Lab 2.11: Create and deploy a SSL Certificate & Key from Venafi with BIG-IQ and AS3 using Ansible

Note

Estimated time to complete: 15 minutes

In this lab, we are going to see the same workflow as Class 6 Module 1 Lab 1.4: create the SSL Certificate & Key on BIG-IQ signed by the Venafi Platform, deploy those SSL objects to a BIG-IP, and create the HTTPS offload application service using AS3.

Instead of doing all the necessary steps through the BIG-IQ user interface, we are going to use Ansible.

This lab will be using the following F5 Ansible Galaxy roles:

Lab environment access

If you have not yet visited the page Getting Started, please do so.

Workflow

  1. Configure the third-party certificate provider in the BIG-IQ UI
  2. Create the SSL Certificate & Key and the AS3 HTTPS offload application service via the API

Configure the third-party certificate provider on BIG-IQ

Follow Class 6 Module 1 Lab 1.4 to configure Venafi with BIG-IQ for Certificate Management.

Note

We are not automating this step, as setting up Venafi with BIG-IQ is a one-time operation.

SSL Certificate & Key and AS3 HTTPS offload application service creation

  1. Connect via SSH or Web Shell to the system Ubuntu Lamp Server (if you use the Web Shell, log in as f5student first: su - f5student).

  2. Execute the playbook bigiq_as3_deploy_venafi_certificate_as3_app.yml:

    cd /home/f5/f5-ansible-bigiq-as3-demo
    docker build -t f5-ansible-runner .
    ./ansible_helper ansible-playbook /ansible/bigiq_as3_deploy_venafi_certificate_as3_app.yml -i /ansible/hosts --extra-vars "cn=webapp123api"

Note

Add -vvv to the ansible-playbook command if you want the debug output.

You can change the Common Name (CN) of the certificate by updating the variable cn, and the VIP (Virtual IP) and application servers by updating vip and servers, in the Ansible Playbook:

 vars:
   cn: "webapp123api"
   vip: "10.1.10.126"
   servers:
      - "10.1.20.126"

You can look at the full source of the Ansible Playbook in the GitHub repository.
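To make the mapping between the playbook variables and the AS3 HTTPS offload service concrete, here is an added example (not the lab's playbook and not F5 code) that builds an AS3 declaration from cn, vip and servers and checks it before it is sent anywhere: the virtual and pool member addresses must be valid IPs, and every reference inside the application (serviceMain.pool, serviceMain.serverTLS, the TLS_Server's certificate) must resolve to an object that is actually declared. The AS3 classes used (ADC, Tenant, Application, Service_HTTPS, Pool, TLS_Server, Certificate) are standard AS3; the tenant name, application name, object names, the schemaVersion string and the optional BIG-IQ target block are assumptions of this example, and the certificate is referenced with a bigip pointer because, in this workflow, BIG-IQ has already deployed /Common/<cn>.crt and /Common/<cn>.key to the BIG-IP.

```python
"""Build and sanity-check an AS3 HTTPS-offload declaration from the playbook
variables (cn, vip, servers). Added example; not the lab's own playbook."""
import ipaddress
import json


def _bad_ip(value):
    """True if value is not a valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return True


def build_as3_declaration(cn, vip, servers, tenant="lab_tenant", target_address=None):
    """Return an AS3 declaration offloading HTTPS on `vip` with the
    certificate/key named `cn` already present in /Common on the BIG-IP.
    Names, schemaVersion and the target block are this example's assumptions."""
    app = {
        "class": "Application",
        "template": "https",                     # requires serviceMain of class Service_HTTPS
        "serviceMain": {
            "class": "Service_HTTPS",
            "virtualAddresses": [vip],
            "virtualPort": 443,
            "pool": "web_pool",                  # reference into this Application
            "serverTLS": "web_tls",              # reference into this Application
        },
        "web_pool": {
            "class": "Pool",
            "monitors": ["http"],
            "members": [{"servicePort": 80, "serverAddresses": list(servers)}],
        },
        "web_tls": {
            "class": "TLS_Server",
            "certificates": [{"certificate": "web_cert"}],
        },
        "web_cert": {
            "class": "Certificate",
            # bigip pointers reuse objects BIG-IQ already deployed from Venafi
            "certificate": {"bigip": f"/Common/{cn}.crt"},
            "privateKey": {"bigip": f"/Common/{cn}.key"},
        },
    }
    adc = {
        "class": "ADC",
        "schemaVersion": "3.20.0",               # assumed; any version with these classes works
        "id": f"{cn}-https-offload",
        tenant: {"class": "Tenant", f"{cn}_app": app},
    }
    if target_address:                           # BIG-IQ needs the managed BIG-IP as target
        adc["target"] = {"address": target_address}
    return {"class": "AS3", "action": "deploy", "persist": True, "declaration": adc}


def validate_declaration(decl):
    """Return a list of problems: invalid addresses and dangling references."""
    problems = []
    adc = decl["declaration"]
    for tname, tenant in adc.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for aname, app in tenant.items():
            if not isinstance(app, dict) or app.get("class") != "Application":
                continue
            where = f"{tname}/{aname}"
            svc = app.get("serviceMain", {})
            for key in ("pool", "serverTLS"):
                if svc.get(key) not in app:
                    problems.append(f"{where}: serviceMain.{key} -> {svc.get(key)!r} is not declared")
            for ip in svc.get("virtualAddresses", []):
                if _bad_ip(ip):
                    problems.append(f"{where}: invalid virtual address {ip!r}")
            tls = app.get(svc.get("serverTLS"), {})
            for cert in tls.get("certificates", []):
                if cert.get("certificate") not in app:
                    problems.append(f"{where}: TLS_Server certificate -> {cert.get('certificate')!r} is not declared")
            pool = app.get(svc.get("pool"), {})
            for member in pool.get("members", []):
                for ip in member.get("serverAddresses", []):
                    if _bad_ip(ip):
                        problems.append(f"{where}: invalid pool member address {ip!r}")
    return problems


if __name__ == "__main__":
    # Same values as the lab's vars block; the target address is a placeholder.
    decl = build_as3_declaration("webapp123api", "10.1.10.126", ["10.1.20.126"],
                                 target_address="<bigip-management-ip>")
    print(json.dumps(decl, indent=2))
    print("problems:", validate_declaration(decl))
```

Running validate_declaration before posting the declaration catches the two mistakes that otherwise only surface as an AS3 error after the BIG-IQ job has started: a typo in a pool or TLS profile name, and a VIP or server address that is not an IP at all.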

  3. Log in to BIG-IQ as david, go to the Applications tab and check that the application is displayed and analytics are showing.

[Image: lab-11-1]

  4. Navigate to Configuration > Local Traffic > Certificate Management > Certificates & Keys and check the certificate expiration date of webapp123api.

[Image: lab-11-2]

  5. With BIG-IQ and Venafi, the certificate can be automatically renewed prior to the expiration date. This feature is configured in the Venafi entry under Third Party CA Management, in the section Automatic renewal.

[Image: lab-11-3]

Certificate Auto Renewal triggers an automatic renewal of certificates prior to expiration. You configure renewal as a number of days before the certificate expires.

Certificate Auto Deployment allows BIG-IQ to automatically deploy renewed certificates to its managed BIG-IP systems. You configure the time of day at which the automatic deployment occurs.