How the integration works

The agent hides the complexity of generating the private key on the F5 appliance, creating the CSR, obtaining the certificate, installing the server certificate and CA chain on multiple remote F5 appliances, and enabling SSL on the virtual servers.

Version 2.0 of the agent is PCI compliant: the private key is generated on the F5 appliance and protected with a password, and it never leaves the appliance. It is never copied to the agent machine and is never exposed outside F5 at any point, including during TLS handshakes, where F5 uses the key internally.

To do this, the agent provides a command-line interface, start_acme.py, that connects to F5 through the Certbot BIG-IP plugin and the F5 REST API. The agent is packaged with the Certbot client, which authenticates to the Sectigo ACME server and requests a new certificate according to the YAML configuration file; the agent then installs the certificate on the F5 appliances and enables a secure connection (SSL) on the virtual servers.

Once the script starts, the agent performs the following steps:

  • Reads every YAML configuration file from the /etc/sectigo directory

  • Connects to F5 using the IP address and credentials provided either in the YAML file or in a separate credential file

  • Checks whether a certificate already exists for the Common Name given in the YAML file

  • Generates a password-protected private/public key pair on F5 using the key type and size given in the YAML file. The password comes from a random password generator backed by a software random number generator. Once the custom client SSL profile has been created with the key, certificate and password, the agent erases the password from memory. The agent never writes the password to disk, so it cannot later be recovered and used to export the private key from F5.

  • Generates a certificate signing request (CSR) on F5

  • Downloads the CSR to the Linux client machine

  • Connects to the Sectigo ACME server using the configured environment variables

  • Registers the agent with the Sectigo ACME server

  • Submits the CSR to request a new certificate

  • Uploads the CA chain and new server certificate to F5

  • Creates a custom client SSL profile using the certificate, key and password

  • Enables SSL on the virtual servers using the configured client SSL profile
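The steps above, written out as one orchestration function. This is an added example, not code from the Sectigo agent: the F5 side is a constructed in-memory stand-in whose iControl REST paths and JSON field names are assumptions (not verified against a live BIG-IP), the Certbot/ACME exchange is replaced by an injected issuer callable, and the YAML file is passed in already parsed as a dict. What it demonstrates is the ordering of the calls and the handling of the key password: generated from a CSPRNG, sent to the appliance for the key and the client SSL profile, then dropped, and never written to the status file.

```python
import json
import os
import secrets
import tempfile
from typing import Callable, List, Tuple

Call = Tuple[str, str, dict]  # (HTTP method, iControl REST path, JSON body)


class RecordingF5:
    """Constructed stand-in for an iControl REST session. Calls are recorded
    instead of sent, and certificate names are tracked so the existence check
    behaves like a real appliance. Paths under /mgmt/tm/ are assumptions."""

    def __init__(self) -> None:
        self.calls: List[Call] = []
        self.certs: set = set()

    def cert_exists(self, name: str) -> bool:
        self.calls.append(("GET", f"/mgmt/tm/sys/crypto/cert/~Common~{name}", {}))
        return name in self.certs

    def post(self, path: str, body: dict) -> None:
        self.calls.append(("POST", path, body))
        if path == "/mgmt/tm/sys/crypto/cert":
            self.certs.add(body["name"])

    def patch(self, path: str, body: dict) -> None:
        self.calls.append(("PATCH", path, body))

    def download_csr(self, name: str) -> str:
        self.calls.append(("GET", f"/mgmt/tm/sys/crypto/csr/~Common~{name}", {}))
        return f"-----BEGIN CERTIFICATE REQUEST-----\n{name}\n-----END CERTIFICATE REQUEST-----\n"


def deploy(config_file: str, config: dict, f5: RecordingF5,
           issue_cert: Callable[[str], Tuple[str, str]], status_dir: str) -> dict:
    """Run the workflow for one configuration file (YAML already parsed into
    `config`). issue_cert(csr_pem) -> (cert_pem, chain_pem) stands in for the
    Certbot/ACME exchange. Returns the status record it writes."""
    cn = config["common_name"]
    key_name, cert_name, chain_name = f"{cn}.key", f"{cn}.crt", f"{cn}-chain.crt"
    profile_name = f"clientssl_{cn}"

    if f5.cert_exists(cert_name):
        status = {"common_name": cn, "action": "skipped", "reason": "certificate already exists"}
    else:
        # Key pair is generated on the appliance under a CSPRNG password that
        # exists only in this function's memory (field names are assumptions).
        passphrase = secrets.token_urlsafe(32)
        f5.post("/mgmt/tm/sys/crypto/key", {
            "name": key_name, "keyType": config.get("key_type", "rsa-private"),
            "keySize": config.get("key_size", 2048),
            "securityType": "password", "passphrase": passphrase})
        # CSR is built on the appliance from that key and downloaded; the
        # private key itself never crosses to the agent machine.
        f5.post("/mgmt/tm/sys/crypto/csr", {"name": f"{cn}.csr", "key": key_name, "commonName": cn})
        csr_pem = f5.download_csr(f"{cn}.csr")
        cert_pem, chain_pem = issue_cert(csr_pem)
        for name, pem in ((cert_name, cert_pem), (chain_name, chain_pem)):
            f5.post("/mgmt/tm/sys/crypto/cert", {"name": name, "pem": pem})
        # The password is handed to the profile once, then dropped. Python
        # cannot zeroize a str, so dropping the last reference is the best
        # available; nothing after this point can reach it.
        f5.post("/mgmt/tm/ltm/profile/client-ssl", {
            "name": profile_name, "cert": cert_name, "key": key_name,
            "chain": chain_name, "passphrase": passphrase})
        del passphrase
        for vs in config.get("virtual_servers", []):
            f5.patch(f"/mgmt/tm/ltm/virtual/~Common~{vs}",
                     {"profiles": [{"name": profile_name, "context": "clientside"}]})
        status = {"common_name": cn, "action": "deployed", "certificate": cert_name,
                  "profile": profile_name, "virtual_servers": config.get("virtual_servers", [])}

    # Status file carries the config file's name and never the password.
    os.makedirs(status_dir, exist_ok=True)
    with open(os.path.join(status_dir, os.path.basename(config_file)), "w") as fh:
        json.dump(status, fh)
    return status


def constructed_issuer(csr_pem: str) -> Tuple[str, str]:
    """Constructed stand-in for the ACME step: returns fake leaf and chain PEMs."""
    leaf = "-----BEGIN CERTIFICATE-----\nleaf-for:" + csr_pem.splitlines()[1] + "\n-----END CERTIFICATE-----\n"
    chain = "-----BEGIN CERTIFICATE-----\nconstructed-ca-chain\n-----END CERTIFICATE-----\n"
    return leaf, chain


def demo() -> dict:
    """Run deploy() twice on constructed input: a fresh deployment, then a rerun
    that must be skipped because the certificate now exists on the appliance."""
    status_dir = tempfile.mkdtemp()
    config = {"common_name": "www.example.com", "key_type": "rsa-private",
              "key_size": 2048, "virtual_servers": ["vs_www_443"]}
    f5 = RecordingF5()
    first = deploy("www.example.com.yaml", config, f5, constructed_issuer, status_dir)
    second = deploy("www.example.com.yaml", config, f5, constructed_issuer, status_dir)
    with open(os.path.join(status_dir, "www.example.com.yaml")) as fh:
        status_text = fh.read()
    return {"calls": f5.calls, "first": first, "second": second, "status_text": status_text}


if __name__ == "__main__":
    for method, path, _ in demo()["calls"]:
        print(method, path)
```

Running the script prints the recorded call sequence; the second deploy() stops at the existence check, which is the behaviour a rerun of start_acme.py should have when the certificate is already present.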

Each time a certificate is deployed, a status file with the same name as the certificate configuration file is written to the /etc/sectigo/status directory.

Run /opt/sectigo/start_acme.py as root to verify that it can create (or renew) certificates and deploy them to F5.