Manual Chapter : Integrating Let's Encrypt with BIG-IQ for Certificate Management

Applies To:


BIG-IQ Centralized Management

  • 7.1.0

Integrating with Let's Encrypt for certificate and key management

Let's Encrypt is a certificate authority (CA) for website domains that require HTTPS connections. This global CA can automatically obtain, renew and manage browser-trusted SSL/TLS certificates for Domain Validation. With centralized management, you can provide Let's Encrypt certificates to several domains using a single CA management profile.

Automatic Renewal and Deployment

The certificates provided by Let's Encrypt are valid for 90 days. Following expiration, you must manually provide a key pair that validates the domain's ownership. BIG-IQ provides CA management profiles to update and deploy Let's Encrypt services over the domain's managing BIG-IP devices. Following initial domain configuration, you can fully or semi-automate the certificate renewal process for your domains.

Certificate auto renewal: Auto renewal invokes certificate renewal a selected number of days prior to certificate expiration. The system automatically retrieves the renewed, valid certificates from Let's Encrypt.

Auto deployment over BIG-IP devices: Auto deployment deploys the updated Let's Encrypt certificates over the managing BIG-IP devices. The deployment process is invoked following each certificate renewal.

Add Let's Encrypt as a third-party CA provider

Ensure that you have applied ACME client software to demonstrate control over your website domains, as required by Let's Encrypt.
Create a management profile for certificate management of your domains that require HTTPS. This process allows you to establish and authenticate a connection between your domain(s), the BIG-IP proxy and the Let's Encrypt CA provider.
To save your management profile, you must complete the mandatory fields (in yellow), validate the server, select key properties and accept terms and conditions for Let's Encrypt. Once saved, these fields are locked from editing. The remaining fields and domain configuration can then be completed at a later time.
  1. Go to Configuration > LOCAL TRAFFIC > Certificate Management > Third Party CA Management.
     The screen lists all third-party CA management profiles.
  2. Click Create.
  3. From the CA Providers list, select Lets Encrypt.
     The screen now provides details specific to Let's Encrypt.
  4. In the Name field, enter a unique identifier for the domains requiring Let's Encrypt certificate management.
  5. Select the user key properties of your domain servers.
  6. In the Server field, manually enter the Let's Encrypt URL, or click Select to select a production or staging option.
  7. Click Validate.
     The validation process establishes a connection with the Let's Encrypt servers to fetch the domain validation resources and the most recent terms and conditions. Once validated, the Terms and Conditions field becomes available.
  8. Select the Terms and Conditions check box.
  9. To renew certificates prior to their expiration, enable the Auto Renewal option.
     By default, enabling this option automatically renews certificates 7 days before expiration. You can select a longer period of time.
  10. To automatically deploy renewed certificates over your BIG-IP devices, enable the Auto Deploy option.
     By default, enabling this option automatically deploys renewed certificates at 00:00 (midnight) following certificate renewal. You can select a different time of day.
  11. Click Save & Close. To immediately connect Let's Encrypt web domains, click Save and continue.
You have created a new Let's Encrypt CA management profile.
Connect domains to the new management profile, and add automatic renewal properties to domains in this profile.

Connect Let's Encrypt to web domains

You must have a Let's Encrypt CA management profile configured.
Configure, test, and deploy the domains to your sites that require HTTPS. This process provides the challenge content that validates the connection between the domain's web server and Let's Encrypt server.
You need to configure and complete only one challenge to connect Let's Encrypt and your web domain.
  1. Go to Configuration > LOCAL TRAFFIC > Certificate Management > Third Party CA Management, and click the name of your Let's Encrypt management profile.
  2. Establish a connection between your domains and the Let's Encrypt server:
     1. Under the Domain Configuration area, click Create to add a new domain row to the list.
     2. Enter the domain name under the Domain Name column.
     3. Click Save.
     The Let's Encrypt server returns a challenge authentication set per added domain. These authentication provisioning methods are displayed as icons in each domain row.
  3. Click the challenge icon that matches your domain configuration.
     This downloads the challenge file. For a DNS configuration, click the icon to copy the challenge content to your clipboard.
     Only one challenge configuration is required; you do not need to configure multiple challenge files to complete this process.
     For initial configuration, you must complete this process manually, even if you have already configured an API endpoint for automatic renewal.
  4. Manually enter the ACME challenge content to your domain, based on your domain server's configuration:
     1. HTTP Resource Configuration: Add the downloaded file to your domain web server.
     2. DNS Configuration: Modify the domain's DNS record to include the copied challenge content.
     3. TLS Configuration: Approve the downloaded certificate file to your domain.
  5. In the management profile, select the check box for each domain row that you manually configured in step 4.
  6. Click Test Connection.
     If the manual connection between the domain and Let's Encrypt is successful, the Connection Status column is marked as valid.
  7. If you have developed a domain-specific API endpoint that can automate the challenge renewal process, you can enter these values per domain row:
     1. Enter your API under the API End Point column.
     2. If your domain requires a user name and password, enter the information in each column.
     3. Click Save.
     4. Click Deploy & Test.
  8. Click Save.
The configured domains have established a valid connection with the Let's Encrypt server.
Once the domain connection is complete, configure a certificate signing request (CSR) to retrieve Let's Encrypt certificates via the domains' BIG-IP devices.
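Before clicking Test Connection, it helps to confirm that the challenge content you placed on the web server or in DNS is exactly what the ACME server will look for. The following Python helper is an added example, not BIG-IQ code: it derives from a constructed token and key authorization the URL and body an HTTP-01 challenge must serve and the TXT record a DNS-01 challenge must publish (per RFC 8555), and checks a fetched body or TXT record set against them. The domain, token, thumbprint and sample records are all constructed.

```python
import base64
import hashlib

# Constructed sample values: an ACME token and account-key thumbprint.
# Real values come from the challenge content BIG-IQ downloads or copies for you.
DOMAIN = "www.example.com"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
KEY_AUTHORIZATION = f"{TOKEN}.{THUMBPRINT}"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def http01_expectation(domain: str, token: str, key_authorization: str) -> tuple[str, str]:
    """URL the CA will fetch over plain HTTP and the exact body it must receive."""
    return f"http://{domain}/.well-known/acme-challenge/{token}", key_authorization


def dns01_expectation(domain: str, key_authorization: str) -> tuple[str, str]:
    """TXT record name and value the CA will look up for a DNS-01 challenge."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def check_http01(served_body: str, key_authorization: str) -> bool:
    """True if a body fetched from the challenge URL satisfies the CA.
    Trailing whitespace is tolerated (RFC 8555 section 8.3); anything else fails."""
    return served_body.rstrip("\r\n\t ") == key_authorization


def check_dns01(txt_values: list[str], domain: str, key_authorization: str) -> bool:
    """True if any published TXT value matches the expected digest.
    Several _acme-challenge records may coexist during renewal; one match suffices."""
    _, expected = dns01_expectation(domain, key_authorization)
    return any(v.strip('"') == expected for v in txt_values)


if __name__ == "__main__":
    url, body = http01_expectation(DOMAIN, TOKEN, KEY_AUTHORIZATION)
    print("HTTP-01: serve", repr(body), "at", url)
    name, value = dns01_expectation(DOMAIN, KEY_AUTHORIZATION)
    print("DNS-01: publish TXT", name, "=", value)
```

Feed the functions the body you fetch from the challenge URL, or the TXT values returned by a DNS lookup, and a False result tells you the placement is wrong before the Let's Encrypt validation attempt fails.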

Create CSR for a signed Let's Encrypt certificate

You must connect the web domain and the Let's Encrypt server before applying the CSR.
Create a new signed certificate and key to request and import Let's Encrypt certificates to your managed BIG-IP devices.
To save your CSR, you must complete the mandatory fields (in yellow).
  1. At the top of the screen, click Configuration.
  2. On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
  3. Click the name of the certificate.
  4. If the partition used for the managed BIG-IP device is anything other than Common, type it into the Partition field.
  5. From the Issuer list, select the Let's Encrypt CA.
  6. From the Common Name field, select the domain that receives the certificate and key from Let's Encrypt.
  7. In the Key Properties area, ensure that the Key Type and Key Size fields match the corresponding domain's CA management details.
  8. If your key is password protected, enter a value that conforms to the listed password policy.
  9. Click Save.
BIG-IQ generates the CSR, on behalf of the domain, and sends it to Let's Encrypt for signed certificates.

Reconfigure Let's Encrypt connection to domain

Refresh the domain challenge content to renew an expired Let's Encrypt connection with host domains.
  1. Go to Configuration > LOCAL TRAFFIC > Certificate Management > Third Party CA Management, and click the name of your Let's Encrypt management profile.
  2. Under the Domain Configuration area, click Reconfigure.
     Domains with expired challenge content are updated and their displayed status is replaced with icons to download/copy the new challenge content. This updates the entire grid, regardless of row selection.
  3. Manually enter the new challenge content, based on the domain's server configuration.
  4. In the CA management profile, select the rows that were updated in step 3.
  5. Click Test Connection.
     The Connection Status column is now marked as valid.
  6. Click Save.
Domains with expired challenge content are now up to date and can pair with the Let's Encrypt Server.