Forum Discussion
12 Replies
- Seth_Cooper (Employee)
I don't know of any tool, but you could think of using a wildcard cert if possible.
Also, does your CA allow auto-enrollment or generation of certificates? You could script writing out a whole bunch of CSRs, but you would have to find out if your CA is able to accommodate requesting a certificate like this. If so, then with simple shell scripts you should be able to generate a CSR, send the request to the CA, import the certificate via tmsh, then modify the virtual to use the new cert.
Just a theory and I have not tested any of this so you will need to investigate in your environment.
Seth
- johnestate_1382 (Nimbostratus)
@Seth thank you for the immediate reply, however a wildcard cert is not an option. @Uni thank you for sharing the solution link, however I am already doing the same, but can you imagine updating 2000 certs every two years... now about half of them are yearly... so my whole time is spent renewing certs and updating LTMs, and these are not self-signed, these are CA certs... yes, don't ask me why... but that is true. So I am wondering if there is any way to automate that process. Thank you.
- Seth_Cooper (Employee)
What CA are you using to generate your certs? I don't think this limitation is going to be the BigIP but more than likely a limitation of your CA.
Seth
- johnestate_1382 (Nimbostratus)
Wow... I just realized I haven't checked this account for a long time... Whoops... so it's a CA issue, right? The regular SSL cert renewal is to generate a new CSR - cert - upload - apply... now this process we need to follow almost 2000 times...
Hi Johnestate,
- johnestate_1382 (Nimbostratus)
Thank you Stephan for adding the detailed process - so the CSR process on an external tool, importing cert and chain to F5, applying it to the virtual... this is all tedious manual work, and I believe as we go on we would be using more and more SSL/HTTPS traffic instead of HTTP, so SSL certs would be a large portion of the work even for smaller companies... so I wanted to know if there is any way to automate SSL cert management, either a commercial or open source application or even writing code/scripts...
- Hi johnestate, in case I had to handle 2k cert renewals I would definitely invest in a commercial solution or spend some time writing a script. The summary above is a first shot at how it could look. By now I haven't touched BIG-IQ, and perhaps your peers at F5 can give a demo or tell if the aspect of certificate handling is included or planned to be. I saw a demo of AppViewX a while ago (they are partnering with F5 and are providing a 3rd party management application for ADCs) but cannot remember if this aspect is covered. If not, they seem to be flexible enough to build something quickly.
Certificate handling is a very sensitive task. Piping all private keys through an external tool written by somebody else requires high attention. Ideally private keys never leave your BIG-IPs except for backup in a password protected .ucs archive.
Btw, I just entered the search term "certificate authority certificate request application programming interface" and got a hit. So obviously some certificate authorities are prepared to handle this process in an automated way. Anyway, my first choice would be my own scripted solution, and if there is some spare time, I will try to write some lines.
How are you currently handling this process?
- Using the WebUI or CLI (openssl or tmsh) based CSR generation?
- Import to TMOS filestore (assuming you are on TMOS v11 already) via WebUI or CLI (tmsh)?
- Replacement of cert, key and chain in client-ssl profile via WebUI or CLI (tmsh)?
- Using a database to handle certificate parameters?
Thanks, Stephan
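As an added example (not Stephan's script nor anything shipped by F5), here is the shape the tmsh-based renewal discussed above could take for one client-ssl profile: the key and CSR are generated with openssl on the BIG-IP itself so the private key stays on the box, the CA-issued cert is checked against the key before anything is applied, and `TMSH=echo` previews the commands on a machine without tmsh. It assumes the tmsh verbs `install sys crypto key/cert ... from-local-file` and `modify ltm profile client-ssl ... key/cert/chain`; the profile and object names are placeholders.

```bash
#!/bin/sh
# Constructed example for one BIG-IP client-ssl profile renewal.
# TMSH defaults to the real binary; set TMSH=echo to preview commands.
TMSH="${TMSH:-tmsh}"

# Generate a fresh 2048-bit RSA key and CSR with openssl on the BIG-IP itself,
# so the private key never leaves the box. Args: output dir, common name.
make_csr() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=${cn}" \
        -keyout "${dir}/${cn}.key" -out "${dir}/${cn}.csr" 2>/dev/null
}

# Compare the public key inside the CA-issued cert with the one derived from
# the private key; a mismatch means the wrong cert came back from the CA.
# Args: cert file, key file. Returns 0 only when they belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Emit the tmsh commands that import key, cert and chain into the TMOS
# filestore and repoint the client-ssl profile at the new objects.
# Args: profile name, cert file, key file, chain file, object name.
renew_commands() {
    profile="$1"; cert="$2"; key="$3"; chain="$4"; name="$5"
    # Refuse early so a half-updated profile can never result.
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; return 1; }
    done
    printf '%s\n' \
        "install sys crypto key ${name}.key from-local-file ${key}" \
        "install sys crypto cert ${name}.crt from-local-file ${cert}" \
        "install sys crypto cert ${name}-chain.crt from-local-file ${chain}" \
        "modify ltm profile client-ssl ${profile} key ${name}.key cert ${name}.crt chain ${name}-chain.crt"
}

# Run the renewal: verify cert/key first, then execute each tmsh command,
# stopping at the first failure. Same args as renew_commands.
apply_renewal() {
    key_matches_cert "$2" "$3" || { echo "cert/key mismatch for $1" >&2; return 1; }
    plan="/tmp/renew-$5.tmsh"
    renew_commands "$@" > "$plan" || return 1
    while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # intentional word splitting into tmsh args
        $TMSH $cmd || return 1
    done < "$plan"
}
```

Running `make_csr` once per hostname and feeding the returned certs to `apply_renewal` in a loop is the 2000-cert version of the same flow; the CA submission step in between depends on what your CA's API offers.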
- johnestate_1382 (Nimbostratus)
Thank you Stephan, today we manage all our LB deployment/troubleshooting using the CLI (found several GUI bugs) and use external SSL management for CSRs, keys and CA certificates... but I appreciate you mentioning AppViewX, I was actually looking at this solution, perhaps an easier way to manage the certificates and renewals.
I recently participated in a live demo of AppViewX and they spent a significant amount of time regarding SSL Certificates and replacement automation. They claim to have support for automating certificate renewals with some of the major certificate authorities. I would recommend checking them out and see if they fit your needs.
- verleihnix (Nimbostratus)
Hi johnestate,
Did you find a solution for your problem? We're currently also looking into automation.
It would be great if you could share your experience.
Thanks, verleihnix