Agent overview

The Sectigo ACME F5 Agent v2.0 is built on the Certbot BIG-IP plugin and adds features beyond the plugin's defaults.

Certbot BIG-IP plugin default supported features

  • F5 appliances in standalone and HA setups (active/standalone, active/standby, active/active)

  • Creates the client SSL profile based on the parent profile and attaches the certificate, key, and CA chain

The current version of the agent supports only pre-validated domains in Sectigo Certificate Manager (SCM). This means that all domains for which certificates are requested must go through Domain Control Validation (DCV). Instructions for the DCV process can be found in the SCM administrator’s guide.

Sectigo ACME F5 Agent v2.0 plugin supported features

  • Payment Card Industry (PCI) compliance - private keys are generated on F5 with password protection

  • Support for a custom parent profile

  • Automatic SSL enablement on F5 virtual servers using the new client SSL profile(s)

  • Auto-renewal and key management of the SSL/TLS certificates on multiple F5 appliances

  • Support for both the RSA and ECDSA key types (ECDSA currently supports only the secp256r1 curve)

  • Support for multi-domain certificates and wildcard certificates

  • Custom log levels

  • The ability to enable certificate management on specific virtual servers

  • Support for Server Name Indication (SNI)

Sectigo ACME F5 Agent

Prerequisites

The agent requires the following prerequisites to be satisfied before it is run:

  • Python 3.6 or later

  • pip3

  • A new account for the organization created in SCM (contact the Sectigo Sales Team)

  • The organization registered with SCM

  • Domains created, delegated and pre-validated with the Sectigo backend

  • The ACME service is enabled for that account

  • An ACME account registered for the organization

  • See the ACME integration guide for enterprise customers for instructions on obtaining the artifacts (the ACME server URL and the External Account Binding (EAB) values) needed to run the agent. Contact your Sectigo account manager if you need further information.

  • A Linux client with root privileges to install and manage the agent

  • Network access to the F5 appliance(s) from your Linux client

  • F5 credentials for agent authentication to the appliances

  • Operating systems:

    • CentOS 7.3/7.7/7.9/8.3

    • Ubuntu 20.04

    • RHEL 7/8

  • F5 BIG-IP 13.x and higher

    The agent was tested on F5 BIG-IP version 16.x.

Agent configuration requirements

During the creation of an ACME account, SCM displays the following authentication details. Copy and save them for agent configuration; they are required to register the agent with the Sectigo ACME server.

A sample env file is provided in the package for your reference. Replace the placeholder values in the file with the values received from SCM during the ACME account registration.

The ACME account values are required only during first-time initialization. Once the agent has registered successfully with the Sectigo ACME server, it uses the authentication token created during initialization for all subsequent certificate management activities.

Sectigo ACME account details

  • ACME server endpoint URL

  • External Account Binding (EAB) Key ID

  • EAB HMAC key

  • Network access from the Linux client machine to connect to the ACME server URL and F5 appliance(s).
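The EAB Key ID and EAB HMAC key listed above are the two halves of the External Account Binding defined in RFC 8555 section 7.3.4: during first-time initialization the ACME client signs its own account public key with the HMAC key, and the server recomputes that MAC under the key it issued for that Key ID, which is how the new ACME account gets tied to the SCM organization. The following added example (not the agent's or Certbot's code) builds and verifies such a binding with the Python standard library. The URL, Key ID, HMAC key and account JWK coordinates are all constructed placeholders; the HMAC key is assumed to be base64url-encoded, as Certbot expects for this value.

```python
"""External Account Binding (EAB) for an ACME newAccount request (RFC 8555 s7.3.4).

Illustration only: standalone example, not code from the Sectigo agent or Certbot.
"""
import base64
import hashlib
import hmac
import json

# --- constructed sample values (not real credentials) -------------------------
NEW_ACCOUNT_URL = "https://acme.example.invalid/directory/new-account"  # placeholder
EAB_KID = "example-eab-kid-0001"                                       # placeholder Key ID
# EAB HMAC key as the CA would hand it out: base64url of the raw key bytes (assumed format)
EAB_HMAC_KEY = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
# The client's ACME account public key as a JWK; coordinates are placeholders, not a real point
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "x-placeholder", "y": "y-placeholder"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(eab_kid: str, eab_hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> dict:
    """Client side: produce the externalAccountBinding JWS.

    protected = {"alg":"HS256","kid":<EAB Key ID>,"url":<newAccount URL>}
    payload   = the account public key JWK (must equal the outer request's "jwk")
    signature = HMAC-SHA256(key=raw HMAC key, data=protected_b64 "." payload_b64)
    """
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    signing_input = f"{protected_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key_b64), signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64, "signature": b64url(mac)}


def new_account_request_payload(eab: dict, contact: list) -> dict:
    """The newAccount body the binding is embedded in (the outer JWS is signed by the account key)."""
    return {"termsOfServiceAgreed": True, "contact": contact, "externalAccountBinding": eab}


def lookup_hmac_key(kid: str):
    """Stand-in for the CA's registry of issued EAB credentials (constructed, one entry)."""
    return {EAB_KID: EAB_HMAC_KEY}.get(kid)


def verify_eab(eab: dict, hmac_key_lookup, new_account_url: str, account_jwk: dict) -> bool:
    """Server side: reject unless alg/url match, the kid is known, the payload is the
    same JWK that signs the outer request, and the MAC verifies under the issued key."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload_jwk = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256" or protected.get("url") != new_account_url:
        return False
    key_b64 = hmac_key_lookup(protected.get("kid"))
    if key_b64 is None or payload_jwk != account_jwk:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode("ascii")
    expected = hmac.new(b64url_decode(key_b64), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)  # constant-time comparison


EXAMPLE_EAB = build_eab(EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)

if __name__ == "__main__":
    print(json.dumps(new_account_request_payload(EXAMPLE_EAB, ["mailto:pki@example.invalid"]), indent=2))
    print("valid binding:", verify_eab(EXAMPLE_EAB, lookup_hmac_key, NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

This is why the HMAC key is needed only once: after the server accepts the binding, the account is identified by the account key pair (and the token the agent stores), so the EAB values can be kept out of day-to-day operation. In Certbot terms these are the `--eab-kid` and `--eab-hmac-key` options; which env variables the agent maps them to is defined by the sample env file in the package, not by this example.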

F5 appliance(s) and certificate details for the YAML file

  • Certificate Folder Name

  • F5 management IP address and port

  • Signature algorithm key type and size

  • Certificate common name

  • SAN values (multi-domain support)

  • HA Group name (optional)

  • Partition name

  • Virtual server Name

  • F5 user credentials (optional)

  • SSL parent profile name

  • Old client SSL profile (optional; if specified and SNI is not enabled, it is replaced with the new client SSL profile)