Generate a Venafi signed certificate¶
Overview¶
After you complete your Venafi Trust Protection Platform (TPP) configuration, perform the following additional steps to deploy a Venafi-created certificate to the BIG-IP.
Sequence¶
1. Generate the CSR¶
Send a POST request to the Venafi Generate CSR API to generate the certificate signing request (CSR).
POST https://<BIG-IQ>/mgmt/cm/adc-core/tasks/certificate-management
The JSON in the body of the POST request can look similar to the following example.
{
"issuer": "VenafiEnv",
"caProvider": "Venafi",
"itemName": "VenafiCert.csr",
"itemPartition": "Common",
"durationInDays": 365,
"country": "US",
"commonName": "ven",
"policyFolderName": "",
"division": "F5 org unit",
"organization": "F5 org",
"locality": "Seattle",
"state": "Washington",
"policyFolder": "\\VED\\Policy\\Certificates\\Big IQ\\BigIQ Generated CSR",
"securityType": "normal",
"keyType": "RSA",
"keySize": 2048,
"checkComplexity": false,
"minPasswordLength": 8,
"confirmedKeyPassphrase": "",
"administratorEmail": "",
"challengePassword": "",
"confirmedChallengePassword": "",
"thirdPartyCa": {
"policyFolder": "\\VED\\Policy\\Certificates\\Big IQ\\BigIQ Generated CSR",
"issuer": "VenafiEnv",
"caProvider": "Venafi"
},
"command": "GENERATE_CSR"
}
2. Send CSR Request to Venafi¶
Send a POST request to the Venafi Request Certificate API to request a signed certificate by providing the certificate signing request (CSR).
POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/venafi/csr-request
The JSON in the body of the POST request can look similar to the following example.
{
"certificateName": "VenafiCert",
"policyFolderName": "\\VED\\Policy\\Certificates\\Big IQ\\BigIQ Generated CSR",
"commonName": "ven",
"organization": "F5 org",
"organizationUnit": "F5 org unit",
"state": "Washington",
"country": "US",
"externalCaConfigReference": {
"link": "https://localhost/mgmt/cm/adc-core/external-ca/config/2afa31b3-9e24-3ff4-87b7-38eaf16446bc"
}
}
3. Create Server SSL Profile¶
Send a POST request to create the server SSL profile.
POST https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/profile/server-ssl
The JSON in the body of the POST request can look similar to the following example.
{
"kind": "cm:adc-core:working-config:ltm:profile:server-ssl:adcprofileserversslstate",
"tags": null,
"proxySsl": null,
"cacheSize": null,
"isEnabled": null,
"partition": "Common",
"tmOptions": null,
"passphrase": null,
"serverName": null,
"sniDefault": null,
"sniRequire": null,
"sslSignHash": null,
"alertTimeout": null,
"authenticate": null,
"cacheTimeout": null,
"genericAlert": null,
"keyReference": {
"id": "bd36537a-cc32-3ffe-8d57-17d95d474cc7",
"kind": "cm:adc-core:working-config:sys:file:ssl-key:adcsslkeystate",
"link": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-key/bd36537a-cc32-3ffe-8d57-17d95d474cc7",
"name": "VenafiCert.key",
"partition": "Common",
"fullPath": "/Common/VenafiCert.key"
},
"peerCertMode": null,
"strictResume": null,
"certReference": {
"id": "e55412c2-f43b-3886-be3c-6bcc8eb84377",
"kind": "cm:adc-core:working-config:sys:file:ssl-cert:adcsslcertstate",
"link": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert/e55412c2-f43b-3886-be3c-6bcc8eb84377",
"name": "VenafiCert.crt",
"partition": "Common",
"fullPath": "/Common/VenafiCert.crt"
},
"modSslMethods": null,
"renegotiation": null,
"sessionTicket": null,
"allowExpiredCrl": null,
"renegotiateSize": null,
"sslForwardProxy": null,
"uncleanShutdown": null,
"authenticateName": null,
"handshakeTimeout": null,
"sessionMirroring": null,
"authenticateDepth": null,
"renegotiatePeriod": null,
"retainCertificate": null,
"maxActiveHandshakes": null,
"proxySslPassthrough": null,
"secureRenegotiation": null,
"sslForwardProxyBypass": null,
"bypassOnHandshakeAlert": null,
"bypassOnClientCertFailure": null,
"expireCertResponseControl": null,
"untrustedCertResponseControl": null,
"defaultsFromReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/ltm/profile/server-ssl/86574429-ee8e-3666-8f71-c9594140d5c4"
},
"chainReference": null,
"caFileReference": null,
"crlFileReference": null,
"ciphers": null,
"cipherGroupReference": null,
"cert": null,
"key": null,
"chain": null,
"caFile": null,
"crlFile": null,
"cipherGroup": null,
"name": "custom_sever_profile"
}
4. Create Client SSL Profile¶
Send a POST request to create the client SSL profile.
POST https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/profile/client-ssl
The JSON in the body of the POST request can look similar to the following example.
{
"kind": "cm:adc-core:working-config:ltm:profile:client-ssl:adcprofileclientsslstate",
"tags": null,
"proxySsl": null,
"cacheSize": null,
"isEnabled": null,
"partition": "Common",
"tmOptions": null,
"serverName": null,
"sniDefault": null,
"sniRequire": null,
"allowNonSsl": null,
"sslSignHash": null,
"alertTimeout": null,
"authenticate": null,
"cacheTimeout": null,
"certKeyChain": [{
"name": "VenafiCert",
"keyReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-key/bd36537a-cc32-3ffe-8d57-17d95d474cc7",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-key/bd36537a-cc32-3ffe-8d57-17d95d474cc7",
"id": "bd36537a-cc32-3ffe-8d57-17d95d474cc7",
"kind": "cm:adc-core:working-config:sys:file:ssl-key:adcsslkeystate",
"partition": "Common",
"name": "VenafiCert.key"
},
"certReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert/e55412c2-f43b-3886-be3c-6bcc8eb84377",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert/e55412c2-f43b-3886-be3c-6bcc8eb84377",
"id": "e55412c2-f43b-3886-be3c-6bcc8eb84377",
"kind": "cm:adc-core:working-config:sys:file:ssl-cert:adcsslcertstate",
"partition": "Common",
"name": "VenafiCert.crt"
},
"passphrase": ""
}],
"certLifespan": null,
"genericAlert": null,
"ocspStapling": null,
"peerCertMode": null,
"strictResume": null,
"modSslMethods": null,
"renegotiation": null,
"sessionTicket": null,
"allowExpiredCrl": null,
"renegotiateSize": null,
"sslForwardProxy": null,
"uncleanShutdown": null,
"handshakeTimeout": null,
"sessionMirroring": null,
"authenticateDepth": null,
"maximumRecordSize": null,
"proxyCaPassphrase": null,
"renegotiatePeriod": null,
"retainCertificate": null,
"maxActiveHandshakes": null,
"proxySslPassthrough": null,
"secureRenegotiation": null,
"sessionTicketTimeout": null,
"certExtensionIncludes": null,
"sslForwardProxyBypass": null,
"bypassOnHandshakeAlert": null,
"certLookupByIpaddrPort": null,
"allowDynamicRecordSizing": null,
"peerNoRenegotiateTimeout": null,
"bypassOnClientCertFailure": null,
"renegotiateMaxRecordDelay": null,
"maxRenegotiationsPerMinute": null,
"notifyCertStatusToVirtualServer": null,
"maxAggregateRenegotiationPerMinute": null,
"defaultsFromReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/ltm/profile/client-ssl/c239f876-5f8c-35eb-b3bd-903e0871361b"
},
"caFileReference": null,
"clientCertCaReference": null,
"crlFileReference": null,
"proxyCaCertReference": null,
"proxyCaKeyReference": null,
"ciphers": null,
"cipherGroupReference": null,
"caFile": null,
"clientCertCa": null,
"crlFile": null,
"proxyCaCert": null,
"proxyCaKey": null,
"destinationIpBlacklist": "none",
"destinationIpWhitelist": "none",
"hostnameBlacklist": "none",
"hostnameWhitelist": "none",
"sourceIpBlacklist": "none",
"sourceIpWhitelist": "none",
"cipherGroup": null,
"name": "custom_client_profile"
}
5. Update Virtual Server with SSL Profiles¶
Send a PATCH request to update the virtual server with SSL profiles.
PATCH https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a
The JSON in the body of the PATCH request can look similar to the following example.
