Skip to main content


Load balancer SSL certificate expiring soon (Automated)


Alert when the SSL certificate in a load balancer expires within 45 days. Rotate SSL certificates in a timely basis to ensure security and usability.


This policy checks for expiring certificates attached to both backend sets and listeners.


From Console:

  1. Login to OCI console.
  2. Select Networking from Services menu.
  3. Select Load Balancer from Networking menu.
  4. Click the name of a load balancer with an expiring SSL certificate.
  5. Click Certificates and the name of the certificate that is expiring.
  6. Click Renew Certificate.
  7. Set Not Valid After to a date of 45 days or more in the future.
  8. Click Renew Certificate.
  9. Repeat steps 4-8 for all load balancers with expiring certificates.

From CLI:

(Note: The OCI CLI does not currently have a means of renewing certificates, as per the console.)

  1. Execute the following command to get a list of load balancers:

    oci lb load-balancer list --compartment-id <compartment_ocid>
  2. For each load balancer, execute the following command to get the attached backend-sets:

    oci lb backend-set list --load-balancer-id <load_balancer_ocid>

    OCI CLI does not provide a command to allow to direct listing of listeners. You can extract them from the command in step 1, within the listeners element.

  1. For each backend set/listener, examine the ssl-configuration, extract the certificate-ids and execute the following command:

    oci certs-mgmt certificate get --certificate-id <certificate_ocid>
  2. If the date in time-of-validity-not-after is less than 45 days, then you must delete the certificate and create a new one, as follows:

    oci lb certificate delete --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name>


    oci lb certificate create --load-balancer-id <load_balancer_ocid> --certificate-name <certificate_name>