Manual Chapter : Integrating Venafi with BIG-IQ for Certificate Management

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Integrating with Venafi for certificate and key management

F5 Networks and Venafi have partnered to provide a tightly integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the time you spend requesting and distributing certificates and keys to your managed devices. From BIG-IQ, you have centralized management of the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.
Once configured, centralized management maintains automatic renewal and deployment of Venafi certificates across your BIG-IP devices.
To protect sensitive information on your Venafi Trust Protection Platform, BIG-IQ generates a new authorization key with each API call. The authorization key expires soon after each call (approximately 3 minutes), preventing attackers from gaining access by re-using older keys.

Automatic Renewal and Deployment

Venafi certificates are subject to updates and expiration. BIG-IQ can be used to centrally manage and deploy those updates to the BIG-IP devices that serve a web domain. After you configure Venafi on BIG-IQ, you can automate the certificate renewal process for your domains.
You can monitor these updates using system alerts; see Monitoring > ALERTS & NOTIFICATIONS. For more information about Venafi alerts, see Manage Venafi sync alerts.

Add Venafi as a third-party CA provider

You'll need to configure your Venafi Trust Protection Platform before you add Venafi as a CA provider.
Add Venafi as a CA provider so you can send Certificate Signing Requests to Venafi to get certificates and keys for your BIG-IP devices from BIG-IQ.
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Third Party CA Management.
  3. Click the name of the certificate.
  4. From the CA Providers list, select Venafi.
  5. In the Web SDK Endpoint field, type the address of the Venafi Web SDK endpoint.
    BIG-IQ sends the CSR to this address.
  6. In the User Name and Password fields, type the user name and password for the Web SDK Endpoint.
  7. In the Authenticate field, click the Test Connection button to verify that BIG-IQ can reach the endpoint.
    If you haven't yet configured the Venafi Trust Protection Platform, the test will fail.
  8. In the Key Passphrase field, enter a value that meets the listed criteria.
    The key passphrase provides authorization to Venafi for scheduled certificate synchronization. This step is not mandatory, but it is recommended for optimized certificate management.
  9. To renew certificates prior to their expiration, enable the Auto Renewal option.
    By default, enabling this option automatically renews certificates 7 days before expiration. You can select a longer period of time.
  10. To automatically deploy renewed certificates to your BIG-IP devices, enable the Auto Deploy option.
    By default, enabling this option automatically deploys renewed certificates at 00:00 (midnight) following certificate renewal. You can select a different time of day.
  11. Click the Save & Close button at the bottom of the screen.
    The Venafi provider you added appears in the list.
  12. Click the Edit Policy link of the new Venafi provider you added.
  13. In the Policy Folder Path field, type the path on the Venafi Trust Protection Platform where the certificates and keys are located, and then click the Get button.
    BIG-IQ populates the Policy Folder List with the policies to which BIG-IQ should send Certificate Signing Requests. At this point (or later), you can rename the policies for easier identification by editing their nicknames.
  14. If you want to change the credentials of the Venafi Web SDK endpoint, click its name.
You can now add a Venafi CSR to send to Venafi to get certificates for your BIG-IP VE devices.

Create a CSR to get a signed certificate from Venafi

To automatically send a CSR from BIG-IQ, you must have selected User Provided CSR for the CSR Generation option when you configured the Venafi platform.
Create a Certificate Signing Request (CSR) on BIG-IQ to use to request certificates and keys from Venafi.
  1. At the top of the screen, click Devices.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the name of the certificate.
  4. If the partition is anything other than Common, type it into the Partition field.
  5. In the Certificate Properties area, from the Issuer list, select the Venafi CA.
  6. From the Policy Folder list, select the policy you retrieved from Venafi.
  7. Specify the division and organization for the certificate.
  8. Complete the SSL certificate properties.
    A Subject Alternative Name is embedded in a certificate as an X.509 extension. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
  9. Click the Save & Close button at the bottom of the screen.
    If Venafi is configured for manual CSR approval, the approval process might take a few hours. The pending approval is indicated in the BIG-IQ UI until the certificate is retrieved. Navigating away from this screen does not disrupt the process.
BIG-IQ generates the CSR and sends it to Venafi for signed certificates and keys. The signed certificate appears on the Certificates & Keys screen.
You can now assign this certificate to your managed BIG-IP VE devices.
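The Subject Alternative Name field described in step 8 takes a comma-separated list of name:value pairs whose name is one of email, DNS, URI, IP, or RID. The validator below is an added example, not BIG-IQ or Venafi code: it parses that field format before the CSR is submitted and rejects unsupported name types and malformed values. The per-type value checks (label syntax for DNS, a dotted OID for RID, and so on) are this example's own assumptions; the manual only lists the type names and the list format.

```python
import ipaddress
import re

# Name types the BIG-IQ Subject Alternative Name field accepts, as listed in the manual.
SUPPORTED_SAN_TYPES = {"email", "DNS", "URI", "IP", "RID"}

_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_RID = re.compile(r"^\d+(\.\d+)+$")  # assumption: RID is a dotted OID such as 1.3.6.1.4.1

def _valid_dns(name: str) -> bool:
    labels = name.split(".")
    if labels and labels[0] == "*":  # allow a single leading wildcard label
        labels = labels[1:]
    return bool(labels) and all(_DNS_LABEL.match(label) for label in labels)

def _valid_value(kind: str, value: str) -> bool:
    """Per-type sanity check; these rules are this example's assumptions."""
    if kind == "email":
        local, sep, domain = value.rpartition("@")
        return bool(sep and local) and _valid_dns(domain)
    if kind == "DNS":
        return _valid_dns(value)
    if kind == "URI":
        return "://" in value and not value.startswith("://")
    if kind == "IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
            return True
        except ValueError:
            return False
    return bool(_RID.match(value))  # RID

def parse_san_field(field: str):
    """Parse 'type:value, type:value' into (type, value) pairs.
    Returns (pairs, errors); an entry lands in errors if it lacks a colon,
    uses an unsupported name type, or fails the per-type value check."""
    pairs, errors = [], []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            continue
        kind, sep, value = entry.partition(":")  # split on the first colon only, so URIs and IPv6 survive
        kind, value = kind.strip(), value.strip()
        if not sep or not value:
            errors.append(f"malformed entry: {entry!r}")
        elif kind not in SUPPORTED_SAN_TYPES:
            errors.append(f"unsupported name type {kind!r} in {entry!r}")
        elif not _valid_value(kind, value):
            errors.append(f"invalid {kind} value {value!r}")
        else:
            pairs.append((kind, value))
    return pairs, errors

# Constructed sample field for a stand-alone run.
SAMPLE_SAN = "DNS:www.example.com, DNS:*.example.com, IP:10.0.0.1, email:admin@example.com"
```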

Importing certificates and keys from Venafi

You must add Venafi as a third-party certificate authority before you can import certificates from Venafi.
Import certificates from Venafi so you can deploy them to your managed BIG-IP devices.
  1. At the top of the screen, click Devices.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. From the Import Type list, select Import from CA Providers.
  4. Select the check box next to Venafi, enter the passphrase, and click the Import button at the bottom of the screen.

Managing Venafi sync scheduler alerts

Venafi synchronization occasionally raises alerts when there is duplicate naming under certificate properties. This occurs when multiple policy folders have a certificate with the same name. You can resolve these errors and complete the certificate sync process by manually selecting a policy folder using the alert.
  1. Go to Monitoring > ALERTS & NOTIFICATIONS.
  2. Select the alert titled Venafi sync scheduler.
  3. Under the Certificate Properties area, select an option from the Choose Policy Folder column.
    By doing this, you choose the correct Venafi policy folder with which to associate the certificate sync process.
  4. Repeat step 3 for all certificates with duplicate naming.
  5. Click Save & Close.