{
"addressStatus": "yes",
"autoLasthop": "default",
"clonePools": [],
"connectionLimit": 0,
"rateLimit": "disabled",
"rateLimitMode": "object",
"deviceReference": {
"id": "d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"link": "https://localhost/mgmt/shared/resolver/device-groups/cm-adccore-allbigipDevices/devices/d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"name": "host-10-218-20-44.openstacklocal",
"machineId": "d83bdbc6-231c-4e5c-850a-8a8fd452d07b"
},
"gtmScore": 0,
"poolReference": null,
"ipProtocol": "tcp",
"lastHopPoolReference": null,
"mirror": "disabled",
"nat64": "disabled",
"sourceAddress": "0.0.0.0/0",
"sourceAddressTranslation": {
"type": "none",
"lsnPoolReference": null,
"snatpoolReference": null
},
"flowEvictionPolicyReference": null,
"sourcePort": "preserve",
"state": "enabled",
"translateAddress": "enabled",
"translatePort": "enabled",
"destinationAddressList": {
"link": ""
},
"mask": "255.255.255.255",
"name": "vs1",
"description": "",
"partition": "Common",
"kind": "cm:adc-core:working-config:ltm:virtual:adcvirtualstate",
"vlansEnabled": "disabled",
"id": "57e816ea-057b-339e-8364-5793b512b72a",
"policies": [],
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a",
"generation": 4,
"destinationPort": "80",
"lastUpdateMicros": 1587984124706615,
"profilesCollectionReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/profiles",
"isSubcollection": true
},
"sourceAddressType": "Source host",
"destinationAddressType": "Destination host",
"destinationPortType": "Destination port",
"stats": {
"entries": {
"itemId": {
"value": 0,
"description": "57e816ea-057b-339e-8364-5793b512b72a",
"lastUpdateMicros": 1587982250834024,
"updateType": "BASIC"
}
},
"generation": 1,
"lastUpdateMicros": 1587982250834025,
"kind": "cm:adc-core:working-config:ltm:virtual:57e816ea-057b-339e-8364-5793b512b72a:stats:restworkerstats",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/stats"
},
"destinationAddress": "10.10.10.1",
"vlanReferences": null,
"tunnelReferences": null
}
6. Add the new Server SSL Profile to the VS Profiles¶
Send a POST request to add the new server SSL profile to the virtual server's profiles collection.
POST https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/profiles
The JSON in the body of the POST request can look similar to the following example.
{
"name": "custom_sever_profile",
"partition": "Common",
"profileServersslReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/ltm/profile/server-ssl/9429c302-648a-363e-883e-f5f7575324b2"
},
"context": "serverside"
}
7. Add the new Client SSL Profile to the VS Profiles¶
Send a POST request to add the new client SSL profile to the virtual server's profiles collection.
POST https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/profiles
The JSON in the body of the POST request can look similar to the following example.
{
"name": "custom_client_profile",
"partition": "Common",
"profileClientsslReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/ltm/profile/client-ssl/6eb5050f-e49e-394d-9214-09e207da9b82"
},
"context": "clientside"
}
8. Delete the old Server SSL Profile from the VS Profiles¶
Send a DELETE request to remove the old server SSL profile from the virtual server's profiles collection.
DELETE https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/profiles/c239f876-5f8c-35eb-b3bd-903e0871361b
No body is required for the DELETE request.
9. Delete the old Client SSL Profile from the VS Profiles¶
Send a DELETE request to remove the old client SSL profile from the virtual server's profiles collection.
DELETE https://<BIG-IQ>/mgmt/cm/adc-core/working-config/ltm/virtual/57e816ea-057b-339e-8364-5793b512b72a/profiles/86574429-ee8e-3666-8f71-c9594140d5c4
No body is required for the DELETE request.
10. Create Deployment¶
Send a POST request to create a deployment.
POST https://<BIG-IQ>/mgmt/cm/adc-core/tasks/deploy-configuration
The JSON in the body of the POST request can look similar to the following example.
{
"skipVerifyConfig": false,
"skipDistribution": true,
"snapshotReference": null,
"objectsToDeployReferences": [],
"deviceReferences": [{
"link": "https://localhost/mgmt/shared/resolver/device-groups/cm-adccore-allbigipDevices/devices/d83bdbc6-231c-4e5c-850a-8a8fd452d07b"
}],
"name": "dep"
}
11. Deploy to BIG-IP¶
Send a POST request to deploy to the BIG-IP.
POST https://<BIG-IQ>/mgmt/cm/adc-core/tasks/deploy-configuration/be01d8f5-c262-487c-85da-3d39b5ca070a
The JSON in the body of the POST request can look similar to the following example.
