Manual Chapter : Integrating Venafi with BIG-IQ for Certificate Management

Applies To:


BIG-IQ Centralized Management

  • 7.0.0

Integrating with Venafi for certificate and key management

F5 Networks and Venafi have partnered to provide a tightly integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the time you spend requesting and distributing certificates and keys to your managed devices. From BIG-IQ, you have a centralized view of the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.
To protect sensitive information on your Venafi Trust Protection Platform, BIG-IQ generates a new authorization key for each API call. The authorization key expires shortly after the call, so an attacker cannot gain access by reusing an older key.

Add Venafi as a third-party CA provider

You must configure your Venafi Trust Protection Platform before you add Venafi as a CA provider.
Add Venafi as a CA provider so that BIG-IQ can send Certificate Signing Requests to Venafi and obtain certificates and keys for your BIG-IP devices.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC.
  3. On the left, click Certificate Management, then Third Party CA Management.
  4. From the CA Providers list, select Venafi.
  5. Click Create.
  6. In the Web SDK Endpoint field, type the address of the Venafi Web SDK endpoint that BIG-IQ sends the CSR to.
  7. In the User Name and Password fields, type the user name and password for the Web SDK endpoint.
  8. Click the Test Connection button to verify that BIG-IQ can reach the endpoint.
     If you have not yet configured the Venafi Trust Protection Platform, the test fails.
  9. Click the Save & Close button at the bottom of the screen.
     The Venafi provider you added appears in the list.
  10. Click the Edit Policy link of the new Venafi provider you added.
  11. In the Policy Folder Path field, type the path on the Venafi Trust Protection Platform where the certificates and keys are located, and then click the Get button.
     BIG-IQ populates the Policy Folder List with the policies to which BIG-IQ should send Certificate Signing Requests. At this point (or later), you can rename a policy for easier identification by editing its nickname.
  12. If you want to change the credentials of the Venafi Web SDK endpoint, click its name.
You can now create a Venafi CSR and send it to Venafi to get certificates for your BIG-IP VE devices.

Create a CSR to get a signed certificate from Venafi

To automatically send a CSR from BIG-IQ, you must have selected User Provided CSR for the CSR Generation option when you configured the Venafi platform.
Create a Certificate Signing Request (CSR) on BIG-IQ to request certificates and keys from Venafi.
  1. At the top of the screen, click Traffic & Network.
  2. On the left, click LOCAL TRAFFIC, then Certificate Management, then Certificates & Keys.
  3. Near the top of the screen, click the Create button.
  4. If the partition is anything other than Common, type it into the Partition field.
  5. In the Certificate Properties area, from the Issuer list, select the Venafi CA.
  6. From the Policy Folder list, select the policy you retrieved from Venafi.
  7. Specify the division and organization for the certificate.
  8. Complete the SSL certificate properties.
     A Subject Alternative Name (SAN) is embedded in the certificate as an X.509 extension. Supported name types are email, DNS, URI, IP, and RID. In the Subject Alternative Name field, enter a comma-separated list of name:value pairs.
  9. Click the Save & Close button at the bottom of the screen.
     If Venafi is configured for manual CSR approval, approval might take a few hours. The BIG-IQ UI shows the request as pending until the certificate is retrieved. Navigating away from this screen does not disrupt the process.
BIG-IQ generates the CSR and sends it to Venafi for signed certificates and keys. The signed certificate appears on the Certificates & Keys screen.
You can now assign this certificate to your managed BIG-IP VE devices.
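The Subject Alternative Name field in step 8 accepts a comma-separated list of name:value pairs with the email, DNS, URI, IP and RID types. The following is an added example, not code from the BIG-IQ documentation or from F5 or Venafi, that checks such a string before it is entered in the field and renders it in the equivalent OpenSSL subjectAltName syntax, so the intended SANs can be compared against what the resulting CSR actually carries. It assumes that type names may be matched case-insensitively and that whitespace around the commas is tolerated; both are assumptions of this example, and the sample SAN strings are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Name types the BIG-IQ documentation lists as supported for the SAN field.
SUPPORTED_SAN_TYPES = ("email", "DNS", "URI", "IP", "RID")
# Case-insensitive lookup that normalizes to the documented spelling (assumption).
_CANONICAL = {t.lower(): t for t in SUPPORTED_SAN_TYPES}

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Dotted-decimal object identifier, e.g. 1.3.6.1.4.1
_RID = re.compile(r"^\d+(\.\d+)+$")
# Minimal sanity check for an rfc822Name; not a full RFC 5322 parser.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SanFormatError(ValueError):
    """Raised when the SAN field does not follow the documented format."""


def _validate_dns(value):
    host = value[2:] if value.startswith("*.") else value  # allow one leading wildcard label
    labels = host.split(".")
    if not all(_DNS_LABEL.match(label) for label in labels):
        raise SanFormatError(f"invalid DNS name: {value!r}")


def _validate_ip(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
    except ValueError:
        raise SanFormatError(f"invalid IP address: {value!r}") from None


def _validate_uri(value):
    if not urlsplit(value).scheme:
        raise SanFormatError(f"URI must include a scheme: {value!r}")


def _validate_email(value):
    if not _EMAIL.match(value):
        raise SanFormatError(f"invalid email address: {value!r}")


def _validate_rid(value):
    if not _RID.match(value):
        raise SanFormatError(f"invalid registered ID (OID): {value!r}")


_VALIDATORS = {
    "DNS": _validate_dns,
    "IP": _validate_ip,
    "URI": _validate_uri,
    "email": _validate_email,
    "RID": _validate_rid,
}


def parse_san_field(text):
    """Parse 'DNS:www.example.com, IP:192.0.2.10' into a list of (type, value) tuples.

    Duplicate entries are dropped; any malformed entry raises SanFormatError.
    """
    entries, seen = [], set()
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        if ":" not in item:
            raise SanFormatError(f"entry {item!r} is not a name:value pair")
        # Split on the first colon only, so IPv6 literals and URIs keep their colons.
        name, value = (part.strip() for part in item.split(":", 1))
        canonical = _CANONICAL.get(name.lower())
        if canonical is None:
            raise SanFormatError(
                f"unsupported SAN type {name!r}; expected one of {', '.join(SUPPORTED_SAN_TYPES)}")
        if not value:
            raise SanFormatError(f"empty value for {canonical} entry")
        _VALIDATORS[canonical](value)
        # DNS names and email domains are case-insensitive; dedupe on a folded key.
        key = (canonical, value.lower() if canonical in ("DNS", "email") else value)
        if key not in seen:
            seen.add(key)
            entries.append((canonical, value))
    if not entries:
        raise SanFormatError("SAN field is empty")
    return entries


def check_san_field(text):
    """Return None when the field is well-formed, otherwise the error message."""
    try:
        parse_san_field(text)
    except SanFormatError as exc:
        return str(exc)
    return None


def to_openssl_san(entries):
    """Render parsed entries in OpenSSL's subjectAltName syntax (same type names)."""
    return "subjectAltName=" + ",".join(f"{t}:{v}" for t, v in entries)


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    sample = "DNS:www.example.com, dns:WWW.example.com, IP:192.0.2.10, email:admin@example.com"
    print(to_openssl_san(parse_san_field(sample)))
```

The OpenSSL rendering is useful because `openssl req -text -noout -in request.csr` prints the X509v3 Subject Alternative Name of a CSR with the same type names, which gives a quick cross-check that the field was entered as intended.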

Importing certificates and keys from Venafi

You must add Venafi as a third-party certificate authority before you can import certificates from Venafi.
Import certificates from Venafi so that you can deploy them to your managed BIG-IP devices.
  1. At the top of the screen, click Configuration.
  2. On the left, click Certificate Management, then Certificates & Keys.
  3. From the Import Type list, select Import from CA Providers.
  4. Select the check box next to Venafi, enter the passphrase, and click the Import button at the bottom of the screen.