Automating ACMEv2 Certificate Management on BIG-IP
While Let's Encrypt and ACMEv2 are often associated, and even confused, with each other, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol describes a system for automating the renewal of PKI certificates. The ACME protocol can be used with public services like Let's Encrypt, but also with internal certificate management services. In this article we explore the more generic support of ACME (version 2) on the F5 BIG-IP.
You make a good point. The config anchors on the domain name of the cert and intentionally copies the SANs from existing certs in the renewal. However, it doesn't have a provision for specifying SAN values for a new cert. The simplest thing would be to create a self-signed cert with all of the needed SANs and then point your config at this. The Kojot script would overwrite this with an issued cert, keeping all of the SAN values. But I can definitely look into adding this feature.
Thanks Kevin, I'll have to have a play by the sounds of it! Thanks for your response, much appreciated.
- Kevin_Stewart, Nov 13, 2024, Employee
Kojot is a BIG-IP wrapper for Dehydrated, and as such allows some of the underlying flags to fall through. The one that's actually useful here is the -d (--domain) flag for adding SAN values to the certificate. I've updated the Global Configuration table to list this option.
www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com
This will add www.baz.com as the subject CN, and www.baz.com, foo.baz.com, and bar.baz.com as SAN values. This option works for new (non-existent) certificates. Renewal operations will maintain the SAN values from the existing certificate.
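To make the new-certificate versus renewal rule concrete, here is an added Python example (not Kojot's or Dehydrated's own code) that parses a line in the "domain := flags" format shown above and derives the names a request would carry; the splitting rules and the renewal behaviour are assumptions modelled on the description in the comment.

```python
"""Added example: interpret a Kojot-style '<domain> := <dehydrated flags>'
line and work out which names a new request versus a renewal would carry."""
import argparse
import shlex

# Constructed sample, copied from the config line in the comment above.
SAMPLE_LINE = ("www.baz.com := --ca https://acme.locallab.com:9000/directory "
               "-a rsa -d foo.baz.com -d bar.baz.com")


def parse_config_line(line: str) -> dict:
    """Split 'subject := flags' and pick out the flags discussed on the page.

    Only --ca, -a/--algo and -d/--domain are interpreted; any other dehydrated
    flag is passed through untouched in 'extra'. The split on ':=' is an
    assumption about Kojot's format, based on the example line.
    """
    subject, sep, flags = line.partition(":=")
    if not sep or not subject.strip():
        raise ValueError(f"not a '<domain> := <flags>' line: {line!r}")
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--ca")
    parser.add_argument("-a", "--algo")
    parser.add_argument("-d", "--domain", action="append", default=[])
    known, extra = parser.parse_known_args(shlex.split(flags))
    return {"subject": subject.strip(), "ca": known.ca, "algo": known.algo,
            "sans": known.domain, "extra": extra}


def requested_names(cfg: dict, existing_sans=None) -> list:
    """Names the request would carry, subject CN first, de-duplicated.

    New certificate (existing_sans is None): the subject plus every -d value.
    Renewal: the existing certificate's SANs are kept, as the comment states;
    that the -d values are then ignored is an assumption of this example.
    """
    names = [cfg["subject"]]
    source = existing_sans if existing_sans is not None else cfg["sans"]
    for name in source:
        if name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    cfg = parse_config_line(SAMPLE_LINE)
    print("new cert:", requested_names(cfg))
    print("renewal :", requested_names(cfg, ["www.baz.com", "old.baz.com"]))
```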