F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
lawrencegt's avatar
lawrencegt
Icon for Nimbostratus rankNimbostratus
Nov 01, 2024

Hi, looking at implementing this at some point soon. Happy to see I can use EAB key hmac etc. One thing, on the kojot-acme page, i don't see any examples of how to include a SAN on your examples. All of our certs typically have a long organistation fqdn, then a shorter one for people to use. Think "SuperLongExampleComany.com" vs "slec.com" so it's a deal breaker to use for us to have. 
Thanks for you work.

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 01, 2024

You make a good point. The config anchors on the domain name of the cert and intentionally copies the SANs from existing certs in the renewal. However, it doesn't have a provision for specifying SAN values for a new cert. The simplest thing would be to create a self-signed cert with all of the needed SANs and then point your config at this. The Kojot script would overwrite this with an issued cert, keeping all of the SAN values. But I can definitely look into adding this feature.

  • lawrencegt's avatar
    lawrencegt
    Icon for Nimbostratus rankNimbostratus
    Nov 04, 2024

    Thanks Kevin, I'll have to have a play by the sounds of it! Thanks for your response, much appreciated. 

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Nov 13, 2024

      lawrencegt 

      Kojot is a BIG-IP wrapper for Dehydrated, and as such allows some of the underlying flags to fall through. The one that's actually useful here is the -d (--domain) flag for adding SAN values to the certificate. I've updated the Global Configuration table to list this option.

      www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com

      This will add www.baz.com as the subject CN, and www.baz.com, foo.baz.com, and bar.baz.com as SAN values. This option works for new (non-existent) certificates. Renewal operations will maintain the SAN values from the existing certificate.

       

      • Frank_Reininga's avatar
        Frank_Reininga
        Icon for Nimbostratus rankNimbostratus
        Jan 23, 2025

        Hi Kevin/Jason,

        Nice tool and works like a charm. With regards to the SAN values. Is updating SAN fields something that will be added in the future? And partitions are not supported right? All certificates are created in Common? 

        These were the 2 things I ran into while testing. Thanks for this nice tool.

        Regards,

        Frank