Manual Chapter : Integrating Venafi with BIG-IQ for Certificate Management

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 7.0.0
Manual Chapter

Integrating Venafi with BIG-IQ for Certificate Management

Integrating with Venafi for certificate and key management

F5 Networks and Venafi have partnered to provide a tightly-integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the amount of time you have to spend requesting and distributing certificates and keys to your managed devices. From BIG-IQ, you have a centralized view into the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.
To maintain the security of sensitive information on your Venafi Trust Protection Platform information, BIG-IQ generates a new authorization key with each API call. The authorization key expires soon after each call, preventing attackers from gaining access by re-using older keys.

Add Venafi as a third-party CA provider

You'll need to configure your Venafi Trust Protection Platform before you add Venafi as a CA provider.
Add Venafi as a CA provider so you can send Certificate Signing Requests to Venafi to get certificates and keys for your BIG-IP devices from BIG-IQ.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    LOCAL TRAFFIC.
  3. On the left, click
    Certificate Management
    Third Party CA Management
    .
  4. Near the top of the screen, click the
    Create
    button.
  5. From the
    CA Providers
    list, select
    Venafi
    .
  6. In the
    Web SDK Endpoint
    field, type the address for the Venafi Web SDK endpoint BIG-IQ sends the CSR to.
  7. In the
    User Name
    and
    Password
    fields, type the user name and password for the Web SDK Endpoint.
  8. Click the
    Test Connection
    button to verify BIG-IQ can reach it.
    If you haven't yet configured the Venafi Trust Protection Platform, the test will fail.
  9. Click the
    Save & Close
    button at the bottom of the screen.
    The Venafi provider you added appears in the list.
  10. Click the
    Edit Policy
    link of the new Venafi provider you added.
  11. In the
    Policy Folder Path
    type the path of the Venafi Trust Protection Platform where the certificates and keys are located, and then click the
    Get
    button.
    BIG-IQ populates the Policy Folder List with the policies to where BIG-IQ should send Certificate Signing Requests. At this point (or at a later time), you have the option to rename the policies for easier identification by editing its nickname.
  12. If you want to change the credentials of the Venafi Web SDK endpoint, click its name.
You can now add a Venafi CSR to send to Venafi to get certificates for your BIG-IP VE devices.

Create a CSR to get a signed certificate from Venafi

To automatically send a CSR from BIG-IQ, you must have selected
User Provided CSR
for the CSR Generation option when you configured the Venafi platform.
Create a Certificate Signing Request (CSR) on BIG-IQ to use to request certificates and keys from Venafi.
  1. At the top of the screen, click
    Traffic & Network
  2. On the left, click
    LOCAL TRAFFIC
    Certificate Management
    Certificates & Keys
    .
  3. Near the top of the screen, click the
    Create
    button.
  4. If the partition is anything other than
    Common
    , type it into the
    Partition
    field.
  5. In the Certificate Properties area, from the
    Issuer
    list, select the Venafi CA.
  6. From the
    Policy Folder
    list, select the policy you retrieved from Venafi.
  7. Specify the division and organization for the certificate.
  8. Complete the SSL certificate properties.
    A Subject Alternative Name is embedded in a certificate for X509 extension purposes. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  9. Click the
    Save & Close
    button at the bottom of the screen.
BIG-IQ generates the CSR and sends it to Verafin for signed certificates and keys. The signed certificate displays on the Certificate and Keys screen.
You can now assign this certificate to your managed BIG-IP VE devices.

Importing certificates and keys from Venafi

You must add Venafi as a third-party certificate authority before you can import certificates from Venafi.
Import certificates from Venafi so you can deploy them to your managed BIG-IP devices.
  1. At the top of the screen, click
    Configuration
    .
  2. On the left, click
    Certificate Management
    Certificates & Keys
    .
  3. From the
    Import Type
    list, select
    Import from CA Providers
    .
  4. Select the check box next to
    Venafi
    , enter the passphrase, and click the
    Import
    button at the bottom of the screen.