{
"id": "be01d8f5-c262-487c-85da-3d39b5ca070a",
"kind": "cm:adc-core:tasks:deploy-configuration:deployconfigtaskstate",
"name": "dep",
"type": "Full",
"status": "STARTED",
"selfLink": "https://localhost/mgmt/cm/adc-core/tasks/deploy-configuration/be01d8f5-c262-487c-85da-3d39b5ca070a",
"username": "admin",
"generation": 15,
"currentStep": "DISTRIBUTE_CONFIG",
"endDateTime": "2020-04-27T04:50:10.375-0700",
"deviceDetails": [{
"hostname": "host-10-218-20-44.openstacklocal",
"deviceReference": {
"link": "https://localhost/mgmt/shared/resolver/device-groups/cm-adccore-allbigipDevices/devices/d83bdbc6-231c-4e5c-850a-8a8fd452d07b"
},
"differenceCount": 1,
"verificationErrorCount": 0,
"postDeploymentErrorCount": 0,
"verificationCriticalErrorCount": 0
}],
"startDateTime": "2020-04-27T04:49:23.838-0700",
"userReference": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"ownerMachineId": "a0a560b7-a28d-46b4-bd12-58e9a63e93eb",
"deviceReferences": [{
"link": "https://localhost/mgmt/shared/resolver/device-groups/cm-adccore-allbigipDevices/devices/d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"uuid": "d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"build": "0.0.39",
"slots": [{
"build": "0.0.39",
"volume": "HD1.1",
"product": "BIG-IP",
"version": "15.0.0",
"isActive": true
}],
"state": "ACTIVE",
"address": "10.218.20.44",
"edition": "Final",
"product": "BIG-IP",
"version": "15.0.0",
"hostname": "host-10-218-20-44.openstacklocal",
"selfLink": "https://localhost/mgmt/shared/resolver/device-groups/cm-adccore-allbigipDevices/devices/d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"deviceUri": "https://10.218.20.44:443",
"groupName": "cm-adccore-allbigipDevices",
"httpsPort": 443,
"isVirtual": true,
"machineId": "d83bdbc6-231c-4e5c-850a-8a8fd452d07b",
"generation": 516,
"properties": {
"imported": true,
"discovered": true,
"supportsAfm": true,
"supportsCpb": true,
"importStatus": "FINISHED",
"supportsFqdn": true,
"discoveryStatus": "FINISHED",
"importedDateTime": "2020-04-27T10:10:53.267Z",
"supportsCsrfUrls": true,
"supportsDatasafe": true,
"supportsFwPolicy": true,
"supportsNatPolicy": true,
"supportUdpPortList": true,
"supportsAlpineEnhs": true,
"supportsBadgerEnhs": true,
"supportsBotDefense": true,
"supportsLoginPages": true,
"supportsSshProfile": true,
"supports_13_0_Enhs": true,
"supports_13_1_Enhs": true,
"supports_14_0_Enhs": true,
"supports_14_1_Enhs": true,
"supports_15_0_Enhs": true,
"supports_15_1_Enhs": false,
"supportsCascadeEnhs": true,
"supportsExtractions": true,
"supportsGeoLocation": true,
"supportsGwtProfiles": true,
"supportsIruleAction": true,
"supportsRuleLogging": true,
"supportsWebScraping": false,
"supportsXmlProfiles": true,
"supportsAddressRange": true,
"supportsJsonProfiles": true,
"supportsPacketTester": true,
"supportsUserIdentity": true,
"supports_12_1_2_Enhs": true,
"supportsFlowInspector": true,
"supportsSendToVirtual": true,
"supportsServicePolicy": true,
"lastDiscoveredDateTime": "2020-04-27T11:50:06.023Z",
"supportsAfmSubscribers": true,
"supportsClassification": true,
"supportsCsrfProtection": true,
"supportsDataProtection": true,
"supportsFlowIdleTimers": true,
"supportsHopoptProtocol": true,
"supportsIpIntelligence": true,
"supportsIruleSampleRate": true,
"supportsNestedPortLists": true,
"supportsSessionTracking": true,
"supportsThreatCampaigns": true,
"supportsLoginEnforcement": true,
"supportsPlainTextProfile": true,
