Forum Discussion
johnestate_1382
Nimbostratus
Dec 11, 2014
SSL certificate automation
We have around 2000 certs that need to be renewed every two years, which is really tiresome. Is there any tool to automate this process?
StephanManthey
Nacreous
Feb 21, 2015
Hi Johnestate,
the CSR process doesn't need to be done on your F5 device.
An external tool can be used to create a new private key and a new certificate signing request to be handed over to the certificate authority.
Now the private key, new signed certificate and chain (intermediate certificate authority) need to be imported to the TMOS filestore (assuming you are already on TMOS v11).
As uni already pointed out, the import to the filestore can be done on the CLI.
With a fitting index-based naming convention (for naming client-ssl profiles and keys/certificates) I can imagine using a generic script for this task:
- i.e. each client/service has a fixed numeric index,
- the associated client-ssl profile is using the same index in its name,
- certificate attributes (cn, ou, ...) for each service are held in a comma-separated list headed by the index and the last date (universal format) of certificate creation,
- this list gets parsed daily by a cronjob and openssl is used to create a new private key (file name with index and serial number) and a new csr based on the newly generated key with attributes taken from the list,
- manual part: forwarding of the csr to the certificate authority,
- manual part: putting the signed certificate back into a folder,
- the daily cronjob is parsing the folder and using openssl to look into the newly signed cert's common name, finds a match in the "database", uses the index to find the associated private key and imports this pair via tmsh to the BIG-IP.
I'm not aware of a ready-to-run solution and I understand your pain to keep such a number of certificates up to date.
Thanks, Stephan
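One way to sketch the index-based script Stephan describes, as an added example that is neither code from this thread nor an F5-supplied tool. It assumes a CSV "database" with the columns index, last creation date, CN, OU and O, a keys/ folder for generated private keys and CSRs, a signed/ inbox the CA's answers are dropped into, and openssl on the host. The tmsh commands (install sys crypto key/cert from-local-file, modify ltm profile client-ssl) are assumed for TMOS v11+ and are only printed, so the output can be reviewed before it is run on the BIG-IP; the client-ssl profile name clientssl_INDEX is an assumed convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: index-based renewal
# helper. Assumed layout: certs.csv (index,last_created,cn,ou,o), keys/, signed/.
# tmsh command syntax is assumed for TMOS v11+ and is printed, not executed.
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/certwork.$$}"   # assumed working directory
DB="$WORKDIR/certs.csv"
KEYDIR="$WORKDIR/keys"
INBOX="$WORKDIR/signed"

# Constructed sample "database" (two services, both issued in 2013).
setup_sample() {
  mkdir -p "$KEYDIR" "$INBOX"
  printf '%s\n' \
    '1001,2013-01-15,www.example.test,IT,Example Corp' \
    '1002,2013-02-01,api.example.test,Dev,Example Corp' > "$DB"
}

# Naming convention: every object carries the index plus the creation date.
key_name()  { printf 'key_%s_%s' "$1" "$2"; }
cert_name() { printf 'cert_%s_%s' "$1" "$2"; }

# Indexes whose last creation date plus two years is on or before $2 (YYYY-MM-DD).
# Lexical comparison is safe because the dates are zero-padded ISO dates.
due_indexes() {
  awk -F, -v today="$2" '{
    split($2, d, "-"); due = sprintf("%04d-%s-%s", d[1] + 2, d[2], d[3])
    if (due <= today) print $1
  }' "$1"
}

# Index for a CN, or empty when the CN is unknown (such certs stay in the inbox
# for a human to look at instead of being imported).
index_for_cn() { awk -F, -v cn="$2" '$3 == cn { print $1; exit }' "$1"; }

# Fresh key and CSR for one index; the CSR is the manual hand-over to the CA.
make_csr() {
  idx="$1"; today="$2"
  row=$(awk -F, -v i="$idx" '$1 == i { print; exit }' "$DB")
  cn=$(printf '%s' "$row" | cut -d, -f3)
  ou=$(printf '%s' "$row" | cut -d, -f4)
  o=$(printf '%s' "$row" | cut -d, -f5)
  base="$KEYDIR/$(key_name "$idx" "$today")"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$base.key" -out "$base.csr" \
    -subj "/CN=$cn/OU=$ou/O=$o" 2>/dev/null
  chmod 600 "$base.key"
  echo "$base.csr"
}

# CN of a signed certificate, read from the RFC 2253 subject line.
cn_of_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# tmsh commands that import the newest key for the index together with the
# signed cert and bind both to the profile sharing the index (assumed syntax).
import_cmds() {
  idx="$1"; certfile="$2"
  keyfile=$(ls "$KEYDIR"/key_"$idx"_*.key 2>/dev/null | sort | tail -n 1)
  [ -n "$keyfile" ] || { echo "no private key on file for index $idx" >&2; return 1; }
  k=$(basename "$keyfile" .key)
  c=$(cert_name "$idx" "$(date +%Y-%m-%d)")
  printf 'tmsh install sys crypto key %s from-local-file %s\n' "$k" "$keyfile"
  printf 'tmsh install sys crypto cert %s from-local-file %s\n' "$c" "$certfile"
  printf 'tmsh modify ltm profile client-ssl clientssl_%s cert %s key %s\n' "$idx" "$c" "$k"
}

# Daily cron job: issue CSRs for everything due, then match whatever the CA
# returned to its index and print the import commands.
daily_run() {
  today=$(date +%Y-%m-%d)
  for idx in $(due_indexes "$DB" "$today"); do make_csr "$idx" "$today"; done
  for f in "$INBOX"/*.crt; do
    [ -e "$f" ] || continue
    idx=$(index_for_cn "$DB" "$(cn_of_cert "$f")")
    if [ -n "$idx" ]; then import_cmds "$idx" "$f"; fi
  done
}

if [ "${1:-}" = "daily" ]; then setup_sample; daily_run; fi
```

Run it as `sh renew.sh daily` to see the CSRs it generates for the sample data and the tmsh commands it would emit for any .crt dropped into signed/. Keeping the private key on the generating host with mode 600 and matching the returned certificate by CN against the database (rather than trusting the file name) are the two checks worth keeping when this grows into a real job.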