the expiration dates of all SSL certificates in all partitions, type the following command:
The following partial output lists the expiration dates and file names for the SSL certificates stored in
the /Common and the /tester partitions:
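The check-cert output shown in the procedures above (and the copy written to /var/log/ltm) is plain text, so it is easy to turn into a renewal worklist. The following Python script is an added example and is not part of this article or of F5's own tooling: it parses lines in the "<subject> in file <path> will expire on/expired on <date> GMT" format assumed from the sample output above and classifies each certificate as expired, expiring within the article's default 30-day window, or ok. The sample lines, the /tester/test5.crt path and the fixed reference date are constructed for the example.

```python
"""Classify certificates from 'tmsh check-cert' style output.

Added example, not part of the F5 article. Line format assumed from the
article's sample output:
  <subject> in file <path> will expire on <Mon DD HH:MM:SS YYYY> GMT
  <subject> in file <path> expired on <Mon DD HH:MM:SS YYYY> GMT
"""
import re
from datetime import datetime, timedelta, timezone

# Matches both the "will expire on" and "expired on" forms; \s+ tolerates the
# double space ctime-style dates use for single-digit days ("Jan  5").
LINE_RE = re.compile(
    r"^(?P<subject>.+?) in file (?P<path>\S+) "
    r"(?P<verb>will expire|expired) on "
    r"(?P<when>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT$"
)

# Constructed sample lines modelled on the article's output (not real output).
SAMPLE_OUTPUT = """\
CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site2.crt expired on Jan 31 16:00:02 2014 GMT
CN=test5.org,O=Example,C=US in file /tester/test5.crt will expire on Aug 15 09:00:00 2014 GMT
"""

# Constructed reference time so the example is deterministic; in practice use
# datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2014, 5, 10, 0, 0, 0, tzinfo=timezone.utc)

# Default warning window, matching the 30 days check-cert uses by default.
DEFAULT_WARN_DAYS = 30


def parse_line(line):
    """Return a dict for a check-cert line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse any double spaces before parsing the ctime-style date.
    when_text = " ".join(m.group("when").split())
    not_after = datetime.strptime(when_text, "%b %d %H:%M:%S %Y").replace(
        tzinfo=timezone.utc
    )
    return {"subject": m.group("subject"), "path": m.group("path"),
            "not_after": not_after}


def classify(not_after, now, warn_days=DEFAULT_WARN_DAYS):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def report(text, now, warn_days=DEFAULT_WARN_DAYS):
    """Parse every matching line and attach days_left and status."""
    results = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip headers, bundle noise, unrelated log lines
        entry["days_left"] = (entry["not_after"] - now).days
        entry["status"] = classify(entry["not_after"], now, warn_days)
        results.append(entry)
    return results


def summarize(results):
    """Group certificate paths by status, for a quick renewal worklist."""
    groups = {"expired": [], "expiring": [], "ok": []}
    for entry in results:
        groups[entry["status"]].append(entry["path"])
    return groups


def demo():
    """Run the report over the constructed sample at the reference time."""
    return report(SAMPLE_OUTPUT, REFERENCE_NOW)


if __name__ == "__main__":
    for entry in demo():
        print(f"{entry['status']:9} {entry['days_left']:5d} days  {entry['path']}")
    print(summarize(demo()))
```

Feed it the saved output of the check-cert command (or grep the relevant lines out of /var/log/ltm) and replace REFERENCE_NOW with the current UTC time; the "expiring" group is the set to renew before browsers start warning users.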
Supplemental Information
K15288: Sending an advance email alert for impending SSL certificate expiration
K13349: Verifying SSL certificate and key pairs from the command line (11.x - 13.x)
K4146: Creating a self-signed certificate that expires in a different value than the default value (9.x)