Automating ACMEv2 Certificate Management on BIG-IP
While Let's Encrypt and ACMEv2 are often conflated, the former is ultimately a consumer of the latter. The Automated Certificate Management Environment (ACME) protocol describes a system for automating the renewal of PKI certificates. It can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support for ACME (version 2) on the F5 BIG-IP.
Excellent, but I wonder if this script could work with any CA. A few years ago, I configured a script that works with Let's Encrypt, and the entire script is on the BIG-IP. However, it doesn't work with other CAs, and some clients want to use ACME with other CAs, like DigiCert or Sectigo.
- Kevin_Stewart, Jul 30, 2024 (Employee)
This script is intended to work with the http-01 specification of RFC 8555, which Let's Encrypt adheres to. Other public ACMEv2 providers include ZeroSSL, BuyPass, SSL.com, Sectigo, and Google ACMEv2. The script was also tested extensively with "local" ACMEv2 servers (Pebble and SmallStep Step-CA).
It's important to point out here that CAs have to support ACMEv2 for this to work, which is the list I've included above. To my knowledge, DigiCert, Symantec, Comodo, GoDaddy, GlobalSign (and I'm sure others) have yet to implement the ACMEv2 protocol. For those, you'd want to use the built-in Certificate Order Management feature in BIG-IP.
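The http-01 exchange referred to above, as an added example that is not part of the original article or of the BIG-IP script: it computes the key authorization a client must serve at /.well-known/acme-challenge/&lt;token&gt; (RFC 8555 section 8.1, using the RFC 7638 JWK thumbprint) and checks a fetched challenge body the way a CA's validator does. The account JWK and token below are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Only these members feed the thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
# ACME tokens are bare base64url (RFC 8555 section 8.3); rejecting anything
# else keeps a CA-supplied token safe to use as a path component.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted,
    no whitespace; extra members such as 'kid' or 'alg' are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at http://<host>/.well-known/acme-challenge/<token>."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not a bare base64url string")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response_is_valid(body: bytes, token: str, account_jwk: dict) -> bool:
    """Check a fetched challenge body as the validator does: exact match on
    the key authorization, trailing whitespace ignored (RFC 8555 8.3)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return body.rstrip(b" \t\r\n") == expected


# Constructed sample account key: the P-256 coordinates are placeholders
# (not a valid curve point) and only drive the thumbprint computation.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # sample, RFC 8555 format
```

Because the thumbprint is bound to the account key, a body served with the right token but computed from a different key fails validation; the token check also rejects anything the CA returns that would not be safe to write under the challenge directory.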