This topic tells you how to check the expiration dates of IPsec for VMware Tanzu certificates.

The following procedure describes how to download the runtime configuration file and extract the two IPsec certificates into temporary files. Then, the files are input to the OpenSSL tool. The OpenSSL tool decodes the certificates and displays the expiration dates.

Check Certificate Dates

Follow these steps to determine the expiration dates of your IPsec certificates:

1. Log in to BOSH Director.

2. Run the following command to download your runtime configuration YAML file:

   bosh -e BOSH-ENVIRONMENT runtime-config --name=ipsec > PATH-TO-SAVE-THE-RUNTIME-CONFIG
   

   For example:

   $ bosh runtime-config > /tmp/my-runtime-config.yml
   

3. Display the runtime configuration YAML file so that you can copy from it.

   For example:

   $ cat /tmp/my-runtime-config.yml
   

4. Identify the section of the file that contains IPsec properties, and locate the certificates:

   addons:
   - include:
       stemcell:
       - os: ubuntu-trusty
     jobs:
     - name: ipsec
       release: ipsec
       properties:
         ipsec:
           ca_certificates:
           - |
             -----BEGIN CERTIFICATE-----
             MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
              HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
              ...
              Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
             -----END CERTIFICATE-----
           instance_certificate: |
             -----BEGIN CERTIFICATE-----
             MIIEGTCCAgGgAwIBAgIQDlqK1V54BEknnblVPXu5lzANBgkqhkiG9w0BAQsFADAO
             MQwwCgYDVQQDEwNjYTEwHhcNMTYwNTI2MjI1MTAzWhcNMTgwNTI2MjI1MTAzWjAQ
             MQ4wDAYDVQQDEwVjZXJ0MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
             ...
             4Q6P/cDn9QvW2QbbWkApP2uuMk04jWJV7p79CfX4pipPqiSofjFyFqsjjvir
             -----END CERTIFICATE-----
     name: ipsec
   

5. Copy the ca_certificate into a text file. Retain the header and footer, but delete the leading white space before the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

   For example,

   -----BEGIN CERTIFICATE-----
           MIIE/TCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDEwNjYTEw
           HhcNMTYwNTI2MjI1MDMzWhcNMjYwNTI2MjI1MDQyWjAOMQwwCgYDVQQDEwNjYTEw
   ...
           Axu2pbEoT1PrMd3HlAZ3AH8ZrMR3ScJKCW3wQFRX/Plj
   -----END CERTIFICATE-----
   

6. Save the file with the PEM extension, for example, my-ipsec-ca-cert.pem.

7. Run the following command:

   openssl x509 -text -inform pem -in /PATH/FILENAME.pem | grep "Not After"
   

   Where /PATH/FILENAME.pem is the path to and filename of the file you saved in the step above.

   For example,

   $ openssl x509 -text -inform pem -in /tmp/my-ipsec-ca-cert.pem | grep "Not After"
            Not After : May 26 22:50:42 2026 GMT
   

   If the PEM file is correctly formatted, the output shows a line with the Not After date.

   If the PEM file is not correctly formatted, The output shows unable to load certificate.

8. Repeat steps 5 through 7 for the instance_certificate.

9. Review the Not After date and plan to replace the certificates accordingly.

   Keep in mind the lead time to obtain new certificates and the time to perform a deployment to apply them.

   For more information, see Rotating Active IPsec Certificates.

10. For security hygiene, delete three temporary files that you created: the downloaded copy of the runtime-config.yml, which contains the private key, and the two PEM files that contain the certificates.