Machine Identity Management | September 2, 2020

How to Automate F5 Certificate Management for BIG-IP and BIG-IQ

Diane Garey, Product Marketing Manager

If you’re an F5 administrator, you might not spend a lot of time thinking about automating the management of machine identities. By machine identities, I mean the keys and certificates that assure the unique identity of assets in and on your F5 infrastructure. After all, until recently, certificate lifespans were a couple of years long. That means, depending on the number of F5 devices you’re responsible for and the number of certificates on them, it’s not something you would have to think about that often.

But with today’s shorter certificate lifespans, you’ll likely need to consider automation to keep your machine identities current and active. However, that automation may mean giving away some control over devices in the form of credentials needed to automate certain tasks. Maybe you don’t want another application automatically doing anything with your F5 infrastructure.

While not thinking about automation is understandable, it’s something many organizations are embracing (or being forced to embrace). As I mentioned before, certificate lifespans are getting progressively shorter, down to 398 days. This means more work if you’re renewing certificates manually and the risk of missing more frequent renewals may result in certificate-based outages. Many organizations won’t have enough people to do these renewals manually and/or would like to let those same people work on projects that are more strategic than updating keys and certificates.

There are also the occasional, but massively impactful events that require bulk replacement of keys and certificates or the need to update machine identities that are vulnerable, weak, or distrusted. When a Certificate Authority (CA) gets compromised, a cryptographic algorithm is broken, or a vendor suffers a major vulnerability, compromised keys and certificates need to be replaced quickly without impacting the functions of business-critical infrastructure. Organizations relying on manual updates simply can’t keep up with these types of events.

While those trends driving the need for automation might be important for your organization, you might be wondering how automating certificate management for your F5 infrastructure would affect you personally. Would it give you more time and make your life better or add risk because you’d have to give up that control?

First, imagine that you didn't have to do so many manual tasks in terms of keys and certificates. Does it consume too much of your time to generate keys, generate CSRs (urgently searching how-to reminders from Google), and wait on approvals? What if these tasks were automated for you? You’d gain time and peace-of-mind. You’d gain even more time in those situations where the process falls down—particularly in cases where you generate keys, generate the CSR, submit the CSR to your PKI team, and they then come back to you to say there’s a mistake and everything needs to be redone. It’s not that unusual to make a mistake if you’re not a PKI expert and you haven’t been dealing with keys and certificates on a regular basis.

Saving you time is a huge benefit of automation, but the benefits don’t stop there. Automation gives you an inventory of certificates: where they’re installed and who the certificate owners are. As you and other F5 administrators move to new roles and responsibilities, those critical pieces of information remain available for the people who come after you. Automation can help you eliminate mistakes during maintenance windows, because all you are doing in the maintenance window is running automation. Before the maintenance window, you have the opportunity to iron out mistakes through configuration and code reviews. Automation also scales better when you have many certificates installed on similar types of applications and devices.

The one thing that excites Venafi customers that have automated the interaction between Venafi and F5 is the speed of operation. One customer in particular has automated their request process so that any time a new application is requested in ServiceNow, all the required assets are automatically created. In just a few minutes, their web server, the IP address, and F5 virtual server are all provisioned. The F5 virtual server spins up, the certificate gets automatically provisioned where it belongs, and every new web application that's requested is created and ready for use. This organization is a good example of thinking big about automating certificate management—and it’s paying off for them in quick, easy, and safe creation of applications.

You might be thinking that automation is sounding interesting but still have concerns about giving up control. After all, F5 systems are critical infrastructure and you don’t want just anyone or anything messing with them. While a Machine Identity Management system like Venafi will require credentials to automate tasks, it shouldn’t require an admin account with root control over applications and devices. It should be using the least amount of privilege needed to do an assigned task such as installing a certificate or doing a validation check to make sure things are installed correctly.

You should also have flexibility in how much you automate and when. Using Venafi Machine Identity Management again as an example, you can have Venafi place the key and certificate you need in a directory where you can retrieve and install it yourself if you don’t want Venafi to perform the installation automatically. Or you might want Venafi to do the installation, but not restart services, so you keep complete control over when that happens. Flexibility like this lets you take advantage of automation while making sure it works the way you need it to and, most importantly, won’t break any of your F5 devices.

Venafi and F5 for BIG-IP and BIG-IQ

Venafi and F5 are partners in certificate automation through Machine Identity Management. Our companies have built multiple integrations between our solutions to help F5 teams easily deploy, manage, and protect applications using TLS. We make it easy to automate the entire lifecycle of keys and certificates needed by F5, from initial discovery of existing certificates in use, to the automated renewal of those certificates before they expire, and finally to the automated provisioning to the F5 devices and applications that consume them.

When integrated with Venafi, BIG-IQ performs the following steps in automating the life cycle of machine identities:

  1. Initiates certificate renewal prior to expiration
  2. Submits certificate signing request to Venafi
  3. Retrieves certificate, private key, and chain certs from Venafi
  4. Installs items on target BIG-IP systems
  5. Updates configuration (SSL profile, VS, etc.) on the BIG-IPs
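As an added illustration (not Venafi's or F5's code), the renewal decision of step 1 and the chain validation check mentioned earlier, modelled over a constructed inventory; the CertRecord fields, the 30-day lead time and the host and CA names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed record standing in for what BIG-IQ reports per installed cert;
# field names are my own, not F5's or Venafi's object schema.
@dataclass
class CertRecord:
    name: str            # BIG-IP certificate object name
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    owner: str = ""      # owning team: the inventory "intelligence" automation keeps
    profile: str = ""    # client-ssl profile the cert is attached to (step 5 target)
MAX_LIFESPAN_DAYS = 398  # lifespan limit cited in the post
RENEW_LEAD_DAYS = 30     # assumed lead time before expiry to start renewal (step 1)

def lifespan_days(c):
    return (c.not_after - c.not_before).days

def chain_is_complete(leaf, chain, trusted_roots):
    # Validation check after step 3: each issuer must be the next cert's subject
    # and the last issuer a trusted root, or clients get an incomplete chain.
    cur = leaf
    for inter in chain:
        if cur.issuer != inter.subject:
            return False
        cur = inter
    return cur.issuer in trusted_roots

def renewal_plan(inventory, now, lead_days=RENEW_LEAD_DAYS):
    # Step 1: decide which certs to renew and why, and carry the owner and
    # SSL profile along so steps 4-5 know where the result must land.
    plan = []
    for c in inventory:
        reasons = []
        days_left = (c.not_after - now).days
        if days_left <= lead_days:
            reasons.append(f"expires in {days_left} days")
        if lifespan_days(c) > MAX_LIFESPAN_DAYS:
            reasons.append(f"lifespan {lifespan_days(c)} d exceeds {MAX_LIFESPAN_DAYS} d")
        if reasons:
            plan.append({"name": c.name, "owner": c.owner, "profile": c.profile, "reasons": reasons})
    return plan

# Constructed sample inventory (hostnames and CA names are made up).
NOW = datetime(2020, 9, 2, tzinfo=timezone.utc)
ISSUER = "CN=Example Issuing CA"
INVENTORY = [
    CertRecord("app1.crt", "CN=app1.example", ISSUER, NOW - timedelta(days=380), NOW + timedelta(days=18), "web-team", "app1-clientssl"),
    CertRecord("app2.crt", "CN=app2.example", ISSUER, NOW - timedelta(days=700), NOW + timedelta(days=180), "api-team", "app2-clientssl"),
    CertRecord("app3.crt", "CN=app3.example", ISSUER, NOW - timedelta(days=10), NOW + timedelta(days=380), "web-team", "app3-clientssl"),
]
```

Running renewal_plan(INVENTORY, NOW) flags app1 (expiring) and app2 (issued for longer than 398 days) and leaves app3 alone.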

Thinking Bigger?

Automating certificate management for F5 BIG-IP and BIG-IQ wherever possible can help you and your organization. You get back the time that you'd otherwise spend on manual tasks, and those tasks are done faster and mistake-free without you having to sacrifice control over the F5 devices you're responsible for managing.

Your organization benefits too. It won't need additional resources to deal with managing machine identities manually as certificate lifespans get shorter and as widespread security events occur.

Want to learn more about how Venafi and F5 are partners in certificate automation? Visit the Venafi Marketplace to learn about integrating Venafi with F5 BIG-IP Local Traffic Manager and F5 BIG-IQ.
