Updated Date: 05/20/2026
Integrating Venafi with BIG-IQ for Certificate Management
F5 Networks and Venafi have partnered to provide a tightly integrated solution for certificate and key management. Managing Venafi certificate requests through BIG-IQ automates laborious processes and reduces the amount of time you have to spend requesting and distributing certificates and keys to your managed devices. From BIG-IQ, you have centralized management of the key and certificate life cycle for your BIG-IP devices in multi-cloud and local environments.
Note: Once configured, centralized management maintains automatic renewal and deployment of Venafi certificates over your BIG-IP devices. If you’re integrating the Venafi Trust Protection Platform with BIG-IQ for certificate and key management and you are using a private SSL certificate, you must import that private SSL certificate to BIG-IQ.
To protect sensitive information on your Venafi Trust Protection Platform, BIG-IQ generates a new authorization key with each API call. The authorization key expires shortly after each call (approximately 3 minutes), which prevents an attacker from gaining access by replaying an older key.
Venafi certificates are subject to updates and expiration. BIG-IQ can be used to centrally manage and deploy those updates to the BIG-IP devices that serve a Web domain. After you configure Venafi on BIG-IQ, you can automate the certificate renewal process for your domains.
You can monitor these updates using system alerts; see Monitoring > ALERTS & NOTIFICATIONS. For more information about Venafi alerts, see Manage Venafi sync alerts.
Before you can add Venafi as a CA provider, the Venafi administrator must configure the Venafi Trust Protection Platform.
Add Venafi as a CA provider so you can send Certificate Signing Requests to Venafi to get certificates and keys for your BIG-IP devices from BIG-IQ.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Third Party CA Management.
- Click the name of the certificate.
- From the CA Providers list, select Venafi.
- In the Web SDK Endpoint field, type the address for the Venafi Web SDK endpoint.
  For example: https://<VENAFI-SERVER>/vedsdk, making sure to include the trailing /vedsdk. BIG-IQ sends the CSR to this address.
- In the User Name and Password fields, type the user name and password for the Web SDK Endpoint.
- In the Authenticate field, click the Test Connection button to verify that BIG-IQ can reach the endpoint.
  Important: If the test fails, the Venafi administrator might still need to set up the Venafi Trust Protection Platform. Contact your Venafi administrator and provide them with the following details for configuring the scope, and then have them assign all necessary users and teams to the new API Application.
  { "id": "big-iq", "name": "F5 BIGIQ", "vendor": "F5", "description": "F5 BIG-IQ Service Account", "scope": "certificate:manage;configuration:manage" }
  Note: The target API Application can also be created and/or updated through the Aperture interface.
- In the Key Passphrase field, enter a value that meets the listed criteria.
  The key passphrase provides authorization to Venafi for scheduled certificate synchronization. This step is not mandatory, but it is recommended for optimized certificate management.
- To renew certificates prior to their expiration, enable the Auto Renewal option.
  By default, enabling this option automatically renews certificates 7 days before expiration. You can select a longer period of time.
- To automatically deploy renewed certificates over your BIG-IP devices, enable the Auto Deploy option.
  By default, enabling this option automatically deploys renewed certificates at 00:00 (midnight) following certificate renewal. You can select a different time of day.
- Click the Save & Close button at the bottom of the screen.
  The Venafi provider you added appears in the list.
- Click the Edit Policy link of the new Venafi provider you added.
- In the Policy Folder Path field, type the path on the Venafi Trust Protection Platform where the certificates and keys are located, and then click the Get button.
  Important: The target Policy Folder Path must include sub-folders. Each sub-folder may have different issuing requirements or restrictions and could even target a different CA in the customer's environment (a different CA for each Policy Folder). If a folder with no sub-folders is specified, the error 400: Bad Request is returned.
  BIG-IQ populates the Policy Folder List with the policies to which BIG-IQ should send Certificate Signing Requests. At this point (or at a later time), you have the option to rename the policies for easier identification by editing their nicknames.
- If you want to change the credentials of the Venafi Web SDK endpoint, click its name.
You can now add a Venafi CSR to send to Venafi to get certificates for your BIG-IP VE devices.
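The Auto Renewal and Auto Deploy steps above define a simple schedule: a certificate becomes eligible for renewal a configurable number of days (7 by default) before it expires, and a renewed certificate is pushed to the BIG-IP devices at the next configured time of day (00:00 by default). The following Python snippet is an added example, not BIG-IQ's own code, that models that schedule so you can check which certificates in an inventory are due and when their deployment slot would fall. The inventory, the clock value `NOW`, and the rule that the renewal window may only be lengthened beyond 7 days are all assumptions constructed for the example.

```python
from datetime import datetime, time, timedelta

# Defaults as described for the Auto Renewal / Auto Deploy options.
DEFAULT_RENEW_DAYS = 7
DEFAULT_DEPLOY_TIME = time(0, 0)


def renewal_due_at(not_after, renew_days=DEFAULT_RENEW_DAYS):
    """Earliest moment a certificate becomes eligible for auto renewal."""
    # Assumption: the page says you can select a *longer* period, so treat
    # anything shorter than the 7-day default as a configuration error.
    if renew_days < DEFAULT_RENEW_DAYS:
        raise ValueError("renewal window must be at least %d days" % DEFAULT_RENEW_DAYS)
    return not_after - timedelta(days=renew_days)


def next_deploy_slot(renewed_at, deploy_time=DEFAULT_DEPLOY_TIME):
    """First occurrence of deploy_time strictly after the renewal timestamp."""
    candidate = datetime.combine(renewed_at.date(), deploy_time)
    if candidate <= renewed_at:
        candidate += timedelta(days=1)  # renewal happened at or after today's slot
    return candidate


def plan(inventory, now, renew_days=DEFAULT_RENEW_DAYS, deploy_time=DEFAULT_DEPLOY_TIME):
    """Classify each certificate as expired / due / ok and compute its deploy slot.

    inventory maps a certificate name to its notAfter datetime. A certificate
    that is already expired is still reported so that it is not silently skipped.
    """
    result = {}
    for name, not_after in inventory.items():
        due_at = renewal_due_at(not_after, renew_days)
        if not_after <= now:
            status = "expired"
        elif due_at <= now:
            status = "due"
        else:
            status = "ok"
        result[name] = {
            "status": status,
            "renewal_due_at": due_at.isoformat(),
            # If renewal ran right now, deployment would happen at the next slot.
            "deploy_at": next_deploy_slot(now, deploy_time).isoformat() if status != "ok" else None,
        }
    return result


# Constructed sample inventory and clock (not real data).
INVENTORY = {
    "www.example.com": datetime(2026, 6, 1, 12, 0),
    "api.example.com": datetime(2026, 5, 25, 9, 30),
    "old.example.com": datetime(2026, 5, 19, 0, 0),
}
NOW = datetime(2026, 5, 20, 15, 45)


def demo():
    """Run the schedule over the constructed inventory with the page's defaults."""
    return plan(INVENTORY, NOW)


if __name__ == "__main__":
    for cert, info in demo().items():
        print(cert, info)
```

Running the block reports www.example.com as ok (its renewal window opens 25 May), api.example.com as due, and old.example.com as already expired; both of the latter would be deployed at 00:00 on 21 May, the first midnight after the simulated renewal. Passing a larger `renew_days` widens the window, which is the knob the Auto Renewal option exposes.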
To automatically send a CSR from BIG-IQ, you must have selected User Provided CSR for the CSR Generation option when you configured the Venafi platform.
Create a Certificate Signing Request (CSR) on BIG-IQ to use to request certificates and keys from Venafi.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- Click the name of the certificate.
- If the partition is anything other than Common, type it into the Partition field.
- In the Certificate Properties area, from the Issuer list, select the Venafi CA.
- From the Policy Folder list, select the policy you retrieved from Venafi.
- Specify the division and organization for the certificate.
- Complete the SSL certificate properties.
  Note: A Subject Alternative Name is embedded in a certificate as an X.509 extension. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use the format of a comma-separated list of name:value pairs.
- Click the Save & Close button at the bottom of the screen.
If Venafi is configured for manual CSR approval, the approval process might require a few hours. The pending approval is indicated in the BIG-IQ UI until certificate retrieval. Navigating away from this screen will not disrupt the process.
BIG-IQ generates the CSR and sends it to Venafi for signed certificates and keys. The signed certificate displays on the Certificates & Keys screen.
You can now assign this certificate to your managed BIG-IP VE devices.
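The Subject Alternative Name note in the procedure above specifies a comma-separated list of name:value pairs with five supported name types. The Python parser below is an added example, not BIG-IQ's or Venafi's code, that validates such a field before it goes into a CSR: it rejects unknown types, malformed values (for example an underscore in a DNS label or an out-of-range IP octet), and duplicates, and it splits on the first colon only so that URI and IPv6 values keep their own colons. The exact validation rules for each type (case-sensitive type names, the hostname label grammar, the loose e-mail and URI checks) are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Name types the page lists as supported in the Subject Alternative Name field.
# Assumption: type names are matched exactly as written on the page.
SUPPORTED_SAN_TYPES = {"email", "DNS", "URI", "IP", "RID"}

# Hostname label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Deliberately loose e-mail check: one '@', no whitespace or commas.
_EMAIL = re.compile(r"^[^@\s,]+@[^@\s,]+$")
# Registered ID: dotted decimal OID such as 1.3.6.1.4.1
_RID = re.compile(r"^\d+(\.\d+)+$")


def _valid_dns(value):
    """Accept a hostname, optionally with a single leading wildcard label."""
    labels = value.split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and len(value) <= 253 and all(_HOSTNAME_LABEL.match(l) for l in labels)


def _valid_ip(value):
    """Accept any syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _valid_uri(value):
    """Require a scheme plus either an authority or a path."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


VALIDATORS = {
    "email": lambda v: bool(_EMAIL.match(v)),
    "DNS": _valid_dns,
    "URI": _valid_uri,
    "IP": _valid_ip,
    "RID": lambda v: bool(_RID.match(v)),
}


def parse_san(field):
    """Parse 'type:value,type:value' into a list of (type, value) tuples.

    Raises ValueError for empty entries, missing type prefixes, unsupported
    types, values that fail the per-type check, or duplicate entries.
    """
    entries = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty SAN entry")
        if ":" not in item:
            raise ValueError("missing type prefix in %r" % item)
        # Split on the first colon only: URI and IPv6 values contain colons.
        san_type, value = item.split(":", 1)
        san_type, value = san_type.strip(), value.strip()
        if san_type not in SUPPORTED_SAN_TYPES:
            raise ValueError("unsupported SAN type %r" % san_type)
        if not VALIDATORS[san_type](value):
            raise ValueError("invalid %s value %r" % (san_type, value))
        entries.append((san_type, value))
    if len(set(entries)) != len(entries):
        raise ValueError("duplicate SAN entry")
    return entries


if __name__ == "__main__":
    # Constructed sample field, not taken from a real certificate.
    print(parse_san("DNS:www.example.com, DNS:*.example.com,IP:10.0.0.1,email:ops@example.com"))
```

Feeding the parser a value such as `www.example.com` without the `DNS:` prefix, or `IP:300.1.1.1`, raises a ValueError that names the offending entry, which is easier to act on than a rejected CSR coming back from the CA.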
You must add Venafi as a third-party certificate authority before you can import certificates from Venafi.
Import certificates from Venafi so you can deploy them to your managed BIG-IP devices.
- At the top of the screen, click Configuration.
- On the left, click LOCAL TRAFFIC > Certificate Management > Certificates & Keys.
- From the Import Type list, select Import from CA Providers.
- Select the check box next to Venafi, enter the passphrase, and click the Import button at the bottom of the screen.
If you’ve integrated the Venafi Trust Protection Platform with BIG-IQ for certificate and key management and you are using a private SSL certificate, you must import that private SSL certificate to BIG-IQ.
- Log in to the BIG-IQ command line and issue the following commands:
  $ mount -o remount,rw /usr
  $ /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts -alias example.com -file /home/admin/venafi.example.com.pem
  $ mount -o remount,ro /usr
- When prompted for a password, contact F5 Support at https://www.f5.com/services/support.
Venafi synchronization occasionally raises alerts when there is duplicate naming under certificate properties. This occurs when multiple policy folders have a certificate with the same name. You can resolve these errors and complete the certificate sync process by manually selecting a policy folder using the alert.
- Go to Monitoring > ALERTS & NOTIFICATIONS.
- Select the alert titled Venafi sync scheduler.
- Under the Certificate Properties area, select an option from the Choose Policy Folder column.
  By doing this, you choose the correct Venafi policy folder with which to associate the certificate sync process.
- Repeat step 3 for all certificates with duplicate naming.
- Click Save & Close.