LATEST VERSION: 1.9 - CHANGELOG
IPsec Add-On for PCF v1.8

Checking Certificate Dates

Page last updated:

This topic describes how to check the expiration dates of IPsec certificates.

The following procedure describes how to download the runtime configuration file and extract the two IPsec certificates into temporary files. Then, the files are input to the OpenSSL tool. The OpenSSL tool decodes the certificates and displays the expiration dates.

Check Certificate Dates

Follow the steps below to determine the expiration dates of your IPsec certificates.

  1. Log in to BOSH Director.

  2. Run one of the following commands to download your runtime configuration YAML file:

    • For Ops Manager v1.10 or earlier: bosh runtime-config > PATH-TO-SAVE-THE-RUNTIME-CONFIG
    • For Ops Manager v1.11 or later: bosh2 -e BOSH-ENVIRONMENT runtime-config --name=ipsec > PATH-TO-SAVE-THE-RUNTIME-CONFIG

    For example,

    bosh runtime-config > /tmp/my-runtime-config.yml

  3. Display the runtime configuration YAML file so that you can copy from it.

    For example,

     $ cat  /tmp/my-runtime-config.yml 

  4. Identify the section of the file that contains IPsec properties, and locate the certificates:

    addons:
    - include:
        stemcell:
        - os: ubuntu-trusty
      jobs:
      - name: ipsec
        release: ipsec
      name: ipsec
      properties:
        ipsec:
          ca_certificates:
          - |
            -----BEGIN CERTIFICATE-----
            MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
             HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
             ...     
             Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
            -----END CERTIFICATE-----
          instance_certificate: |
            -----BEGIN CERTIFICATE-----
            MIIEGTCCAgGgAwIBAgIQDlqK1V54BEknnblVPXu5lzANBgkqhkiG9w0BAQsFADAO
            MQwwCgYDVQQDEwNjYTEwHhcNMTYwNTI2MjI1MTAzWhcNMTgwNTI2MjI1MTAzWjAQ
            MQ4wDAYDVQQDEwVjZXJ0MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
            ... 
            4Q6P/cDn9QvW2QbbWkApP2uuMk04jWJV7p79CfX4pipPqiSofjFyFqsjjvir
            -----END CERTIFICATE-----
    
  5. Copy the ca_certificate into a text file. Retain the header and footer, but delete the leading white space before the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    For example,

    -----BEGIN CERTIFICATE-----
        MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
        HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
     ...
        Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
    -----END CERTIFICATE-----
     

  6. Save the file with the PEM extension, for example, my-ipsec-ca-cert.pem.

  7. Run the following command:

    openssl x509 -text -inform pem -in /PATH/FILENAME.pem | grep "Not After"

    Where /PATH/FILENAME.pem is the path to and filename of the file you saved in the step above.

    For example,

    $ openssl x509 -text -inform pem -in /tmp/my-ipsec-ca-cert.pem | grep "Not After"
             Not After : May 26 22:50:42 2026 GMT
    

    If the PEM file is correctly formatted, the output shows a line with the Not After date.

    If the PEM file is not correctly formatted, The output shows unable to load certificate.

  8. Repeat steps 5–7 for the instance_certificate.

  9. Review the Not After date and plan to replace the certificates accordingly.

    Keep in mind the lead time to obtain new certificates and the time to perform a deployment to apply them.

    For information, see Rotating Active IPsec Certificates.

  10. For security hygiene, delete three temporary files that you created: the downloaded copy of the runtime-config.yml which contains the private key and the two PEM files that contain the certificates.

Create a pull request or raise an issue on the source for this page in GitHub