Automating ACMEv2 Certificate Management on BIG-IP
Thanks Kevin, I'll have to have a play by the sounds of it! Thanks for your response, much appreciated.
Kojot is a BIG-IP wrapper for Dehydrated, and as such allows some of the underlying flags to fall through. The one that's actually useful here is the -d (--domain) flag for adding SAN values to the certificate. I've updated the Global Configuration table to list this option.
www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com
This will add www.baz.com as the subject CN, and www.baz.com, foo.baz.com, and bar.baz.com as SAN values. This option works for new (non-existent) certificates. Renewal operations will maintain the SAN values from the existing certificate.
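Because renewals keep the SAN values of the existing certificate, a changed -d list in an entry does not reach a certificate that has already been issued. The following is an added example, not part of the original thread or of the Kojot or Dehydrated code: it parses an entry of the form shown above and reports names that differ from a SAN list you supply. The function names and the sample SAN list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; not part of Kojot or Dehydrated. Function names are hypothetical.

# Print the names a new certificate would carry for one entry of the form
#   <subject> := <flags>      (repeated -d/--domain flags add SAN values)
expected_sans() {
    case $1 in *:=*) ;; *) return 1 ;; esac
    subject=$(printf '%s' "${1%%:=*}" | tr -d ' \t')
    flags=${1#*:=}
    {
        printf '%s\n' "$subject"
        set -f              # no globbing, so a wildcard name stays literal
        set -- $flags       # deliberate word splitting of the flag string
        while [ $# -gt 0 ]; do
            if { [ "$1" = "-d" ] || [ "$1" = "--domain" ]; } && [ $# -ge 2 ]; then
                printf '%s\n' "$2"
                shift
            fi
            shift
        done
    } | sort -u
}

# Compare an entry with the SAN list of the certificate already installed
# (whitespace-separated). "+name": configured but not on the certificate;
# "-name": on the certificate but no longer configured. No output: in sync.
san_drift() {
    want=$(expected_sans "$1") || return 2
    have=$(printf '%s\n' "$2" | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u)
    printf '%s\n' "$want" | while IFS= read -r n; do
        printf '%s\n' "$have" | grep -Fxq -- "$n" || printf '%s\n' "+$n"
    done
    printf '%s\n' "$have" | while IFS= read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$want" | grep -Fxq -- "$n" || printf '%s\n' "-$n"
    done
}

# Constructed sample: the entry from the thread, and a certificate assumed to
# have been issued before bar.baz.com was added to the entry.
entry='www.baz.com := --ca https://acme.locallab.com:9000/directory -a rsa -d foo.baz.com -d bar.baz.com'
san_drift "$entry" 'www.baz.com foo.baz.com'
```

Any line of output marks an entry whose certificate a plain renewal will not bring in line with the configured names.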
- Frank_Reininga, Jan 23, 2025
Nimbostratus
Hi Kevin/Jason,
Nice tool, and it works like a charm. With regard to the SAN values: is updating SAN fields something that will be added in the future? And partitions are not supported, right? All certificates are created in Common?
These were the 2 things I ran into while testing. Thanks for this nice tool.
Regards,
Frank
- Kevin_Stewart, Jan 23, 2025
Employee
By "updating SAN fields" are you referring to the limitation mentioned in the previous comment, that renewal operations will maintain the SAN values from the existing certificate?
As for partition support, that was never intended. But it could be relatively easy to add.
- Frank_Reininga, Jan 23, 2025
Nimbostratus
Yes, correct. When SAN domains need updating, it would mean an outage, right? Remove the SSL certificate from the profile, remove the certificate, and then make a new request with updated SAN domains.
Partition support would be great. Can I create a feature request at GitHub?