"supportsPortMisusePolicy": true,
"supportsDualStackMgmtPort": true,
"supportsWebSocketSecurity": true,
"lastUserDiscoveredDateTime": "2020-04-27T09:58:22.443Z",
"supportsCompatibilityLevel": true,
"supportsNestedAddressLists": true,
"supportsServerTechnologies": true,
"supportsUrlCascadeFeatures": true,
"suppportsXmlValidationFiles": true,
"restrictsFirewallInlineRules": true,
"supportsAlpineDosProfileEnhs": true,
"supportsAlpineLogProfileEnhs": true,
"supportsIncrementalDiscovery": true,
"supportsAlpineDosDeviceConfig": true,
"supportsLoginPagesHeaderOmits": true,
"supportsRedirectionProtection": true,
"supportsUrlSignaturesOverride": true,
"supportsFirewallRuleIdentifiers": true,
"supportsHostNameEnforcementMode": true,
"supportsAsmDisallowedGeolocation": true,
"supportsHeaderSignaturesOverride": true,
"supportsLoginPagesCascadeFeatures": true,
"supportsBruteForceAttackPreventions": true,
"supportsWhitelistIpBlockRequestAlways": true,
"requiresDhcpProfileInDhcpVirtualServer": true,
"supportsLoginEnforcementCascadeFeatures": true,
"restrictsPortTranslationStatelessVirtual": true,
"supportsSessionTrackingDeviceIdThresholds": true,
"supportsAlpineDosDeviceWhitelistIpProcotol": true,
"supportsVirtualServerDestinationAddressList": true,
"supportsBruteForceAttackPreventionsBadgerFeatures": true,
"supportsSessionTrackingSessionHijackingByDeviceId": true,
"supportsBruteForceAttackPreventionsCascadeFeatures": true,
"supportsSessionTrackingAllLoginPagesUsernameSource": true
},
"isClustered": false,
"mcpDeviceName": "/Common/host-10-218-20-44.openstacklocal",
"isLicenseExpired": false,
"lastUpdateMicros": 1587988376526372,
"managementAddress": "10.218.20.44",
"restFrameworkVersion": "15.0.0-0.0.39"
}],
"lastUpdateMicros": 1587988210424846,
"skipDistribution": false,
"skipVerifyConfig": false,
"snapshotReference": {
"link": "https://localhost/mgmt/cm/adc-core/working-config/snapshots/4b2e66ab-8d6c-4ceb-a906-67fe8abc56ba",
"id": "4b2e66ab-8d6c-4ceb-a906-67fe8abc56ba",
"era": 6,
"kind": "cm:adc-core:working-config:snapshots:snapshotstate",
"name": "Deploy-dep",
"created": "2020-04-27T11:50:07",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/snapshots/4b2e66ab-8d6c-4ceb-a906-67fe8abc56ba",
"username": "admin",
"generation": 1,
"lastUpdateMicros": 1587988207414087,
"preservedDateTime": "2020-04-27T11:50:07",
"globalSnapshotReference": {
"link": "https://localhost/mgmt/shared/storage/snapshots/45495f2c-a957-4fad-873c-bb9e1bf0e3be"
}
},
"identityReferences": [{
"link": "https://localhost/mgmt/shared/authz/users/admin"
}],
"differenceReference": {
"link": "https://localhost/mgmt/cm/adc-core/reports/config-differences/d58cea51-c3b7-440e-ba06-8ab312098759"
},
"refreshSharedConfig": true,
"snapshotTaskReference": {
"link": "https://localhost/mgmt/cm/adc-core/tasks/snapshot-config/50f2236f-2aa2-4874-83bf-5b9ebd610ff3"
},
"verifyConfigReference": {
"link": "https://localhost/mgmt/cm/adc-core/reports/config-verifications/ebe415f7-717d-4b97-bff1-172e3b170fc7"
},
"differenceTaskReference": {
"link": "https://localhost/mgmt/cm/adc-core/tasks/difference-config/d2b8a825-efbe-49d0-9b2c-6362e7c46ea9"
},
"discoveryTaskReferences": [{
"link": "https://localhost/mgmt/cm/adc-core/tasks/discover-config/ac220975-591e-4a8f-b151-1cf06b40ce85"
}],
"verifyConfigTaskReference": {
"link": "https://localhost/mgmt/cm/adc-core/tasks/verify-config/327d9ee6-ee24-44d0-8d11-0cbed5d4c1e2"
},
"futureSchedule": {}
}