May 10, 2016

Current real world need is to get information about a certificate that is applied to an LTM. For example, the certificate is crt.2014.any.any.thezah.com

DETAILS ABOUT CERTIFICATE

If it comes back with something, then list the details of the cert by running the following command:

tmsh list sys file ssl-cert /Common/*crt.2014.any.any.thezah.com.crt

WHAT PROFILE(s) THE CERTIFICATE IS A MEMBER OF

Run the following to find the profiles:

tmsh list /ltm profile client-ssl one-line | grep crt.2014.any.any.thezah.com.crt | awk -F" " '{ print $4 }'

WHAT VIRTUAL SERVERS HAVE THE PROFILE(s)

tmsh list /ltm virtual /Development/* one-line | grep ssl.any.any.thezah.com | awk '{print $3,$6}'

Make sure you run the script against each partition to find all relevant information. The following command will tell you all partitions on the LTM:

tmsh -c "cd /;list sys folder"
May 10, 2016 (Moderators)

Thanks for the info. I use these commands a lot.

Quickly show all certificate information:

tmsh list sys file ssl-cert /Common/*

Now show just the certificate names:

tmsh list sys file ssl-cert /Common/* | grep '^sys'

Something I use that I didn't see was looking for certificate information like the serial number. Many times a customer will want to know which certificate has a certain serial number, and the following command works well for me:

tmsh list sys file ssl-cert /Common/* | egrep 'sys|serial-number' | grep -B1 1277369427

Expiration date is also good to know for the certificates:

tmsh list sys file ssl-cert /Common/* | egrep 'sys|expiration-string' | grep -B1 expiration-string
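Added example, not code from either post above: a POSIX shell script that performs the same certificate -> client-ssl profile -> virtual server lookup from the first post, but over constructed `one-line` tmsh output embedded in the script, so it can be checked without an LTM. The profile names, virtual names and addresses in the sample output are made up; on a real box the two variables would be filled from `tmsh list ltm profile client-ssl one-line` and `tmsh list ltm virtual one-line`.

```shell
#!/bin/sh
# Constructed sample of `tmsh list ltm profile client-ssl one-line` output (not real config)
PROFILES_ONE_LINE='ltm profile client-ssl /Common/thezah-clientssl { app-service none cert /Common/crt.2014.any.any.thezah.com.crt key /Common/crt.2014.any.any.thezah.com.key }
ltm profile client-ssl /Common/other-clientssl { app-service none cert /Common/default.crt key /Common/default.key }'

# Constructed sample of `tmsh list ltm virtual one-line` output (not real config)
VIRTUALS_ONE_LINE='ltm virtual /Development/vs_thezah_443 { destination /Development/10.2.16.66:443 ip-protocol tcp profiles { /Common/thezah-clientssl { context clientside } /Common/tcp { } } }
ltm virtual /Development/vs_other_443 { destination /Development/10.2.16.67:443 ip-protocol tcp profiles { /Common/other-clientssl { context clientside } /Common/tcp { } } }
ltm virtual /Development/vs_plain_80 { destination /Development/10.2.16.68:80 ip-protocol tcp profiles { /Common/http { } /Common/tcp { } } }'

# profiles_for_cert CERT: print the names ($4 of each line) of client-ssl profiles
# whose "cert" property equals CERT exactly, instead of a loose grep over the line
profiles_for_cert() {
    printf '%s\n' "$PROFILES_ONE_LINE" | awk -v cert="$1" '
        $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" {
            for (i = 5; i < NF; i++)
                if ($i == "cert" && $(i + 1) == cert) { print $4; break }
        }'
}

# virtuals_for_profile PROFILE: print "virtual destination" ($3 and $6) for every
# virtual whose profile list contains PROFILE as a whole field
virtuals_for_profile() {
    printf '%s\n' "$VIRTUALS_ONE_LINE" | awk -v prof="$1" '
        $1 == "ltm" && $2 == "virtual" {
            for (i = 5; i < NF; i++)
                if ($i == prof) { print $3, $6; break }
        }'
}

# cert_to_virtuals CERT: full chain, one line per "profile virtual destination"
cert_to_virtuals() {
    for p in $(profiles_for_cert "$1"); do
        virtuals_for_profile "$p" | awk -v p="$p" '{ print p, $0 }'
    done
}

cert_to_virtuals /Common/crt.2014.any.any.thezah.com.crt
```

Run it once per partition, as the first post says, since `one-line` output for a partition only lists that partition's objects.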
May 10, 2016

Great thread... just adding some troubleshooting. From the CLI you can use the following after you put the key & cert somewhere you can reach:

openssl s_client -connect : -key -cert

REF: SOL14819
May 10, 2016 (Author)

Here are some steps I use to verify the certificate is working and it's not something else that's broken.

(Use this to see if my client's site is running at least protocol TLSv1.2.)

openssl s_client -connect maintenance-mod.thezah.com:443

I check out the Protocol to make sure it's what I expect to see. You can also run the following:

openssl s_client -host maintenance-mod.thezah.com -port 443

But to actually see what's going on you may want to take a capture of the transaction and then look at it with ssldump. So first create a capture file:

tcpdump -ni 0.0 host 10.2.16.66 -w /var/tmp/maintenance-mod.cap

Now let's look at the handshake:

ssldump -nr /var/tmp/maintenance-mod.cap

Another example of using ssldump:

ssldump -Aed -nr maintenance-mod.cap

ssldump -Aed -nr https12_test_ssldump.cap -k / <.key>/

Example:

ssldump -Aed -nr https12_test_ssldump.cap -k /config/filestore/files_d/Common_d/certificate_key_d/:Common:crt.any.any.int.thezah.com.2048.key_16758_1

To look at the SSL authentication you can use the openssl command:

openssl verify -purpose sslclient -CAfile /path/to/root+chain-file /path/to/cert-file

On my box I would run:

openssl verify -purpose sslclient -CAfile /config/filestore/files_d/Integration_d/certificate_d/:Integration:client.preprod.crm.thezah.com-root.crt_32816_1 /config/filestore/files_d/Integration_d/certificate_d/:Integration:client.preprod.crm.thezah.com-server.crt_32813_1

Generating the private key

You need to create a private key before generating the CSR. You need the openssl tool to create the private key and the CSR. The following command creates a 2048-bit private key that is neither encrypted nor password protected.

openssl genrsa -out privkey.pem 2048 (sha128)

openssl genrsa -out privkey.pem 2048 -sha256 (sha256)

Generating the CSR

openssl req -new -key privkey.pem -out cert.csr

Sample output:

Country Name (2 letter code) (AU) : US
State or Province Name (full name) (Some-State): California
Locality Name (eg, city) (): Mountain View
Organization Name (eg, company) (Internet Widgits Pty Ltd): ESO
Organizational Unit Name (eg, section) (): FrontLine
Common Name (eg, YOUR name) (): myhost.mydomain.com
Email Address ():
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

These commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.

NOTE: openssl is installed on the F5 LTMs.

**Entrust issues DER files in .crt file format.**

Convert a DER file (.crt .cer .der) to PEM:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PEM file to DER:

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

(You can add -nocerts to only output the private key or add -nokeys to only output the certificates.)

Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12):

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

You can also use this link for conversions: https://www.sslshopper.com/ssl-converter.html

This command is useful to see which authentication bits are set, SHA algorithm, key size 1028/2048, Common Name, SANs, expiration dates .....

openssl x509 -text -noout -purpose -in /path/certname

Example:

openssl x509 -text -noout -purpose -in /config/filestore/files_d/Common_d/certificate_d/:Common:crt.si.csr-access-cap1.int.thezah.com.2048.crt_16765_1

The following commands will show the modulus of the private key and its matching number in the cert:

openssl rsa -noout -modulus -in /config/filestore/files_d/Development_d/certificate_key_d/:Development:crt.any.any.thezah.ca.2048.key_18692_2 | openssl md5

openssl x509 -noout -modulus -in /config/filestore/files_d/Development_d/certificate_d/:Development:crt.any.any.thezah.ca.2048.crt_18688_8 | openssl md5

openssl x509 -noout -modulus -in server.crt | openssl md5

openssl rsa -noout -modulus -in server.key | openssl md5

openssl s_client -connect 10.45.64.74:443 -cipher RC4-SHA
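Added example, not the poster's code: a POSIX shell script that wraps the key/cert modulus comparison, the signature-algorithm inspection and an expiry check from the post above into reusable functions. It generates its own throwaway key, CSR and self-signed certificate (constructed test material in a temp directory) and assumes `openssl` is on PATH; note that it passes -sha256 to `openssl req`, not to `genrsa`, because the digest is a property of the signature on the CSR or certificate, not of the RSA key.

```shell
#!/bin/sh
# Constructed test material: a 2048-bit key, a SHA-256 signed CSR and a 30-day
# self-signed cert, plus an unrelated key that must NOT match the cert.
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -sha256 -key "$WORK/server.key" -subj "/CN=example.test" \
    -out "$WORK/server.csr" 2>/dev/null
openssl req -new -x509 -sha256 -days 30 -key "$WORK/server.key" \
    -subj "/CN=example.test" -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# key_matches_cert KEY CERT: exit 0 only when the RSA modulus fingerprints agree,
# i.e. the private key on the LTM really belongs to the installed certificate
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# sig_algorithm FILE KIND: KIND is x509 (certificate) or req (CSR); prints the
# signature algorithm so SHA-1 signed material can be spotted before deployment
sig_algorithm() {
    openssl "$2" -noout -text -in "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_expires_within CERT DAYS: exit 0 if the certificate's notAfter falls
# inside the next DAYS days (openssl -checkend returns non-zero in that case)
cert_expires_within() {
    ! openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}

if key_matches_cert "$WORK/server.key" "$WORK/server.crt"; then
    echo "key and cert match; signed with $(sig_algorithm "$WORK/server.crt" x509)"
fi
cert_expires_within "$WORK/server.crt" 60 && echo "renew: cert expires within 60 days"
```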