Manual Chapter :
Integrating Venafi with BIG-IQ for Certificate Management
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0
Integrating with Venafi for certificate and key management
F5 Networks and Venafi have partnered to provide a tightly-integrated solution
for certificate and key management. Managing Venafi certificate requests through BIG-IQ
automates laborious processes and reduces the amount of time you have to spend requesting and
distributing certificates and keys to your managed devices. From BIG-IQ, you have
centralized management of the key and certificate life cycle for your BIG-IP devices in
multi-cloud and local environments.
To protect the sensitive information on your Venafi Trust Protection Platform, BIG-IQ generates a new authorization key with each API call. The authorization key expires soon after each call (approximately 3 minutes), which prevents an attacker from gaining access by re-using an older key.
Once configured, centralized management
maintains automatic renewal and deployment of Venafi certificates over your BIG-IP
devices. If you're integrating the Venafi Trust
Protection Platform with BIG-IQ for certificate and key management and you are using a
private SSL certificate, you must import that private SSL certificate to BIG-IQ.
Automatic Renewal and Deployment
Venafi certificates are subject to updates and expiration. BIG-IQ can be
used to centrally manage and deploy those updates to the BIG-IP devices that serve a web domain.
After you configure Venafi in BIG-IQ, you can automate the certificate renewal process
for your domains.
You can monitor these updates using system alerts. For more information about Venafi alerts, see Manage Venafi sync alerts.
Add Venafi as a third-party CA provider
Before you can add Venafi as a CA provider, the Venafi administrator must configure the Venafi Trust Protection Platform.
Add Venafi as a CA provider so you can send Certificate Signing Requests to Venafi to get certificates and keys for your BIG-IP devices from BIG-IQ.
- At the top of the screen, click Configuration.
- On the left, click.
- Click the name of the certificate.
- From the CA Providers list, select Venafi.
- In the Web SDK Endpoint field, type the address of the Venafi Web SDK endpoint, for example https://<VENAFI-SERVER>/vedsdk, making sure to include the trailing /vedsdk. BIG-IQ sends the CSR to this address.
- In the User Name and Password fields, type the user name and password for the Web SDK endpoint.
- In the Authenticate field, click the Test Connection button to verify that BIG-IQ can reach the endpoint. If the test fails, the Venafi administrator might still need to set up the Venafi Trust Protection Platform. Contact your Venafi administrator, provide them with the following details for configuring the scope, and then have them assign all necessary users and teams to the new API Application. The target API Application can also be created or updated through the Aperture interface.
    {
      "id": "big-iq",
      "name": "F5 BIGIQ",
      "vendor": "F5",
      "description": "F5 BIG-IQ Service Account",
      "scope": "certificate:manage;configuration:manage"
    }
- In the Key Passphrase field, enter a value that meets the listed criteria. The key passphrase provides authorization to Venafi for scheduled certificate synchronization. This step is not mandatory, but it is recommended for optimized certificate management.
- To renew certificates before they expire, enable the Auto Renewal option. By default, enabling this option renews certificates 7 days before expiration. You can select a longer period of time.
- To automatically deploy renewed certificates to your BIG-IP devices, enable the Auto Deploy option. By default, enabling this option deploys renewed certificates at 00:00 (midnight) following certificate renewal. You can select a different time of day.
- Click the Save & Close button at the bottom of the screen. The Venafi provider you added appears in the list.
- Click the Edit Policy link of the new Venafi provider you added.
- In the Policy Folder Path field, type the path in the Venafi Trust Protection Platform where the certificates and keys are located, and then click the Get button. The target Policy Folder Path must include sub-folders. Each sub-folder may have different issuing requirements or restrictions and could even target a different CA in the customer's environment (a different CA for each policy folder). If you specify a folder with no sub-folders, the error 400: Bad Request is returned. BIG-IQ populates the Policy Folder List with the policies to which BIG-IQ should send Certificate Signing Requests. At this point (or later), you can rename the policies for easier identification by editing their nicknames.
- If you want to change the credentials of the Venafi Web SDK endpoint, click its name.
You can now add a Venafi CSR to send to Venafi to get certificates for your BIG-IP VE devices.
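The settings entered in the procedure above are easy to get slightly wrong (an endpoint without the trailing /vedsdk, a renewal window shorter than the 7-day default), and the Auto Renewal and Auto Deploy defaults are easiest to understand as dates. The following added example, which is not part of the F5 documentation or BIG-IQ's own code, checks a provider configuration before it is saved and computes when a certificate becomes due for renewal and when the renewed certificate would be deployed. The configuration values, the host name tpp.example.internal and the function names are constructed for the example.

```python
from datetime import datetime, time, timedelta
from urllib.parse import urlparse

# Constructed example of the provider settings from the procedure above
# (hypothetical values; the field names mirror the BIG-IQ screen).
PROVIDER = {
    "web_sdk_endpoint": "https://tpp.example.internal/vedsdk",
    "auto_renewal_days": 7,          # default: renew 7 days before expiration
    "auto_deploy_time": time(0, 0),  # default: deploy at 00:00 after renewal
}

DEFAULT_RENEWAL_DAYS = 7  # the documented default; longer periods are allowed


def check_endpoint(endpoint: str) -> list[str]:
    """Return the problems found with a Web SDK endpoint URL (empty list if OK)."""
    problems = []
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        problems.append("endpoint must use https")
    if not parsed.netloc:
        problems.append("endpoint has no host")
    # The documentation requires the trailing /vedsdk path component.
    if parsed.path.rstrip("/") != "/vedsdk":
        problems.append("endpoint must end with /vedsdk")
    return problems


def validate_provider(cfg: dict) -> list[str]:
    """Collect every configuration problem so the operator sees them all at once."""
    problems = check_endpoint(cfg["web_sdk_endpoint"])
    if cfg["auto_renewal_days"] < DEFAULT_RENEWAL_DAYS:
        problems.append("auto renewal must be at least %d days before expiration"
                        % DEFAULT_RENEWAL_DAYS)
    if not isinstance(cfg["auto_deploy_time"], time):
        problems.append("auto deploy time must be a time of day")
    return problems


def renewal_due(not_after: datetime, now: datetime, renewal_days: int) -> bool:
    """True once 'now' is inside the renewal window before the expiry date."""
    return now >= not_after - timedelta(days=renewal_days)


def next_deploy(renewed_at: datetime, deploy_time: time) -> datetime:
    """First occurrence of deploy_time strictly after the renewal timestamp.

    A renewal that lands exactly at the deploy time, or after it, is deployed
    at that time on the following day.
    """
    candidate = datetime.combine(renewed_at.date(), deploy_time)
    if candidate <= renewed_at:
        candidate += timedelta(days=1)
    return candidate


if __name__ == "__main__":
    print("problems:", validate_provider(PROVIDER))
    expiry = datetime(2024, 6, 30, 12, 0)
    for day in (22, 23):
        now = datetime(2024, 6, day, 12, 0)
        print(now.date(), "due:", renewal_due(expiry, now, PROVIDER["auto_renewal_days"]))
    print("deploy at:", next_deploy(datetime(2024, 6, 23, 15, 30), PROVIDER["auto_deploy_time"]))
```

Running the block reports no problems for the constructed provider, shows the certificate becoming due on 23 June (7 days before a 30 June expiry) and schedules deployment for midnight on 24 June.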
Create a CSR to get a signed certificate from Venafi
To automatically send a CSR from BIG-IQ, you must have selected User Provided CSR
for the CSR Generation option when you configured the Venafi platform. Create a Certificate Signing Request (CSR) on
BIG-IQ to use to request certificates and keys from Venafi.
- At the top of the screen, click Configuration.
- On the left, click.
- Click the name of the certificate.
- If the partition is anything other than Common, type it into the Partition field.
- In the Certificate Properties area, from the Issuer list, select the Venafi CA.
- From the Policy Folder list, select the policy you retrieved from Venafi.
- Specify the division and organization for the certificate.
- Complete the SSL certificate properties. A Subject Alternative Name is embedded in a certificate as an X509 extension. Supported names include email, DNS, URI, IP, and RID. For the Subject Alternative Name field, use a comma-separated list of name:value pairs.
- Click the Save & Close button at the bottom of the screen. If Venafi is configured for manual CSR approval, the approval process might take a few hours. The pending approval is indicated in the BIG-IQ UI until the certificate is retrieved. Navigating away from this screen does not disrupt the process.
BIG-IQ generates the CSR and sends it to Venafi
for signed certificates and keys. The signed certificate displays on the Certificate and
Keys screen.
You can now assign this certificate to your
managed BIG-IP VE devices.
Importing certificates and keys from Venafi
You must add Venafi as a third-party certificate
authority before you can import certificates from Venafi.
Import certificates from Venafi so you can
deploy them to your managed BIG-IP devices.
- At the top of the screen, click Configuration.
- On the left, click.
- From the Import Type list, select Import from CA Providers.
- Select the check box next to Venafi, enter the passphrase, and click the Import button at the bottom of the screen.
Import Venafi private SSL certificate
If you've integrated the Venafi Trust
Protection Platform with BIG-IQ for certificate and key management and you are using a
private SSL certificate, you must import that private SSL certificate to BIG-IQ.
- Log in to the BIG-IQ command line and issue the following commands:
    $ mount -o remount,rw /usr
    $ /usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts -alias example.com -file /home/admin/venafi.example.com.pem
    $ mount -o remount,ro /usr
- When prompted for a password, contact F5 Support at https://www.f5.com/services/support.
Managing Venafi sync scheduler alerts
Venafi synchronization occasionally raises alerts
when there is duplicate naming under certificate properties. This occurs when multiple
policy folders have a certificate with the same name. You can resolve these errors and
complete the certificate sync process by manually selecting a policy folder using the
alert.
- Go to.
- Select the alert titled Venafi sync scheduler.
- Under the Certificate Properties area, select an option from the Choose Policy Folder column. By doing this, you choose the correct Venafi policy folder with which to associate the certificate sync process.
- Repeat step 3 for all certificates with duplicate naming.
- Click Save & Close.
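The sync alert described above is raised when the same certificate name appears in more than one policy folder, and clearing it means picking one folder per ambiguous name. The following added example, which is not part of the F5 documentation or BIG-IQ's own code, reproduces that logic over a constructed list of synced certificates: it finds the names that occur in several folders, applies the operator's folder choices, and reports any names that remain unresolved so the sync is not completed with an ambiguous mapping. The policy folder paths, certificate names and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of what a Venafi sync might return: (policy folder, certificate name).
# The folder paths are hypothetical; the duplicate 'www.example.com' is deliberate.
SYNCED = [
    (r"\VED\Policy\Web\Prod", "www.example.com"),
    (r"\VED\Policy\Web\Staging", "www.example.com"),
    (r"\VED\Policy\Web\Prod", "api.example.com"),
]


def find_duplicate_names(certs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each certificate name found in more than one policy folder to those folders.

    Folder order follows the order in which the sync listed them, and a name
    listed twice from the same folder is not treated as a duplicate.
    """
    folders_by_name: dict[str, list[str]] = defaultdict(list)
    for folder, name in certs:
        if folder not in folders_by_name[name]:
            folders_by_name[name].append(folder)
    return {name: folders for name, folders in folders_by_name.items() if len(folders) > 1}


def resolve_sync(certs: list[tuple[str, str]],
                 choices: dict[str, str]) -> tuple[list[tuple[str, str]], list[str]]:
    """Apply the operator's 'Choose Policy Folder' selections.

    Returns the certificates that can be synced (one entry per name) and the
    names that are still ambiguous because no choice was made for them.
    A choice naming a folder that does not contain the certificate is rejected,
    since accepting it would silently sync the wrong certificate.
    """
    duplicates = find_duplicate_names(certs)
    for name, folder in choices.items():
        if name in duplicates and folder not in duplicates[name]:
            raise ValueError(f"{folder!r} does not contain a certificate named {name!r}")

    selected: list[tuple[str, str]] = []
    unresolved: list[str] = []
    seen: set[str] = set()
    for folder, name in certs:
        if name in seen:
            continue
        if name not in duplicates:
            selected.append((folder, name))
            seen.add(name)
        elif name in choices:
            selected.append((choices[name], name))
            seen.add(name)
        elif name not in unresolved:
            unresolved.append(name)
    return selected, unresolved


if __name__ == "__main__":
    print("duplicates:", find_duplicate_names(SYNCED))
    ok, pending = resolve_sync(SYNCED, {})
    print("without choices -> unresolved:", pending)
    ok, pending = resolve_sync(SYNCED, {"www.example.com": r"\VED\Policy\Web\Prod"})
    print("with choice -> selected:", ok, "unresolved:", pending)
```

Without a choice the sample leaves www.example.com unresolved and syncs only api.example.com; once the Prod folder is chosen for it, both certificates are selected and nothing remains pending, which mirrors repeating step 3 for every duplicate before clicking Save & Close.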