Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
Mario_Franco's avatar
Mario_Franco
Icon for Altocumulus rankAltocumulus
Jul 30, 2024

Excellent, but I wonder if this script could work with any CA. A few years ago, I configured a script that works with Let's Encrypt, and the entire script is on the BigIP. However, it doesn't work with other CAs, and some clients want to use ACME with other CAs, like DigiCert or Sectigo

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 30, 2024

This script is intended to work with the http-01 specification of RFC 8555, which Let's Encrypt adheres to. Other public ACMEv2 providers include ZeroSSL, BuyPass, SSL.com, Sectigo, and Google ACMEv2. The script was also tested extensively with "local" ACMEv2 servers (Pebble and SmallStep Step-CA).

It's important to point out here that CAs have to support ACMEv2 for this to work, which is the list I've included above. To my knowledge, DigiCert, Symantec, Comodo, GoDaddy, GlobalSign (and I'm sure others) have yet to implement the ACMEv2 protocol. For those, you'd want to use the built-in Certificate Order Management feature in BIG-IP.