Symptoms
The "tmsh run sys crypto check-cert" command reports expired certificates on BIG-IQ.
Impact
There is no impact besides the warning.
A different default certificate bundle is used for verifying certificates than the one reported by the "tmsh run sys crypto check-cert" call.
The tmsh command is meant to run on BIG-IP and does not check the correct certs on BIG-IQ.
Conditions
The "tmsh run sys crypto check-cert" command is run on BIG-IQ.
Workaround
Do not use the "tmsh run sys crypto check-cert" command on the BIG-IQ.
The cacerts truststore under /usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/security (in 5.4, 6.0.0, 6.0.1 and 6.1.0) contains the default CA certs. The SSL Certificate Verification settings list the custom certs used for validating when using provided certs for validation.
Expiration dates for those certs are presented in the grid of the certs imported for verifying hosts.
To view the details of the certs in the cacerts store, use keytool from the command line:
/usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/bin/keytool -list -v -keystore /usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/security/cacerts
You will need the password for the store, which is likely the default: changeit
Note that this default truststore will likely be updated in some subsequent BIG-IQ release.
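The keytool listing above is long, so the following added example (not F5 code) filters it down to the entries whose "until:" date has passed. The function names, the JRE variable and the sample entries are assumptions made for illustration; it also assumes keytool prints English labels in the same time zone as the system `date`.

```shell
#!/bin/sh
# Added example: report cacerts entries whose "until:" date has passed.
# On the appliance, with JRE set to the JRE directory from the article:
#   "$JRE/bin/keytool" -list -v -keystore "$JRE/lib/security/cacerts" \
#       -storepass changeit | expired_aliases

# expired_aliases [NOW]
# Reads `keytool -list -v` output on stdin and prints "alias<TAB>until-date"
# for every expired entry. NOW is a YYYYMMDDhhmmss key (default: local time;
# assumes keytool and `date` use the same time zone and English labels).
expired_aliases() {
    now="${1:-$(date +%Y%m%d%H%M%S)}"
    awk -v now="$now" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        /^Alias name: / { alias = substr($0, 13); next }
        /^Valid from: .* until: / {
            if (alias == "") next          # only the first cert of each entry
            until = $0
            sub(/^.* until: /, "", until)  # e.g. Mon Nov 10 00:00:00 UTC 2031
            n = split(until, f, " ")
            split(f[4], t, ":")
            key = sprintf("%04d%02d%02d%02d%02d%02d",
                          f[n], mon[f[2]], f[3], t[1], t[2], t[3])
            if ((key "") < (now "")) printf "%s\t%s\n", alias, until
            alias = ""
        }'
}

# Constructed sample in the layout keytool prints (not real store contents).
sample_keytool_output() {
    cat <<'EOF'
Alias name: constructed-old-ca
Entry type: trustedCertEntry
Owner: CN=Constructed Old CA, O=Example
Valid from: Mon Jan 01 00:00:00 UTC 2001 until: Sat Jan 01 00:00:00 UTC 2011
Alias name: constructed-current-ca
Entry type: trustedCertEntry
Owner: CN=Constructed Current CA, O=Example
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031
EOF
}

# Demo with a fixed reference time so the result is reproducible.
sample_keytool_output | expired_aliases 20240101000000
```

An empty result means no entry in the listing has expired as of the reference time.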