10-Oct-2019 04:56 - edited 09-Nov-2022 11:30
If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex, and how important, certificate and key management is. Certificates and keys secure data in transit and establish application identity, so any mismanagement (an expired certificate, a key that is not rotated, a private key copied to the wrong place) is a significant risk to both security and day-to-day operations.
F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security.
F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel to the Venafi Trust Protection Platform (TPP) over which it submits certificate signing requests and performs enrollment. Once the signed certificates are received from Venafi TPP, BIG-IQ lets you assign them to virtual servers and securely provision them to the managed BIG-IP systems.
Before beginning the detailed configuration, we recommend verifying from BIG-IQ that the Venafi TPP server's hostname resolves and that the server is reachable over the network; a failure at either step will otherwise surface later as an enrollment error.
You can now assign this imported certificate to your managed BIG-IP VE devices.
As this demonstration shows, BIG-IQ not only offers centralized management for BIG-IP systems, it also provides a one-stop solution for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution lets you deliver secure applications more quickly and reliably, whether on premises or in the cloud.
Looking to get some help with this integration. I have followed the directions to a tee. Question is this. When the F5 BIG-IQ submits the request to Venafi for a certificate, we usually have an approval workflow set up in Venafi and it may take up to an hour for someone to approve the certificate. How will the F5 BIG-IQ handle this scenario? Is it expecting an immediate response from the Venafi API or will it wait and check in? Need some better documentation on this. We also have our Venafi policy folders set to not allow users to submit their own CSRs; we want the keys to be stored in Venafi. But in this case the BIG-IP is submitting the CSR/key. How will it handle that? Any help is appreciated.