Automating ACMEv2 Certificate Management on BIG-IP

While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol describes a system for automating the renewal of PKI certificates. The ACME protocol can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support of ACME (version 2) on the F5 BIG-IP.

Introduction Back in March of 2023, Google proposed a significant reduction in the lifespan of Internet certificates, from the average 13 months down to just 90 days. No firm date was set for this ...
Published Apr 04, 2024
Version 1.0
ACME
ACMEv2
certificate
Let's Encrypt
security
lawrencegt's avatar
lawrencegt
Icon for Nimbostratus rankNimbostratus

Hi, looking at implementing this at some point soon. Happy to see I can use EAB key hmac etc. One thing, on the kojot-acme page, i don't see any examples of how to include a SAN on your examples. All of our certs typically have a long organistation fqdn, then a shorter one for people to use. Think "SuperLongExampleComany.com" vs "slec.com" so it's a deal breaker to use for us to have. 
Thanks for you work.

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Nov 01, 2024

You make a good point. The config anchors on the domain name of the cert and intentionally copies the SANs from existing certs in the renewal. However, it doesn't have a provision for specifying SAN values for a new cert. The simplest thing would be to create a self-signed cert with all of the needed SANs and then point your config at this. The Kojot script would overwrite this with an issued cert, keeping all of the SAN values. But I can definitely look into adding this feature.

  • lawrencegt's avatar
    lawrencegt
    Icon for Nimbostratus rankNimbostratus
    Nov 04, 2024

    Thanks Kevin, I'll have to have a play by the sounds of it! Thanks for your response, much appreciated. 

    • Kevin_Stewart's avatar
      Kevin_Stewart
      Icon for Employee rankEmployee
      Nov 13, 2024

      lawrencegt 

      Kojot is a BIG-IP wrapper for Dehydrated, and as such allows some of the underlying flags to fall through. The one that's actually useful here is the -d (--domain) flag for adding SAN values to the certificate. I've updated the Global Configuration table to list this option.

      www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com

      This will add www.baz.com as the subject CN, and www.baz.com, foo.baz.com, and bar.baz.com as SAN values. This option works for new (non-existent) certificates. Renewal operations will maintain the SAN values from the existing certificate.