For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
richaed's avatar
richaed
Icon for Altostratus rankAltostratus
Dec 05, 2025

Hi, I would like to implement KOJOT-ACME on a shared BIG-IP hosting multiple users. Please allow me to ask the following questions:
・I am concerned that ACME-related traffic will concentrate and cause high load. How much load can be expected from certificate issuance, acquisition, and renewal?
・I understand that an ACMEv2 challenge iRule must be applied to the HTTP VIP. Please clarify whether a single ACME-dedicated VIP is sufficient, or if it must be applied to each user's VIP.

  • Frank_Reininga's avatar
    Frank_Reininga
    Icon for Nimbostratus rankNimbostratus
    Dec 05, 2025

    Hi Richaed,

    Regarding the load. I have not noticed the amount of traffic. Certificates are renewed in 1 after another. So this is very little.

    For the iRule. Depends on your CA. Currently we have CA with EAB account and challenge is not needed. If challenge is needed, this needs to be on every VIP port 80 before the ssl-redirect irule.