Checking Certificate Dates
Page last updated:
This topic describes how to check the expiration dates of IPsec certificates.
The following procedure describes how to download the runtime configuration file and extract the two IPsec certificates into temporary files. Then, the files are input to the OpenSSL tool. The OpenSSL tool decodes the certificates and displays the expiration dates.
Check Certificate Dates
Follow the steps below to determine the expiration dates of your IPsec certificates.
Log in to BOSH Director.
Run one of the following commands to download your runtime configuration YAML file:
- For Ops Manager v1.10 or earlier:
bosh runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
- For Ops Manager v1.11 or later:
bosh2 -e BOSH-ENVIRONMENT runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
For example,
bosh2 runtime-config > /tmp/my-runtime-config.yml
- For Ops Manager v1.10 or earlier:
Display the runtime configuration YAML file so that you can copy from it.
For example,
$ cat /tmp/my-runtime-config.yml
Identify the section of the file that contains IPsec properties, and locate the certificates:
addons: - include: stemcell: - os: ubuntu-trusty jobs: - name: ipsec release: ipsec name: ipsec properties: ipsec: ca_certificates: - | -----BEGIN CERTIFICATE----- MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw ... Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj -----END CERTIFICATE----- instance_certificate: | -----BEGIN CERTIFICATE----- MIIEGTCCAgGgAwIBAgIQDlqK1V54BEknnblVPXu5lzANBgkqhkiG9w0BAQsFADAO MQwwCgYDVQQDEwNjYTEwHhcNMTYwNTI2MjI1MTAzWhcNMTgwNTI2MjI1MTAzWjAQ MQ4wDAYDVQQDEwVjZXJ0MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ... 4Q6P/cDn9QvW2QbbWkApP2uuMk04jWJV7p79CfX4pipPqiSofjFyFqsjjvir -----END CERTIFICATE-----
Copy the ca_certificate into a text file. Retain the header and footer, but delete the leading white space before the
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
lines.For example,
-----BEGIN CERTIFICATE----- MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw ... Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj -----END CERTIFICATE-----
Save the file with the PEM extension, for example,
my-ipsec-ca-cert.pem
.Run the following command:
openssl x509 -text -inform pem -in /PATH/FILENAME.pem | grep "Not After"
Where
/PATH/FILENAME.pem
is the path to and filename of the file you saved in the step above.For example,
$ openssl x509 -text -inform pem -in /tmp/my-ipsec-ca-cert.pem | grep "Not After" Not After : May 26 22:50:42 2026 GMT
If the PEM file is correctly formatted, the output shows a line with the
Not After
date.If the PEM file is not correctly formatted, The output shows
unable to load certificate
.Repeat steps 5–7 for the instance_certificate.
Review the
Not After
date and plan to replace the certificates accordingly.Keep in mind the lead time to obtain new certificates and the time to perform a deployment to apply them.
For information, see Rotating Active IPsec Certificates.
For security hygiene, delete three temporary files that you created: the downloaded copy of the
runtime-config.yml
which contains the private key and the two PEM files that contain the certificates.