opiekelly
Oct 19, 2024

Using AS3 for CSR(via Venafi), VIP, and GSLB

Hello All, I would like to automate requesting BIG-IQ to generate a CSR request via Venafi integration. Have the cert signed by Venafi. Create a complete VIP setup with the certificate. Create GSLB for this new VIP. All via the AS3 interface. I used ChatGPT and it output the below steps, and I am wondering if this is on the right track.


F5 BIG-IQ and Venafi Integration with GSLB Configuration - Complete Steps

Step 1: Generate CSR via F5 BIG-IQ API (with SAN)

In this step, we will generate a CSR (Certificate Signing Request) using F5 BIG-IQ’s API. This CSR will include SAN (Subject Alternative Names) as required.

API Call to Generate CSR:

POST https://big-iq.example.com/mgmt/cm/certificates/requests
Authorization: Bearer <f5_token>
Content-Type: application/json

{
  "command": "generate",
  "name": "exampleCertRequest",
  "commonName": "example.com",
  "keyType": "rsa",
  "keySize": 2048,
  "subjectAlternativeNames": [
    "www.example.com",
    "api.example.com"
  ],
  "organization": "ExampleOrg",
  "organizationalUnit": "IT",
  "country": "US",
  "locality": "San Francisco",
  "state": "CA"
}

Step 2: Submit CSR to Venafi via F5 BIG-IQ API

After generating the CSR, submit it to Venafi for signing using F5 BIG-IQ’s built-in Venafi integration.

API Call to Submit CSR via F5’s Venafi Integration:

POST https://big-iq.example.com/mgmt/cm/certificates/requests/<CSR-ID>/submit
Authorization: Bearer <f5_token>
Content-Type: application/json

{
  "caReference": "/mgmt/shared/venafi/venafi-instance",
  "requestType": "new",
  "zone": "exampleZone",
  "validityPeriod": "P1Y"
}

Step 3: Check Status of the Certificate Request

You can track the status of the certificate request to see when it is signed by Venafi.

API Call to Check CSR Status:

GET https://big-iq.example.com/mgmt/cm/certificates/requests/<CSR-ID>
Authorization: Bearer <f5_token>

Step 4: Retrieve the Signed Certificate

Once the certificate has been signed by Venafi, you can retrieve it using the following API.

API Call to Retrieve Signed Certificate:

GET https://big-iq.example.com/mgmt/cm/certificates/requests/<CSR-ID>/certificate
Authorization: Bearer <f5_token>

Step 5: Create the Entire VIP Configuration Using AS3

This combined AS3 declaration will define the full VIP configuration, including SSL, pool members, health monitors, and load balancing.

AS3 Declaration:

{
  "class": "ADC",
  "schemaVersion": "3.0.0",
  "id": "VIPWithSSL",
  "tenant": {
    "class": "Tenant",
    "application": {
      "class": "Application",
      "template": "generic",

      "myCert": {
        "class": "Certificate",
        "certificate": { "bigip": "/Common/signedCert.crt" },
        "privateKey": { "bigip": "/Common/privateKey.key" }
      },

      "clientSSL": {
        "class": "TLS_Server",
        "certificates": [
          {
            "certificate": "myCert"
          }
        ]
      },

      "myPool": {
        "class": "Pool",
        "monitors": [
          "http"
        ],
        "members": [
          {
            "serverAddresses": [
              "10.0.0.1"
            ],
            "servicePort": 80
          },
          {
            "serverAddresses": [
              "10.0.0.2"
            ],
            "servicePort": 80
          },
          {
            "serverAddresses": [
              "10.0.0.3"
            ],
            "servicePort": 80
          }
        ],
        "loadBalancingMode": "least-connections-node"
      },

      "myVIP": {
        "class": "Service_HTTPS",
        "virtualAddresses": [
          "192.0.2.10"
        ],
        "virtualPort": 443,
        "pool": "myPool",
        "serverTLS": "clientSSL"
      }
    }
  }
}

Step 6: Configure GSLB Pool Using AS3 (FQDN and Ratio Load Balancing)

This step sets up a GSLB pool using FQDN-based members and the ratio load balancing algorithm.

AS3 Declaration for GSLB Pool:

{
  "class": "GSLB_Pool",
  "members": [
    {
      "server": "server1.example.com",
      "ratio": 5
    },
    {
      "server": "server2.example.com",
      "ratio": 3
    }
  ],
  "loadBalancingMode": "ratio"
}
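A reference checker for a Step 5 style declaration, added here as an example; it is not F5 code and not part of the post. It uses the real AS3 names Service_HTTPS, serverTLS, TLS_Server, Certificate and the {"bigip": ...} pointer form; CHECKED_CLASSES is only a small subset of AS3 classes, lint_as3 is an assumed helper name, and SAMPLE is a constructed declaration seeded with the reference mistakes the checker looks for (a non-existent SSL_Profile_Client class, a Service_HTTP carrying an sslProfile key, Certificate paths given as bare strings).

```python
CHECKED_CLASSES = {"Certificate", "TLS_Server", "Pool", "Service_HTTP", "Service_HTTPS"}

def _objects(container: dict) -> dict:
    """Named children carrying an AS3 "class" (tenants, applications, app objects)."""
    return {k: v for k, v in container.items() if isinstance(v, dict) and "class" in v}

def lint_as3(decl: dict) -> list:
    """Return human-readable findings; an empty list means the references line up."""
    findings = []
    for tname, tenant in _objects(decl).items():
        for aname, app in _objects(tenant).items():
            if tenant["class"] != "Tenant" or app["class"] != "Application":
                continue
            objs = _objects(app)

            def ref_ok(ref, cls):
                # Same-application reference, written "name" or {"use": "/tenant/app/name"}
                if isinstance(ref, dict):
                    ref = ref.get("use", "").rsplit("/", 1)[-1]
                return isinstance(ref, str) and objs.get(ref, {}).get("class") == cls

            for name, obj in objs.items():
                cls, tag = obj["class"], f"/{tname}/{aname}/{name}"
                if cls not in CHECKED_CLASSES:
                    findings.append(f"{tag}: class {cls} is not a checked AS3 class (typo?)")
                if cls == "Service_HTTP" and ("sslProfile" in obj or obj.get("virtualPort") == 443):
                    findings.append(f"{tag}: TLS termination needs Service_HTTPS with serverTLS")
                if cls == "Service_HTTPS" and not ref_ok(obj.get("serverTLS"), "TLS_Server"):
                    findings.append(f"{tag}: serverTLS must name a TLS_Server in this application")
                if cls.startswith("Service_") and "pool" in obj and not ref_ok(obj["pool"], "Pool"):
                    findings.append(f"{tag}: pool must name a Pool in this application")
                for cert in obj.get("certificates", []) if cls == "TLS_Server" else []:
                    if not ref_ok(cert.get("certificate"), "Certificate"):
                        findings.append(f"{tag}: certificates[].certificate must name a Certificate")
                for key in ("certificate", "privateKey") if cls == "Certificate" else []:
                    if isinstance(obj.get(key), str) and obj[key].startswith("/"):
                        findings.append(f'{tag}: {key} must be {{"bigip": "{obj[key]}"}}; a bare string is read as PEM')
    return findings

# Constructed sample: a trimmed VIP declaration seeded with the reference mistakes above.
SAMPLE = {"class": "ADC", "schemaVersion": "3.0.0", "tenant": {"class": "Tenant", "application": {
    "class": "Application",
    "myCert": {"class": "Certificate", "certificate": "/Common/signedCert.crt",
               "privateKey": "/Common/privateKey.key"},
    "clientSSL": {"class": "SSL_Profile_Client", "certificates": [{"certificate": "myCert"}]},
    "myPool": {"class": "Pool", "members": [{"serverAddresses": ["10.0.0.1"], "servicePort": 80}]},
    "myVIP": {"class": "Service_HTTP", "virtualAddresses": ["192.0.2.10"], "virtualPort": 443,
              "pool": "myPool", "sslProfile": {"client": "clientSSL"}}}}}
```

Running `lint_as3(SAMPLE)` reports four findings, one per seeded mistake; a declaration built from Service_HTTPS, serverTLS, TLS_Server and {"bigip": ...} pointers comes back clean.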
