Automating ACMEv2 Certificate Management on BIG-IP
While Let's Encrypt and ACMEv2 are often conflated, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol describes a system for automating the issuance and renewal of PKI certificates. The ACME protocol can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support of ACME (version 2) on the F5 BIG-IP.
Hi, looking at implementing this at some point soon. Happy to see I can use EAB key HMAC etc. One thing, on the kojot-acme page, I don't see any examples of how to include a SAN in your examples. All of our certs typically have a long organisation FQDN, then a shorter one for people to use. Think "SuperLongExampleCompany.com" vs "slec.com", so it's a deal breaker for us not to have.
Thanks for your work.
- Kevin_Stewart, Nov 01, 2024, Employee
You make a good point. The config anchors on the domain name of the cert and intentionally copies the SANs from existing certs in the renewal. However, it doesn't have a provision for specifying SAN values for a new cert. The simplest thing would be to create a self-signed cert with all of the needed SANs and then point your config at this. The Kojot script would overwrite this with an issued cert, keeping all of the SAN values. But I can definitely look into adding this feature.
- lawrencegt, Nov 04, 2024, Nimbostratus
Thanks Kevin, I'll have to have a play by the sounds of it! Thanks for your response, much appreciated.
- Kevin_Stewart, Nov 13, 2024, Employee
Kojot is a BIG-IP wrapper for Dehydrated, and as such allows some of the underlying flags to fall through. The one that's actually useful here is the -d (--domain) flag for adding SAN values to the certificate. I've updated the Global Configuration table to list this option.
www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com
This will add www.baz.com as the subject CN, and www.baz.com, foo.baz.com, and bar.baz.com as SAN values. This option works for new (non-existent) certificates. Renewal operations will maintain the SAN values from the existing certificate.
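As an added example (not part of the original post or of the Kojot project), the following parses the "domain := dehydrated flags" configuration line described above, derives the subject CN and the SAN list the issued certificate should carry, and reports which configured SANs an existing certificate lacks (useful because renewals keep the existing certificate's SANs rather than re-reading -d). It assumes the right-hand side is tokenized shell-style and only interprets the --ca, -a/--algo and -d/--domain flags; everything else falls through.

```python
import shlex
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KojotEntry:
    domain: str                       # left of ':=' becomes the subject CN
    ca: Optional[str] = None          # ACME directory URL (--ca)
    algorithm: Optional[str] = None   # key algorithm (-a / --algo)
    extra_sans: List[str] = field(default_factory=list)  # -d / --domain values

    @property
    def expected_sans(self) -> List[str]:
        """CN first, then -d values in order, without duplicates."""
        sans = [self.domain]
        for name in self.extra_sans:
            if name not in sans:
                sans.append(name)
        return sans


def parse_kojot_line(line: str) -> KojotEntry:
    """Parse one 'domain := <dehydrated flags>' line (shell-style split assumed)."""
    key, sep, rhs = line.partition(":=")
    if not sep or not key.strip():
        raise ValueError(f"not a 'domain := flags' line: {line!r}")
    entry = KojotEntry(domain=key.strip())
    tokens = shlex.split(rhs)

    def value_after(i: int) -> str:
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {tokens[i]} is missing its argument")
        return tokens[i + 1]

    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-d", "--domain"):
            entry.extra_sans.append(value_after(i)); i += 2
        elif tok == "--ca":
            entry.ca = value_after(i); i += 2
        elif tok in ("-a", "--algo"):
            entry.algorithm = value_after(i); i += 2
        else:
            i += 1  # other dehydrated flags fall through untouched
    return entry


def missing_sans(entry: KojotEntry, cert_sans: List[str]) -> List[str]:
    """Configured SANs absent from an existing cert (which a renewal would not add)."""
    present = {s.lower() for s in cert_sans}
    return [s for s in entry.expected_sans if s.lower() not in present]
```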