Forum Discussion

2 Replies

  • Hi,

    A search on AskF5 for certificate expiration leads to:

    SOL7574: Monitoring SSL certificate expiration on the BIG-IP system

    https://support.f5.com/kb/en-us/solutions/public/7000/500/sol7574.html

     checkcert -h

     Usage: checkcert

     In its main form (no arguments), checkcert examines all certificates
     /config/ssl/ssl.crt and will log any expired ones to local0.warning

     Usage: checkcert [-v]|[-[s|o|e]] [-k num] [-d directory] [-f file]
     -v Verbose mode (forces -o)
     -k Skip bundles with more than certs (default=20)
     -f file Check
     -d dir Check all files in /ssl.crt

     Only one of these options may be specified:
     -s log to syslog LOCAL0.WARNING (default)
     -o log to stdout
     -e log to stderr

    Aaron
  • You can also use custom SNMP traps to do this, since there is a message you can capture from /var/log/ltm warning about cert expiration.

    The procedure is explained in SOL3727:

    https://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html

    My entry in the user_alert.conf file looks like this:

     
     alert EXPIRING_SSL_CERT "Certificate (.*) in file (.*) will expire on (.*)" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.500" } 
     

    The OID is "made up" according to the SOL.

    Denny
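
A way to check which log lines the alert pattern in the reply above would actually match before relying on the trap, as an added example that is not part of the original posts or F5's code. The sample log lines are constructed; their syslog prefix, the date layout and the "expired on" wording are assumptions.

```python
import re
from datetime import datetime, timezone

# Pattern copied from the user_alert.conf entry in the post above.
ALERT_RE = re.compile(r"Certificate (.*) in file (.*) will expire on (.*)")

# Constructed sample lines; the syslog prefix, quoting, date layout and the
# "expired on" wording are assumptions, not captured BIG-IP output.
SAMPLE_LOG = """\
Mar  1 04:02:01 bigip1 warning checkcert: Certificate 'www.example.test' in file /config/ssl/ssl.crt/www.example.test.crt will expire on Mar 20 12:00:00 2030 GMT
Mar  1 04:02:01 bigip1 warning checkcert: Certificate 'old.example.test' in file /config/ssl/ssl.crt/old.example.test.crt expired on Jan  5 12:00:00 2030 GMT
Mar  1 04:02:05 bigip1 notice mcpd[1234]: unrelated message
"""

def parse_expiry(text):
    """Parse the assumed 'Mon DD HH:MM:SS YYYY GMT' date; None if it differs."""
    try:
        parsed = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT")
    except ValueError:
        return None
    return parsed.replace(tzinfo=timezone.utc)

def scan(log_text, now):
    """Return (hits, misses): lines the alert pattern matches, and other
    certificate lines it would silently skip."""
    hits, misses = [], []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            cert, path, when = m.groups()
            expiry = parse_expiry(when)
            days = (expiry - now).days if expiry else None
            hits.append({"cert": cert.strip("'"), "file": path, "days_left": days})
        elif "Certificate" in line:
            misses.append(line)
    return hits, misses

if __name__ == "__main__":
    now = datetime(2030, 3, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run
    hits, misses = scan(SAMPLE_LOG, now)
    for h in hits:
        print("trap would fire:", h)
    for line in misses:
        print("no trap for:", line)
```

If the device logs a differently worded message for certificates that are already expired, the pattern as written will not raise a trap for them; a second alert entry or a broader pattern would be needed to cover that case.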