F5 Venafi Solution for Enterprise Key and Certificate Management

Solution Overview

 

 If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex—and important—the certificate and key management process is. Certificates and keys play a critical role in securing data and application identity, and any mismanagement represents a significant risk to security and overall operations.

 

F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security.

 

Solution Deployment

 

 F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel with Venafi Trust Protection Platform (TPP) for certificate signing requests and enrollment. Once the certificates are signed and received from Venafi TPP, BIG-IQ enables you to assign them to the virtual servers and securely provision them to BIG-IP systems.

 

 

 

 

Bill of materials

 

  • F5 BIG-IQ, managing BIG-IP systems
  • Venafi Trust Protection Platform (TPP)

 

Deployment Steps

 

 Before beginning the detailed configuration, we recommend verifying the network reachability and hostname resolution of Venafi TPP server from BIG-IQ.

 

Step-1: Add Venafi as third party CA provider in BIG-IQ

  • From the BIG-IQ management GUI, click on the Configuration tab and navigate to LOCAL TRAFFIC >> Certificate Management >> Third Party CA Management.
  • Click the Create button and select Venafi as the CA provider.
  • Enter the WebSDK URL and credentials to authenticate with Venafi.
  • Once configured, click the Test Connection button to verify BIG-IQ can reach Venafi TPP server.

  • Click the Save & Close button. The Venafi provider you added appears in the list.
  • Click the Edit Policy link of the new Venafi provider you added.
  • In the Policy Folder Path, type the path of the Venafi TPP where the certificates and keys are located, and then click the Get button.
  • BIG-IQ populates the Policy Folder List with the policies to where BIG-IQ should send Certificate Signing Requests. At this point (or later), you have the option to rename the policies for easier identification by editing its nickname.
  • Click the Save & Close button.

 

Step-2: Create a CSR to get a signed certificate from Venafi

  •  Navigate to LOCAL TRAFFIC >> Certificate Management >> Certificates & Keys and click on the Create button.
  • Select ‘Venafi’ as the Issuer, and the policy folder.
  • Specify the Certificate and Key properties.
  • Click the Save & Close button. BIG-IQ generates the CSR and sends it to Venafi TPP for signed certificates and keys.

You can now assign this imported certificate to your managed BIG-IP VE devices.

 

Step-3: Assign the certificate and key to the application

  • Navigate to LOCAL TRAFFIC >> Profiles. Click the Create button.
  • Create a Client SSL Profile selecting the certificate and the key.
  •  Once configured, click the Save & Close button

  • Navigate to LOCAL TRAFFIC >> Virtual Servers. Click the Create button.
  • Create a virtual server and assign the client SSL profile.
  • Once configured, click the Save & Close button

 

Step-4: Deploy the configuration to a target BIG-IP System

  •  Click on the Deployment tab and navigate to EVALUATE & DEPLOY >> Local Traffic & Network.
  •  In Deployment section, Click the Create button.
  •  Select the Virtual Server object and Target Device- BIG-IP system. Click the Deploy button.

  •  Click on the configuration tab and navigate to LOCAL TRAFFIC >> Virtual Servers. You will see the virtual server has been successfully deployed to the target BIG-IP system.

 

Summary

 

 As this demonstration shows, BIG-IQ not only offers a centralized management solution for BIG-IP systems, it also provides a one stop solution for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution enables you to deliver secure applications more quickly and effectively, whether on-premises or on cloud.

 

Additional Links

Updated Nov 09, 2022
Version 2.0
  • MattM's avatar
    MattM
    Icon for Nimbostratus rankNimbostratus

    ​Looking to get some help with this integration.  I have followed the directions to a tee.  Question is this.  When the F5 BIGIQ submits the request to Venafi for a certificate, we usually have an approval workflow set up in Venafi and it may take up to an hour for someone to approve the certificate.  How will the F5 BigIQ handle this scenario?  Is it expecting an immediate response from the Venafi API or will it wait an check in?  Need some better documentation on this.  We also have our Venafi policy folders set to not allow users to submit their own. CSRS, we want the keys to be stored in Venafi.  But in this case the BIG IP is submitting the CSR/key.  How will it handle that?  Any help is appreciated.