Forum Discussion

1 Reply

  • You may have this already, but this command will check the cert expiry:

    run /sys crypto check-cert

    I'm not aware of any tools to find unused certs; you may need to develop one to suit your needs. The quick script below may be of use: it'll grab all the SSL profiles used on VSs, then check what certs are used in those profiles. Then it grabs all the certs on the box and compares that against the used certs. There should be 3 files generated: allcerts, usedcerts and unusedcerts. Note this only checks for usage via VS profiles; I'm not sure about other places they could be used, e.g. profiles applied dynamically via iRules or APM usage. You could add keys if you wanted.

    cheers

    #!/bin/bash
    
    # Start from a clean list of in-use certs.
    [ -f usedcerts ] && rm usedcerts
    
    # Collect the client-ssl and server-ssl profile names attached to any virtual
    # server (column 4 of "show ltm virtual recursive profiles"), de-duplicated.
    CLIENTSSL=$(tmsh -q -c "cd /;show ltm virtual recursive profiles" \
               | grep -i 'ClientSSL' | awk '!a[$4]++ {print $4}')
    SERVERSSL=$(tmsh -q -c "cd /;show ltm virtual recursive profiles" \
               | grep -i 'ServerSSL' | awk '!a[$4]++ {print $4}')
    
    # For each profile, record its cert and chain (skipping "none") in usedcerts.
    for x in ${CLIENTSSL}
        do
            tmsh -q -c "cd /;list ltm profile client-ssl $x cert chain" \
             | awk '/cert | chain / && !/none/ {print "/"$2 >> "usedcerts"}'
        done
    
    for x in ${SERVERSSL}
        do
            tmsh -q -c "cd /;list ltm profile server-ssl $x cert chain" \
             | awk '/cert | chain / && !/none/ {print "/"$2 >> "usedcerts"}'
        done
    
    [ -f usedcerts ] || { echo "No certs used"; exit; }
    
    # Every cert object on the box, full path, one per line.
    tmsh -q -c "cd /;list sys crypto recursive cert" | grep '^sys' | awk '{print $4 > "allcerts"}'
    
    # Anything in allcerts that is not referenced by a profile.
    grep -Fvf usedcerts allcerts > unusedcerts
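A small offline check of the comparison step, added here as an example and not part of the reply above: it runs constructed `usedcerts`/`allcerts` lists through the same set difference, but with `grep -Fxvf` (whole-line matching) rather than `grep -Fvf`. With substring matching, a used cert such as `/Common/app.crt` also hides `/Common/app.crt.old`, so that cert would silently be left out of `unusedcerts`. The sample cert names are made up; they do not come from the post.

```shell
#!/bin/bash
# Added example, not from the forum reply: exercises the "used vs all" set
# difference offline with constructed cert lists, using whole-line matching.

# Constructed sample data standing in for what tmsh would have written.
USED_SAMPLE='/Common/default.crt
/Common/app.crt
/Common/ca-bundle.crt'

ALL_SAMPLE='/Common/default.crt
/Common/app.crt
/Common/app.crt.old
/Common/ca-bundle.crt
/Common/legacy-2019.crt'

# unused_certs USEDFILE ALLFILE
# Prints every line of ALLFILE that does not appear, as a whole line, in USEDFILE.
# -F literal strings, -x whole-line match, -v invert, -f patterns from file.
# Blank lines are stripped from the pattern file first: an empty -F pattern
# matches every line and would empty the result.
unused_certs() {
    local used=$1 all=$2 patterns
    patterns=$(mktemp)
    grep -v '^[[:space:]]*$' "$used" > "$patterns" || true
    if [ ! -s "$patterns" ]; then
        cat "$all"                     # nothing in use: everything is unused
    else
        grep -Fxvf "$patterns" "$all" || true
    fi
    rm -f "$patterns"
}

# substring_unused USEDFILE ALLFILE: the original grep -Fvf form, for comparison.
substring_unused() {
    grep -Fvf "$1" "$2" || true
}

# with_sample_files FUNC: writes the constructed lists to temp files, runs
# FUNC on them and prints FUNC's result.
with_sample_files() {
    local used all out
    used=$(mktemp); all=$(mktemp)
    printf '%s\n' "$USED_SAMPLE" > "$used"
    printf '%s\n' "$ALL_SAMPLE" > "$all"
    out=$("$1" "$used" "$all")
    rm -f "$used" "$all"
    printf '%s\n' "$out"
}

demo_exact()     { with_sample_files unused_certs; }
demo_substring() { with_sample_files substring_unused; }

# Exact matching reports both app.crt.old and legacy-2019.crt as unused;
# the substring form drops app.crt.old because it contains "/Common/app.crt".
echo "exact:";     demo_exact
echo "substring:"; demo_substring
```

On a real box the two functions would be pointed at the `usedcerts` and `allcerts` files the script above produces; the `-x` flag is the only change needed there.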