
K14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x - 13.x)

Non-Diagnostic

Original Publication Date: Mar 28, 2013

Update Date: Feb 5, 2018

Topic

This article applies to BIG-IP 11.x - 13.x. For information about other versions, refer to the following article:

K7574: Monitoring SSL certificate expiration on the BIG-IP system (9.x - 10.x)

Purpose

You should consider using this procedure under the following condition:

You need to monitor Secure Sockets Layer (SSL) certificate expiration.

Prerequisites

You must meet one of the following prerequisites to use this procedure:

You must have access to the TMOS Shell (tmsh).


You must have access to the Configuration utility.

Description

Client SSL profiles use SSL certificates to authenticate secure websites and to encrypt the data being
transferred between the BIG-IP system and remote clients. SSL certificates are typically signed by a trusted
Certificate Authority (CA) and are valid for a specified length of time. When SSL certificates expire, web
browsers issue a certificate expiration warning and discourage remote clients from accessing the secure
website. To avoid this, you should ensure that your trusted CA-signed SSL certificates are renewed prior to
the expiration date. For more information on renewing SSL certificates, refer to the Working with existing
SSL certificates/keys section in one of the following articles:

K14620: Managing SSL certificates for BIG-IP systems using the Configuration utility
K15462: Managing SSL certificates for BIG-IP systems using the tmsh utility

To configure the BIG-IP system to send alert emails in advance of SSL certificate expiration, refer to
K15288: Sending an advance email alert for impending SSL certificate expiration.

You can use the following procedures to manually monitor for expired or expiring SSL certificates, or to list
the expiration dates for all SSL certificates using either the tmsh utility or the Configuration utility.

Monitoring the expiration of SSL certificates using the Configuration utility


Monitoring the expiration of SSL certificates using tmsh
Viewing the expiration dates of all SSL certificates using tmsh

Procedures

Monitoring the expiration of SSL certificates using the Configuration utility

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

13.0.0

1. Log in to the Configuration utility.


2. Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List.
3. Optional: If your SSL certificates reside in partitions other than the Common partition, select the
partition name from the Partition box.
4. Under Expiration, look for the following SSL certificate expiration indicators: Red exclamation
icons indicate expired certificates, yellow exclamation icons indicate expiration within 30 days.

11.0.0 through 12.1.2

1. Log in to the Configuration utility.


2. Navigate to System > File Management > SSL Certificate List.
3. Optional: If your SSL certificates reside in partitions other than the Common partition, select the
partition name from the Partition box.
4. Under Expiration, look for the following SSL certificate expiration indicators: Red exclamation
icons indicate expired certificates, yellow exclamation icons indicate expiration within 30 days.

Monitoring the expiration of SSL certificates using tmsh

The tmsh check-cert command examines the expiration date of each certificate stored on the BIG-IP
system, including CA bundles. By default, the check-cert command checks for SSL certificates that have
expired or will expire within 30 days. Expiration information is printed to the screen and logged to the
/var/log/ltm file. Additionally, the check-cert command is automated to run on a weekly schedule, called from
/etc/cron.weekly/5checkcert. To manually run the tmsh check-cert command using tmsh, perform the following
procedure.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to tmsh by typing the following command:

tmsh

2. To check the expiration status of the SSL certificates in the /Common partition, type the following
command:

run /sys crypto check-cert

The following output indicates that the site1.crt SSL certificate in the /Common partition will expire on
the specified date and site2.crt expired on 01/31/2014.

CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site2.crt expired on Jan 31 16:00:02 2014 GMT

3. To check the expiration status of all SSL certificates in all partitions, type the following command:

cd /; run /sys crypto check-cert

The following output indicates that the test4.org SSL certificate in the /Common partition and the
test5.org SSL certificate in the /tester partition will expire on the specified date.

CN=test.org,C=US in file /Common/test4.org.crt will expire on Oct 5 21:08:42 2013 GMT


CN=test.org,C=US in file /tester/test5.org.crt will expire on Oct 5 21:09:08 2013 GMT

Viewing the expiration dates of all SSL certificates using tmsh

The tmsh check-cert command can also list the expiration dates of SSL certificates regardless of impending
or past expiration. To list the expiration dates of all SSL certificates, perform the following procedure.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the Advanced Shell (bash).


2. To view the expiration dates for all of the SSL certificates, including CA bundles, in the /Common
partition, type the following command:

tmsh run /sys crypto check-cert verbose enabled

Note: A large amount of information can be displayed, because expiration information for SSL certificates
stored in bundle files is displayed as well. Consider redirecting the output to either > filename or | less.

The following partial output lists the expiration dates and certificate file names for the SSL certificates
stored in the /Common partition:

Aug 22 16:41:51 2018 GMT | OU=Equifax Secure Certificate Authority,O=Equifax,C=US | /Common/ca-bundle.crt: OK
Dec 10 18:40:23 2018 GMT | OU=DSTCA E1,O=Digital Signature Trust Co.,C=US | /Common/ca-bundle.crt: OK
Dec 9 19:47:26 2018 GMT | OU=DSTCA E2,O=Digital Signature Trust Co.,C=US | /Common/ca-bundle.crt: OK
Aug 1 23:59:59 2028 GMT | OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US | /Common/ca-bundle.crt: OK
Jan 28 12:00:00 2028 GMT | CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE | /Common/ca-bundle.crt: OK
Dec 15 08:00:00 2021 GMT | CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 | /Common/ca-bundle.crt: OK

3. To view the expiration dates of all SSL certificates in all partitions, type the following command:

tmsh -c 'cd /; run /sys crypto check-cert verbose enabled'

The following partial output lists the expiration dates and file names for the SSL certificates stored in
the /Common and the /tester partitions:

Aug 22 16:41:51 2018 GMT | OU=Equifax Secure Certificate Authority,O=Equifax,C=US | /Common/ca-bundle.crt: OK
Dec 10 18:40:23 2018 GMT | OU=DSTCA E1,O=Digital Signature Trust Co.,C=US | /Common/ca-bundle.crt: OK
Dec 9 19:47:26 2018 GMT | OU=DSTCA E2,O=Digital Signature Trust Co.,C=US | /Common/ca-bundle.crt: OK
Aug 1 23:59:59 2028 GMT | OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US | /Common/ca-bundle.crt: OK
Jan 28 12:00:00 2028 GMT | CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE | /Tester/ca-bundle2.crt: OK
Dec 15 08:00:00 2021 GMT | CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2 | /Tester/ca-bundle2.crt: OK
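
The verbose listing can be saved to a file and sorted by a renewal window other than the default 30 days. The following Python script is an added example, not part of the original article or of F5's tooling; the function names, the 90-day window, and the sample lines are assumptions, and it assumes one record per line in the date | subject | file: status layout shown above.

```python
"""Added example: classify `check-cert verbose enabled` lines by a custom window."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the verbose layout shown above (date | subject | file: status).
SAMPLE = """\
Aug 22 16:41:51 2018 GMT | OU=Equifax Secure Certificate Authority,O=Equifax,C=US | /Common/ca-bundle.crt: OK
Dec  9 19:47:26 2018 GMT | OU=DSTCA E2,O=Digital Signature Trust Co.,C=US | /Common/ca-bundle.crt: OK
Aug 1 23:59:59 2028 GMT | OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US | /Common/ca-bundle.crt: OK
this line is not check-cert output
"""


def parse_line(line):
    """Return (expiry, subject, path), or None if the line is not a verbose record."""
    parts = line.strip().split(" | ")
    if len(parts) < 3:
        return None
    date_text, file_part = parts[0], parts[-1]
    subject = " | ".join(parts[1:-1])        # keep a subject that itself contains " | "
    path = file_part.rsplit(": ", 1)[0]      # drop the trailing status field
    try:
        expiry = datetime.strptime(date_text, "%b %d %H:%M:%S %Y GMT")
    except ValueError:
        return None
    return expiry.replace(tzinfo=timezone.utc), subject, path


def classify(text, now, warn_days=90):
    """Group certificates into expired / expiring (within warn_days) / ok."""
    report = {"expired": [], "expiring": [], "ok": []}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                          # skip banners, blanks, wrapped fragments
        expiry, subject, path = parsed
        if expiry <= now:
            bucket = "expired"
        elif expiry - now <= timedelta(days=warn_days):
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].append((path, subject, expiry))
    return report


if __name__ == "__main__":
    fixed_now = datetime(2018, 10, 1, tzinfo=timezone.utc)  # fixed so the run is repeatable
    for bucket, certs in classify(SAMPLE, fixed_now).items():
        for path, subject, expiry in certs:
            print(f"{bucket:9} {expiry:%Y-%m-%d} {path} {subject}")
```

In regular use, pass datetime.now(timezone.utc) as now and feed the function the saved output of the all-partitions command from step 3.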

Supplemental Information

K15288: Sending an advance email alert for impending SSL certificate expiration
K13349: Verifying SSL certificate and key pairs from the command line (11.x - 13.x)
K4146: Creating a self-signed certificate that expires in a different value than the default value (9.x)
