F5 BIG-IQ Certificate Life Cycle Management using AppViewX

SSL certificate management on F5 BIG-IP devices is now more streamlined than ever with the latest F5 BIG-IQ version. From one centralized location, F5 BIG-IQ makes it easy to request, import, and manage CA-signed SSL certificates, as well as import signed SSL certificates, keys, and PKCS #12 archive files created elsewhere. You can even create self-signed certificates right there for your managed devices.

F5 BIG-IQ classifies SSL certificates into two categories:

1. Managed

2. Unmanaged

What is an Unmanaged certificate in F5 BIG-IQ?

Whenever an F5 BIG-IP device is managed with the F5 BIG-IQ platform, F5 BIG-IQ discovers all the SSL certificates on the device and imports their metadata (properties), but not the actual certificate and key content. These certificates are displayed as Unmanaged on the F5 BIG-IQ Certificates & Keys screen. This lets you monitor the expiry status of certificates directly from F5 BIG-IQ, without logging in to the individual end devices.

What is a Managed certificate in F5 BIG-IQ?

An Unmanaged certificate can be moved into Managed status, either by importing the SSL certificates or by adding new ones. All Managed certificates in F5 BIG-IQ can be deployed directly to F5 BIG-IP devices or associated with the clientSSL or serverSSL profiles right away from F5 BIG-IQ’s centralized SSL certificate manager.

What is the Problem?

How does one go about managing the Certificate’s Life Cycle (Renew, Revoke, Regenerate, Delete)?

Here is where AppViewX comes in to ease the tedious part of managing the certificates’ life cycle through its automation platform.

What Can AppViewX Do?

AppViewX automates the life cycle of certificates managed by F5 BIG-IQ, which includes submitting a CSR to the Certificate Authority (CA) to renew, regenerate, or revoke the certificate, or provisioning a new certificate and key pair to F5 BIG-IQ. Doesn’t that sound interesting?

AppViewX Certificate Inventory

Let’s now understand how AppViewX accomplishes this.

· AppViewX has a certificate inventory to perform Certificate Life Cycle Management.

· AppViewX has native integrations with several Certificate Authorities (CAs) to submit requests to create/renew/regenerate/revoke certificates and retrieve them.

· AppViewX has the intelligence to monitor the certificates for expiry, renew them automatically, and provision them to the end devices.

How does AppViewX automate F5 BIG-IQ Certificate Management?

AppViewX triggers a scheduled discovery of managed certificates from F5 BIG-IQ and manages them in the Certificate Inventory. Thus AppViewX and F5 BIG-IQ are always in sync with the latest updates.

· If F5 BIG-IQ does not have the key for a certificate, AppViewX regenerates the certificate during discovery and updates it in F5 BIG-IQ.

· An automatic certificate renewal is configured in AppViewX with a specific “number of days before expiry” threshold, so that whenever a certificate nears its expiry date, AppViewX automatically renews it and provisions a new certificate and key pair to F5 BIG-IQ.

· AppViewX can revoke a certificate, which is then added to the Certificate Authority’s CRL.

· AppViewX has the intelligence to remove expired, invalid, and unused certs from F5 BIG-IQ by way of housekeeping.

Thus, the life cycle of certificates managed in F5 BIG-IQ can be automated with the platform and solutions provided by AppViewX.

Hence Solved 😊
