For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
KarimBenyelloul's avatar
KarimBenyelloul
Icon for Cirrostratus rankCirrostratus
May 19, 2025

Hello, is there a way to automate the renewal of the management BIG-IP device certificate in a similar manner?

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 19, 2025

By virtue of the http-01 validation process, the cert subject has to be resolvable by public DNS, and that resolved IP has to have an HTTP:80 listener on the public Internet that the ACMEv2 server can get to. And since a BIG-IP mgmt. UI should never be exposed to the Internet, it really isn’t practical to renew device certs this way. That said, there are at least two options worth mentioning:

  • Manage the cert in the traffic certs section, do dns-01 validation (doesn’t require an Internet HTTP:80 listener), and then use a separate script on the BIG-IP to move that updated cert from traffic certs section to device cert. Kojot would behave the same, you’d just need this additional script to move the new cert to device.
  • Host an internal ACMEv2 service and dns-01 – this solves for the public Internet access issue with http-01. You’d still need the script to move from traffic certs to device.