Automating ACMEv2 Certificate Management on BIG-IP

While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol describes a system for automating the renewal of PKI certificates. The ACME protocol can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support of ACME (version 2) on the F5 BIG-IP.

Introduction Back in March of 2023, Google proposed a significant reduction in the lifespan of Internet certificates, from the average 13 months down to just 90 days. No firm date was set for this ...
Published Apr 04, 2024
Version 1.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Mario_Franco's avatar
Mario_Franco
Icon for Altocumulus rankAltocumulus

Excellent, but I wonder if this script could work with any CA. A few years ago, I configured a script that works with Let's Encrypt, and the entire script is on the BigIP. However, it doesn't work with other CAs, and some clients want to use ACME with other CAs, like DigiCert or Sectigo

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 30, 2024

This script is intended to work with the http-01 specification of RFC 8555, which Let's Encrypt adheres to. Other public ACMEv2 providers include ZeroSSL, BuyPass, SSL.com, Sectigo, and Google ACMEv2. The script was also tested extensively with "local" ACMEv2 servers (Pebble and SmallStep Step-CA).

It's important to point out here that CAs have to support ACMEv2 for this to work, which is the list I've included above. To my knowledge, DigiCert, Symantec, Comodo, GoDaddy, GlobalSign (and I'm sure others) have yet to implement the ACMEv2 protocol. For those, you'd want to use the built-in Certificate Order Management feature in BIG-IP.