Do you know when the SSL certificate expires on your F5 Load balancers?
Every single deployment of LTM® we've encountered has SSL termination included in it. Think about it: it makes sense, since SSL offload is one of the strongest advantages of the F5 hardware.
However, every single deployment we've encountered also had SSL certificates configured that had already expired or were expiring within the next three months. Apparently, staying on top of your SSL certs isn't as straightforward as you'd want it to be.
So we thought we'd put in the effort to summarize, in a short post, how one gets notified ahead of time when SSL certificates expire on an F5 BIG-IP DNS LTM:
- Buy Enterprise Manager: it has a built-in feature for doing this.
- Get BIG-IQ: it can be done there, too.
- Write a script: read DevCentral and SOL15288.
- Run indeni: you can get a limited license free and easily by going here. Within 45 minutes you can know which SSL certs need a refresh, as well as hundreds of other possible issues lurking in your F5 configuration. You can even run it every 6 months or so to make sure you're in top shape.
For your information, this is what the alert looks like in indeni:
Some SSL certificates are about to expire or have expired.
Certificates expired or about to expire:
www.yoursite.com expires on November 30, 2016
Manual Remediation Steps:
Replace the SSL certificates with new ones.
For more information on how to manage certificates, refer to Managing SSL Certificates for Local Traffic in the F5 user guide.
How does this alert work?
indeni retrieves the SSL certificates configured on an F5 BIG-IP DNS device and analyzes them: checking their expiration date, their validity (are they self-signed or signed by an internal CA?), and so on.
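To make the "write a script" option above and the check just described concrete, here is an added example that is not indeni's code and not F5's. It parses the text that `tmsh list sys crypto cert` prints on a BIG-IP, computes the days left on each certificate, flags anything expired or expiring within 90 days (the post's three-month horizon), notes self-signed certificates, and emits an alert in the same shape as the one shown above. The field names in the sample (`expiration`, `issuer`, `subject`) and the date format `"Mon DD HH:MM:SS YYYY GMT"` are assumptions about the device's output; the sample output, the certificate names and the fixed reference clock `REFERENCE_NOW` are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag BIG-IP SSL certificates that have expired or are about to expire.

Added example, not indeni's or F5's code. It reads the text form of
`tmsh list sys crypto cert` (field names and date format are assumed
from v11-style output) and reports anything due within WARN_DAYS.
"""
import re
from datetime import datetime, timezone

WARN_DAYS = 90  # the post's "next three months" horizon

# Constructed sample of tmsh output (names and dates are made up).
SAMPLE_TMSH_OUTPUT = """\
sys crypto cert default.crt {
    expiration "Oct 13 10:26:25 2030 GMT"
    issuer "CN=localhost.localdomain"
    subject "CN=localhost.localdomain"
}
sys crypto cert www.yoursite.com.crt {
    expiration "Nov 30 23:59:59 2016 GMT"
    issuer "CN=Example Issuing CA"
    subject "CN=www.yoursite.com"
}
sys crypto cert internal-app.crt {
    expiration "Sep 15 12:00:00 2016 GMT"
    issuer "CN=internal-app"
    subject "CN=internal-app"
}
"""

# Fixed clock so the example is reproducible (constructed, not the real date).
REFERENCE_NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)

# One block per certificate: "sys crypto cert <name> { ... }" closed by a brace at column 0.
BLOCK_RE = re.compile(r'sys crypto cert (\S+) \{(.*?)\n\}', re.S)
FIELD_RE = re.compile(r'^\s*(expiration|issuer|subject) "([^"]*)"', re.M)


def parse_tmsh_certs(text):
    """Return a list of dicts (name, expiration as aware UTC datetime, issuer, subject)."""
    certs = []
    for name, body in BLOCK_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        # Assumed tmsh date format, e.g. "Nov 30 23:59:59 2016 GMT".
        exp = datetime.strptime(fields["expiration"], "%b %d %H:%M:%S %Y %Z")
        certs.append({
            "name": name,
            "expiration": exp.replace(tzinfo=timezone.utc),
            "issuer": fields.get("issuer", ""),
            "subject": fields.get("subject", ""),
        })
    return certs


def check_expiry(certs, now=None, warn_days=WARN_DAYS):
    """Classify each cert as 'expired', 'expiring' (within warn_days) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for c in certs:
        days_left = (c["expiration"] - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        findings.append({**c, "days_left": days_left, "status": status,
                         # issuer == subject is the usual sign of a self-signed cert
                         "self_signed": c["issuer"] == c["subject"]})
    return findings


def format_alert(findings):
    """Build an alert in the style shown in the post, or None when nothing is due."""
    due = [f for f in findings if f["status"] != "ok"]
    if not due:
        return None
    lines = ["Some SSL certificates are about to expire or have expired.",
             "Certificates expired or about to expire:"]
    for f in due:
        when = f["expiration"].strftime("%B %d, %Y")
        tag = " (self-signed)" if f["self_signed"] else ""
        lines.append(f'{f["name"]} expires on {when}{tag}')
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real device, feed in subprocess.run(["tmsh", "list", "sys", "crypto", "cert"], ...)
    # output instead of the constructed sample, and drop the fixed clock.
    findings = check_expiry(parse_tmsh_certs(SAMPLE_TMSH_OUTPUT), REFERENCE_NOW)
    print(format_alert(findings) or f"All certificates are valid for more than {WARN_DAYS} days.")
```

Run it from cron on a management host (or on the box itself, where `tmsh` is on the path) and route a non-empty alert to whatever paging or ticketing you already use; the `days_left` value lets you add a second, earlier threshold for certificates issued by a slow internal CA.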