Cowboy Denny
Posted August 1, 2022

We have a task that requires doing a bulk update (3000+ certs/keys in a short period of time) and this is what I'm thinking of on how to address this.

To get a list of all Virtual Servers with a client ssl profile attached you can run the following command:

# tmsh -q -c 'cd / ; list ltm virtual recursive profiles' | egrep 'ltm virtual |ssl.'

You should see output similar to the one below:

ltm virtual t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.443.vs {
        Common/serverssl-insecure-compatible {
        t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.5/personetics-cit1.hosangit.corp.443.tcp.app/personetics-cit1.hosangit.corp.443.vs {
        t_10.47.67.5/personetics-cit1.hosangit.corp.443.tcp.app/personetics-cit1.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.6/personetics-cit2.hosangit.corp.443.tcp.app/personetics-cit2.hosangit.corp.443.vs {
        t_10.47.67.6/personetics-cit2.hosangit.corp.443.tcp.app/personetics-cit2.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.7/personetics-cit3.hosangit.corp.443.tcp.app/personetics-cit3.hosangit.corp.443.vs {
        t_10.47.67.7/personetics-cit3.hosangit.corp.443.tcp.app/personetics-cit3.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.8/personetics-dev1.hosangit.corp.443.tcp.app/personetics-dev1.hosangit.corp.443.vs {
        t_10.47.67.8/personetics-dev1.hosangit.corp.443.tcp.app/personetics-dev1.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.9/personetics-dev2.hosangit.corp.443.tcp.app/personetics-dev2.hosangit.corp.443.vs {
        t_10.47.67.9/personetics-dev2.hosangit.corp.443.tcp.app/personetics-dev2.hosangit.corp.c.ssl.pf {
ltm virtual t_10.47.67.10/personetics-dev3.hosangit.corp.443.tcp.app/personetics-dev3.hosangit.corp.443.vs {
        t_10.47.67.10/personetics-dev3.hosangit.corp.443.tcp.app/personetics-dev3.hosangit.corp.c.ssl.pf {

You could also run the show vs list command like this:

# tmsh -q -c 'cd / ; show ltm virtual recursive profiles' | egrep 'Ltm::Virtual Server:| Ltm::ClientSSL Profile:'

And the results would look similar:

Ltm::Virtual Server: t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.5/personetics-cit1.hosangit.corp.443.tcp.app/personetics-cit1.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.5/personetics-cit1.hosangit.corp.443.tcp.app/personetics-cit1.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.6/personetics-cit2.hosangit.corp.443.tcp.app/personetics-cit2.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.6/personetics-cit2.hosangit.corp.443.tcp.app/personetics-cit2.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.7/personetics-cit3.hosangit.corp.443.tcp.app/personetics-cit3.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.7/personetics-cit3.hosangit.corp.443.tcp.app/personetics-cit3.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.8/personetics-dev1.hosangit.corp.443.tcp.app/personetics-dev1.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.8/personetics-dev1.hosangit.corp.443.tcp.app/personetics-dev1.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.9/personetics-dev2.hosangit.corp.443.tcp.app/personetics-dev2.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.9/personetics-dev2.hosangit.corp.443.tcp.app/personetics-dev2.hosangit.corp.c.ssl.pf
Ltm::Virtual Server: t_10.47.67.10/personetics-dev3.hosangit.corp.443.tcp.app/personetics-dev3.hosangit.corp.443.vs | Ltm::ClientSSL Profile: t_10.47.67.10/personetics-dev3.hosangit.corp.443.tcp.app/personetics-dev3.hosangit.corp.c.ssl.pf

There doesn't seem to be an easy way to identify cert/key/chain and expiration as well as common names.

Let's take the first client ssl profile: t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf

tmsh list ltm profile client-ssl /t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf

This is what we get, which includes the cert and key:

ltm profile client-ssl /t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf {
    alert-timeout indefinite
    allow-expired-crl disabled
    app-service none
    authenticate once
    c3d-drop-unknown-ocsp-status drop
    c3d-ocsp none
    ca-file none
    cache-timeout 3600
    cert-key-chain {
        set0 {
            cert lb-cims.hosangit.corp
            key lb-cims.hosangit.corp
        }
    }
    cert-lookup-by-ipaddr-port disabled
    cipher-group none
    ciphers ALL:!TLSv1:!TLSv1_1:!DHE:!SHA:!MD5:!ADH:!EXPORT:!EXP
    client-cert-ca none
    crl-file none
    description none
    hostname-whitelist none
    inherit-ca-certkeychain false
    inherit-certkeychain false
    mode enabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    peer-cert-mode ignore
    renegotiation enabled
    retain-certificate true
    server-name none
    sni-default true
    sni-require false
    ssl-c3d disabled
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
}

Using this example, now that we have the cert/key, let's get some info on them:

# tmsh run /sys crypto check-cert lb-cims.hosangit.corp verbose enabled
Dec 19 16:48:57 2030 GMT | CN=hosang IT Root CA,OU=Certification Authorities,O=hosang IT,C=US | /Common/lb-cims.hosangit.corp: OK
Nov 5 18:43:11 2023 GMT | CN=lb-cims.hosangit.corp,OU=SSL Servers,O=hosang IT,C=US | /Common/lb-cims.hosangit.corp: OK
Nov 19 19:10:43 2030 GMT | CN=hosang IT Issuing CA,OU=Certification Authorities,O=hosang IT,C=US | /Common/lb-cims.hosangit.corp: OK

Or maybe a better output would be:

# tmsh list /sys crypto cert lb-cims.hosangit.corp
sys crypto cert lb-cims.hosangit.corp {
    cert-validation-options none
    cert-validators { { } }
    certificate-key-size 2048
    city
    common-name lb-cims.hosangit.corp
    country US
    email-address
    expiration Nov 5 18:43:11 2023 GMT
    fingerprint SHA256/4F:82:BD:15:95:B5:3A:31:8B:50:1B:67:45:B4:7C:2E:8D:E8:07:8D:A7:54:AC:79:0B:C6:1F:A4:76:9A:BD:D8
    issuer CN=hosang IT Issuing CA,OU=Certification Authorities,O=hosang IT,C=US
    issuer-certificate
    organization hosang IT
    ou SSL Servers
    public-key-type RSA
    state
    subject-alternative-name DNS:cims.hosangit.corp, DNS:lb-cims.hosangit.corp
}

Not sure if you need to or would want to get info about the key (I don't find any value in it), but if you want it you can run:

# tmsh list /sys crypto key lb-cims.hosangit.corp
sys crypto key lb-cims.hosangit.corp {
    key-size 2048
    key-type rsa-private
    security-type normal
}

You can also run:

find /config/filestore/files_d/*_d/certificate_d -name "*_*" | egrep -v 'bundle|default|irule' | xargs -i openssl x509 -in {} -text -noout -inform pem 2>&-

Or even better yet, if you wanted info by Issuer:

find /config/filestore/files_d/*_d/certificate_d -name "*_*" | egrep -v 'bundle|default|irule' | xargs -i openssl x509 -in {} -text -noout -inform pem 2>&- | awk '/Issuer:/,/Not After :/ {print $0}'

I haven't identified an easy way to identify the ssl client profile, the cert, key and chain attached to it, and what virtual servers utilize the ssl profile.
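The post stops at the point where the three listings (virtual servers with their profiles, client-ssl profiles with their cert-key-chain, and sys crypto cert with its expiration) still have to be joined by hand. The script below is an added example, not code from the post or from F5: it parses tmsh's brace-style output and emits one row per virtual server, client-ssl profile and cert-key-chain entry with the cert's common name, expiry date and a status (OK, EXPIRING within a threshold, EXPIRED, or CERT NOT FOUND). The tmsh output embedded in it is constructed sample text in the shape shown in the post; `parse_tmsh`, `objects`, `cert_report`, `EXPIRATION_FMT` and the `warn_days` threshold are my names. It assumes the listings were taken after `cd /` with `recursive`, restricted to the properties named in the comment (tmsh `list` accepts property names after the object, as the post's `list ltm virtual recursive profiles` does), and that certificates in /Common may be referenced from a profile by bare name.

```python
from datetime import datetime

# Constructed sample output, trimmed to the fields used here, of:
#   tmsh -q -c 'cd / ; list ltm virtual recursive profiles'
#   tmsh -q -c 'cd / ; list ltm profile client-ssl recursive cert-key-chain'
#   tmsh -q -c 'cd / ; list sys crypto cert recursive common-name expiration'
VIRTUALS = """\
ltm virtual t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.443.vs {
    profiles {
        Common/serverssl-insecure-compatible {
            context serverside
        }
        Common/tcp { }
        t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf {
            context clientside
        }
    }
}
ltm virtual t_10.47.67.5/personetics-cit1.hosangit.corp.443.tcp.app/personetics-cit1.hosangit.corp.443.vs {
    profiles {
        Common/tcp { }
        Common/legacy-wildcard.c.ssl.pf {
            context clientside
        }
    }
}
"""
PROFILES = """\
ltm profile client-ssl Common/legacy-wildcard.c.ssl.pf {
    cert-key-chain {
        set0 {
            cert legacy-wildcard.hosangit.corp
            key legacy-wildcard.hosangit.corp
        }
    }
}
ltm profile client-ssl t_10.47.67.4/cims.hosangit.corp.443.tcp.app/cims.hosangit.corp.c.ssl.pf {
    cert-key-chain {
        set0 {
            cert lb-cims.hosangit.corp
            key lb-cims.hosangit.corp
        }
    }
}
"""
CERTS = """\
sys crypto cert Common/lb-cims.hosangit.corp {
    common-name lb-cims.hosangit.corp
    expiration Nov 5 18:43:11 2023 GMT
}
sys crypto cert Common/legacy-wildcard.hosangit.corp {
    common-name *.hosangit.corp
    expiration Jan 2 00:00:00 2023 GMT
}
"""
EXPIRATION_FMT = "%b %d %H:%M:%S %Y GMT"  # layout of the tmsh 'expiration' field

def parse_tmsh(text):
    """Parse tmsh brace-style output into nested dicts; leaf values stay strings."""
    stack = [{}]
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):                  # empty block, e.g. "Common/tcp { }"
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):                    # block start: "name {"
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:                                       # leaf: "key value ..."
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return stack[0]

def objects(tree, kind):
    """{name: body} for every top-level object of one kind, e.g. 'ltm virtual'."""
    return {k[len(kind) + 1:].lstrip("/"): v for k, v in tree.items() if k.startswith(kind + " ")}

def cert_report(virtual_text, profile_text, cert_text, now, warn_days=30):
    """One row per (virtual server, client-ssl profile, cert-key-chain entry)."""
    virtuals = objects(parse_tmsh(virtual_text), "ltm virtual")
    clientssl = objects(parse_tmsh(profile_text), "ltm profile client-ssl")
    certs = objects(parse_tmsh(cert_text), "sys crypto cert")
    rows = []
    for vs_name, vs in virtuals.items():
        for prof_name in vs.get("profiles", {}):
            prof = clientssl.get(prof_name.lstrip("/"))
            if prof is None:                        # tcp, server-ssl, ...: not a client-ssl profile
                continue
            for set_name, entry in prof.get("cert-key-chain", {}).items():
                name = entry.get("cert", "").lstrip("/")
                cert = certs.get(name) or certs.get("Common/" + name)  # bare name means /Common
                if cert is None:
                    expires, days_left, status = None, None, "CERT NOT FOUND"
                else:
                    expires = datetime.strptime(cert["expiration"], EXPIRATION_FMT)
                    days_left = (expires - now).days
                    status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
                rows.append({"virtual": vs_name, "profile": prof_name, "set": set_name,
                             "cert": entry.get("cert"), "key": entry.get("key"),
                             "common_name": cert.get("common-name") if cert else None,
                             "expires": expires, "days_left": days_left, "status": status})
    return rows
```

Save the three listings to files, read them in and call `cert_report(...)` with `datetime.utcnow()`; each row carries the virtual server, the profile, the cert and key names and the verdict, which is the join the post says it could not find an easy way to get. Note that the post's first `egrep 'ssl.'` also matches the server-ssl profile (`Common/serverssl-insecure-compatible` appears in that output), which is why the script decides what is a client-ssl profile by membership in the `ltm profile client-ssl` listing rather than by name.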