Generate a Let’s Encrypt signed certificate

Overview

Use this sequence to generate a Let’s Encrypt signed certificate from BIG-IQ. This sequence is mandatory to get a certificate. The steps up to step #6 require administrative privileges and can be performed one time until the challenges expire. After the challenges expire you will need to repeat the sequence.

Sequence

1. Get the Let’s Encrypt provider details

Send a GET request to the CA Provider List API to retrieve the list of certificate authority (CA) providers from BigIQ.

GET https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/provider-list

The JSON in the body of the GET response can look similar to the following example.

{
    "providerList": [
            "Let's Encrypt",
            "Venafi"
    ],
    "generation": 0,
    "lastUpdateMicros": 0,
    "kind": "cm:adc-core:external-ca:provider-list:externalcaproviderliststate",
    "selfLink": "https://localhost/mgmt/cm/adc-core/external-ca/provider-list"
}

2. Get the API endpoints for the Let’s Encrypt server

Send a GET request to the Let’s Encrypt Directory API to retrieve a list of all the API endpoints provided by the Let’s Encrypt server. The JSON in the response can include URLs for resources such as terms of service, nonce, account, order and others which can be accepted for use in subsequent steps of the certificate creation.

GET https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/lets-encrypt/resource-list

The JSON in the body of the GET response can look similar to the following example.

{
    "items": [{
                    "uuid": "59ec6404-afe5-3c23-aa19-b47972578c27",
                    "serverUri": "https://acme-v02.api.letsencrypt.org/",
                    "resourceUrls": {
                            "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
                            "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
                            "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
                            "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
                            "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
                            "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
                    },
                    "generation": 1,
                    "lastUpdateMicros": 1565350119556388,
                    "kind": "cm:adc-core:external-ca:lets-encrypt:resource-list:letsencryptresourceliststate",
                    "selfLink": "https://localhost/mgmt/cm/adc-core/external-ca/lets-encrypt/resource-list/59ec6404-afe5-3c23-aa19-b47972578c27"
            },
            {
                    "uuid": "796d551a-7429-36e4-bc68-687abb8733d3",
                    "serverUri": "https://acme-staging-v02.api.letsencrypt.org/",
                    "resourceUrls": {
                            "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
                            "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
                            "website": "https://letsencrypt.org/docs/staging-environment/",
                            "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
                            "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
                            "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
                            "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
                    },
                    "generation": 1,
                    "lastUpdateMicros": 1565353260651553,
                    "kind": "cm:adc-core:external-ca:lets-encrypt:resource-list:letsencryptresourceliststate",
                    "selfLink": "https://localhost/mgmt/cm/adc-core/external-ca/lets-encrypt/resource-list/796d551a-7429-36e4-bc68-687abb8733d3"
            }
    ],
    "generation": 1,
    "kind": "cm:adc-core:external-ca:lets-encrypt:resource-list:letsencryptresourcelistcollectionstate",
    "lastUpdateMicros": 1565348758357060,
    "selfLink": "https://localhost/mgmt/cm/adc-core/external-ca/lets-encrypt/resource-list"
}

3. Generate the Let’s Encrypt configuration

Send a POST request to the CA Configuration API to generate the certificate authority (CA) configuration. The CA configuration can be used in subsequent steps of the certificate creation.

POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/config

The JSON in the body of the POST request can look similar to the following example.

{
    "name": "LE_Staging_Server",
    "caProvider": "Let's Encrypt",
    "webSdkEndPoint": "https://acme-staging-v02.api.letsencrypt.org/",
    "keyAlgorithm": "RSA",
    "keySize": 2048,
    "terms": true
}

4. Generate the domain configuration

Send a POST request to the Let’s Encrypt Domain Configuration API to generate the domain configuration. This step is required for Let’s Encrypt to verify the domain servers before signing the certificates.

POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/lets-encrypt/config

The JSON in the body of the POST request can look similar to the following example.

{
    "externalCaConfigReference": {
            "link": "https://localhost/mgmt/cm/adc-core/external-ca/config/5194e771-18d1-377d-8706-1d3102ebb312"
    },
    "domains": [{
                    "domainName": "letsencrypt.example1.de"
            },
            {
                    "domainName": "letsencrypt.example2.de"
            }
    ]
}

5. Generate challenge content for the domains

Send a POST request to the Let’s Encrypt Challenge Content API to generate challenge content for each of the domains. Challenge content is generated by Let’s Encrypt and can expire over time. The Let’s Encrypt configuration can keep track of changes and take actions involving the Let’s Encrypt server.

POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/lets-encrypt/challenge

The JSON in the body of the POST request can look similar to the following example.

{
    "externalCaConfigReference": {
            "link": "https://localhost/mgmt/cm/adc-core/external-ca/config/5194e771-18d1-377d-8706-1d3102ebb312"
    },
    "authLocation": "https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3919567",
    "accountLocation": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/10550349"
}

6. Authenticate for domains

Send a POST request to the Let’s Encrypt Authenticate API to authenticate for the domains. The Let’s Encrypt server uses the challenge contents saved in the previous step to authenticate the domains. The Let’s Encrypt configuration orchestrates the authentication.

POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/lets-encrypt/authenticate

The JSON in the body of the POST request can look similar to the following example.

{
    "externalCaConfigReference": {
            "link": "https://localhost/mgmt/cm/adc-core/external-ca/config/5194e771-18d1-377d-8706-1d3102ebb312"
    },
    "authenticationUrl": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/1899037193",
    "forceValidate": false,
    "checkOnlyStatus": false,
    "status": "valid",
    "generation": 0,
    "lastUpdateMicros": 0
}

7. Request a signed certificate

After the previous steps have been completed, the BIG-IQ is ready to request a signed certificate from the Let’s Encrypt server. Send a POST request to the Let’s Encrypt Request Certificate API to request a signed certificate by proving the certificate signing request (CSR).

POST https://<BIG-IQ>/mgmt/cm/adc-core/external-ca/lets-encrypt/csr-request

The JSON in the body of the POST request can look similar to the following example.

{
    "certificateName": "le_cert",
    "domainName": "letsencrypt.example1.de",
    "externalCaConfigReference": {
            "link": "https://localhost/mgmt/cm/adc-core/external-ca/config/5194e771-18d1-377d-8706-1d3102ebb312"
    }
}