Automating ACMEv2 Certificate Management on BIG-IP
Hello, is there a way to automate the renewal of the management BIG-IP device certificate in a similar manner?
- Kevin_Stewart, May 19, 2025
Employee
By virtue of the http-01 validation process, the cert subject has to be resolvable by public DNS, and that resolved IP has to have an HTTP:80 listener on the public Internet that the ACMEv2 server can get to. And since a BIG-IP mgmt. UI should never be exposed to the Internet, it really isn’t practical to renew device certs this way. That said, there are at least two options worth mentioning:
- Manage the cert in the traffic certs section, do dns-01 validation (doesn’t require an Internet HTTP:80 listener), and then use a separate script on the BIG-IP to move that updated cert from traffic certs section to device cert. Kojot would behave the same, you’d just need this additional script to move the new cert to device.
- Host an internal ACMEv2 service and dns-01 – this solves for the public Internet access issue with http-01. You’d still need the script to move from traffic certs to device.
- Arturo, May 19, 2025
Employee
As Kevin rightly pointed out, using the ACME protocol—particularly the http-01 challenge—for renewing the BIG-IP management certificate is not practical.
While the dns-01 challenge offers a workaround (by validating ownership via DNS rather than HTTP), it still doesn’t directly solve the problem. A lot of devices do not have the hostname provided on the DNS server.
That said, there is a more suitable solution available:
A better and more secure alternative is to use a script-based approach that leverages the EST (Enrollment over Secure Transport) protocol. This method allows you to:
- Authenticate securely to your internal certificate authority.
- Request and retrieve new certificates over HTTPS.
- Automatically install the renewed certificate on the BIG-IP management interface.
This avoids public exposure and can be fully automated in environments where an internal PKI with EST support is available (e.g., Microsoft ADCS with EST proxy, EJBCA, etc.).
If you’re managing BIG-IP devices at scale or aiming for a hands-off certificate lifecycle, this approach is recommended.
- Ichnafi, Jun 10, 2025
Cirrostratus
Hello Arturo,
Are there any examples or additional articles that show what a script-based solution using EST would look like?