We have around 2000 certs that needs to renew every two year...which is really tiresome. Is there any tool to automate this process...?

I don't know of any tool but you could think of using a wild card cert if possible. Also does your CA allow auto enrollment or generation of certificates? You could script writing out a whole bunch of CSR but you would have to find out if your CA is able to accommodate requesting a certificate like this. If so then just writing simple shell scripts you should be able to generate a CSR, send the request to the CA, import the certificate via tmsh then modify the virtual to use the new cert. Just a theory and I have not tested any of this so you will need to investigate in your environment. Seth

You can generate CSRs and import certificates with tmsh. Have a look at sol14534

@Seth thank you for the immediate reply, however wildcard cert is not an option. @Uni thank you for sharing solution link, however I am already doing the same but can you imagine updating 2000 cert every two year...now about half of them are yearly...so...my whole time is spent around renewing cert and updating LTMs and these are no self-signed these are CA certs...yes don't ask me why...but that is true..so wondering if there is any way to automate that process. Thank you.

What CA are you using to generate your certs? I don't think this limitation is going to be the BigIP but more than likely a limitation of your CA. Seth

wow...I just realized I haven't checked this account for long time....Whoops...so it's CA issue right. The regular SSL cert renewal is to generate new csr - cert - upload - apply .....now this process we need to follow almost 2000 times...

SSL certificate automation

12 Replies

Seth_Cooper
Employee
Dec 11, 2014
I don't know of any tool but you could think of using a wild card cert if possible.

Also does your CA allow auto enrollment or generation of certificates? You could script writing out a whole bunch of CSR but you would have to find out if your CA is able to accommodate requesting a certificate like this. If so then just writing simple shell scripts you should be able to generate a CSR, send the request to the CA, import the certificate via tmsh then modify the virtual to use the new cert.

Just a theory and I have not tested any of this so you will need to investigate in your environment.

Seth
uni
Altostratus
Dec 12, 2014
You can generate CSRs and import certificates with tmsh. Have a look at sol14534
johnestate_1382
Nimbostratus
Dec 12, 2014
@Seth thank you for the immediate reply, however wildcard cert is not an option. @Uni thank you for sharing solution link, however I am already doing the same but can you imagine updating 2000 cert every two year...now about half of them are yearly...so...my whole time is spent around renewing cert and updating LTMs and these are no self-signed these are CA certs...yes don't ask me why...but that is true..so wondering if there is any way to automate that process. Thank you.
Seth_Cooper
Employee
Dec 12, 2014
What CA are you using to generate your certs? I don't think this limitation is going to be the BigIP but more than likely a limitation of your CA.

Seth
johnestate_1382
Nimbostratus
Feb 21, 2015
wow...I just realized I haven't checked this account for long time....Whoops...so it's CA issue right. The regular SSL cert renewal is to generate new csr - cert - upload - apply .....now this process we need to follow almost 2000 times...
StephanManthey
MVP
Feb 21, 2015
Hi Johnestate,

the CSR process doesn´t need to be done on your F5 device.

An external tool can be used to create a new private key, create a new certificate signing request to be handed over to the certificate authority.

Now the private key, new signed certificate and chain (intermediate certificate authority) need to be imported to the TMOS filestore (assuming you are already on TMOS v11).

As uni already pointed out, the import to the filestore can be done on CLI.

With a fitting index-based naming convention (for naming client-ssl profiles and keys/certificates) I can imagine to use a generic script for this task:

- i.e. each client/service has a fixed numeric index,

- the associated client-ssl profile is using the same index in it´s name,

- certificate attributes (cn, ou, ...) for each services are hold in a comma separated list headed by the index and last date (universal format) of certificate creating,

- this list get´s parsed daily by a cronjob and openssl is used to create a new private key (file name with index and serial number), new csr based on newly generated key with attributes taken from the list

- manual part: forwarding of csr to certificate authority - manual part: putting the signed certificate back to a folder - daily cronjob is parsing the folder and using openssl to look into the newly signed certs common name, finds a match in the "database", uses the index to find the associated private key and imports this pair via tmsh to the BIG-IP I´m not aware of a ready-to-run solution and I understand your pain to keep such a number of certificates up to date.

Thanks, Stephan
johnestate_1382
Nimbostratus
Feb 21, 2015
Thank you Stephan for adding detailed process - so CSR process on external tool - importing cert and chain to F5, applying it to virtual...this is all tedious manual work and I believe as we go on we would be using more and more SSL/HTTPS traffic instead of HTTP so SSL cert that even smaller companies would be large portion of their work....so wanted to know if there is anyway to automate SSL cert management either commercial or open source application or even writing code/script....
- StephanManthey
  MVP
  Feb 21, 2015
  Hi johnestate, in case I had to handle 2k cert renewals I would definitely invest into a commercial solution or spend some time in writing a script. The summary above is a first shot how it could look like. By now I haven´t touched BIG-IQ and perhaps your peers at F5 can give a demo or tell if the aspect of certificate handling is included or planned to be. I saw a demo of AppViewX a while ago (they are partnering with F5 and are providing a 3rd party management application for ADCs) but cannot remember, if this aspect is covered. If not, they seem to flexible enough to build something quickly. Certificate handling is a very sensitive task. Piping all private keys through an external tool written by somebody else requires high attention. Ideally private keys never leave your BIG-IPs except for backup in a password protected .ucs archive. Btw, I just entered the search term "certificate authority certificate request application programming interface" and got a hit. So obviously some certificate authorities are prepared to handle this process in an automated way. Anyway, my first choice would be an own scripted solution and if there is some spare time, I will try to write some lines. How are you currently handling this process? Using the WebUI or CLI (openssl or tmsh) based CSR generation? Import to TMOS filestore (assuming you are on TMOS v11 already) via WebUI or CLI (tmsh)? Replacement of cert, key and chain in client-ssl profile via WebUI or CLI (tmsh)? Using a database to handle certificate parameters? Thanks, Stephan
johnestate_1382
Nimbostratus
Feb 22, 2015
Thank you Stephan, today we manage all our LB deployment/troubleshooting using CLI (found several GUI bugs) and use external SSL management for CSR, Key and CA certificates...but appreciate mentioning AppViewX, I was actually looking at this solution perhaps easier way to manage the certificates and renewals.
JoshBecigneul
MVP
May 16, 2015
I recently participated in a live demo of AppViewX and they spent a significant amount of time regarding SSL Certificates and replacement automation. They claim to have support for automating certificate renewals with some of the major certificate authorities. I would recommend checking them out and see if they fit your needs.
verleihnix
Nimbostratus
Dec 21, 2015
Hi johnestate,

did you find a solution for your problem? We're currently also looking into automation.

Would be great to share your experience.

thanks verleihnix