You can manage and automate certificate lifecycles on an F5 BIG-IP LTM directly from the DigiCert® Trust Lifecycle Manager web console. Trust Lifecycle Manager handles the certificate issuance and renewal requests and installs the issued certificates on the F5 virtual IPs.
To get started, you need to create certificate automation profiles in Trust Lifecycle Manager to specify which issuing CAs to use and types of certificates to issue from them.
You need available seat type licenses in your Trust Lifecycle Manager account for the types of certificates you will automate.
To automate certificate lifecycles on an F5 appliance, you need one or more of the following seat types, depending on the issuing CA.
Seat type | Issuing CA |
|---|---|
DigiCert® CA Manager | |
Any issuing CA outside of DigiCert® CA Manager1 | |
1. Issuing CAs outside of DigiCert® CA Manager require a CA connector in Trust Lifecycle Manager. | |
Follow these workflow steps to create a new certificate profile in Trust Lifecycle Manager:
From the Trust Lifecycle Manager, select Policies > Certificate profiles.
Select the button to Create profile from template.
Select an available base template to use to create the new profile. The choice of template depends on:
The CA to issue certificates from. For issuing CAs outside of CA Manager, you need a CA connector.
The use case for the certificates, including the type of end-entity to secure and how the certificates will be enrolled and deployed.
Importante
Different certificate types consume different seat types in Trust Lifecycle Manager. If you do not have available seats of that type in your account, the base template is disabled and you cannot create profiles from it.
Work through the profile creation wizard, selecting options for how to issue and manage certificates from this profile.
Select Next to move to the next screen, or Back to move back and review or change your selections on previous screens.
On the final screen, select Create to finish creating the new certificate profile.
For profile options specific to F5 appliances, review the following sections.
To create a certificate profile in Trust Lifecycle Manager, you start with a base template and customize it for your organization's digital trust needs.
The following table lists available base templates for managing certificates on an F5 appliance, including the applicable trust type(s), issuing CA, and required seat and CA connector types for each.
To manage certificates on an F5 appliance, make sure to select the following enrollment method for each certificate profile.
Enrollment method | Description |
|---|---|
| Use a DigiCert sensor to request and manage certificates. The same sensor used to add the F5 connector will manage the certificates on the connected appliance. The sensor coordinates the certificate enrollment process and installs the resulting certificates on the target endpoints on the F5 BIG-IP LTM. |
Enable the auto-renew option to prevent outages and make sure you always have valid certificates installed on your systems.
You specify how far in advance of expiration to submit renewal requests, and Trust Lifecycle Manager automatically renews and deploys each certificate to its installed location(s) at that time.
You enable auto-renewal in the Certificate options > Renewal options section of the profile configuration wizard. You can schedule auto-renewal for:
30 days before certificate expiration: This is the default option.
Custom schedule: Specify the number of days before expiration to renew certificates, and the specific time to submit the request.
In addition to account-wide notifications, you can enable notifications for certificates issued from a specific certificate profile.
To enable profile-specific notifications, make selections in the Additional options > Email configuration and notifications section of the profile configuration wizard:
Once you have one or more certificate profiles, you can start using Trust Lifecycle Manager to automate management of the certificates installed on your F5 BIG-IP LTM appliance: