For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Automating ACMEv2 Certificate Management on BIG-IP

Introduction While we often associate and confuse Let's Encrypt with ACMEv2, the former is ultimately a consumer of the latter. The "Automated Certificate Management Environment" (ACME) protocol de...
Updated May 12, 2025
Version 2.0
ACME
ACMEv2
certificate
Let's Encrypt
security
Kevin_Stewart's avatar
Icon for Employee rankEmployee
Joined March 16, 2006
View Profile
JRahm's avatar
Icon for Admin rankAdmin
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
View Profile
richaed's avatar
richaed
Icon for Altocumulus rankAltocumulus
Dec 17, 2025

Some LBs generate CSRs on BIG-IP, while others do not.
Typically, the ACME client generates the key pair and CSR. However, if the customer provides a certificate with a pre-generated CSR to the LB, is it possible to configure the ACME client to skip CSR generation?
Also, in cases where the LB only imports a certificate provided by the customer, is there any benefit to using the ACME client?

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Dec 17, 2025

On the first question, I'd generally say no. The ACME protocol specifically defines CSR generation as part of the interaction with the ACME service. It's probably possible to skip the CSR creation, but that defeats the purpose.

On the second, I'd also say no. ACME is intended for automated cert management. If you're providing the cert (manually), then ACME doesn't really play here.