Using the connector

This page describes how to manage the certificate lifecycle on Avi Vantage using the Avi UI or bash script.

Enroll a certificate

You can enroll a certificate using the Avi UI or bash script.

Enroll a certificate using the Avi UI

  1. Select Templates from the left-hand Applications menu.

    Avi Menu
  2. Select Security in the header bar.

  3. Select the SSL/TLS Certificates tab.

  4. Select the type of certificate from the Create menu.

    SSL/TLS Certificates Page
  5. In the New Certificate window, select CSR as the Type and complete the fields for generating a CSR.

    This step only applies to application or controller certificates.
    New Certificate Window
  6. In the Certificate Management Profile field, select the certificate management profile that you created earlier. You may update values of dynamic parameters if needed.

    This step only applies to application or controller certificates.

    The Enable OCSP Stapling box can be selected for additional functionality, but isn’t required. With OCSP stapling, the browser issues an OCSP request when a certificate has to be verified. This request contains the serial number of the certificate and is sent to the OCSP responder. The OCSP responder looks up the number in the CA database and fetches the corresponding revocation status of the certificate through a signed OCSP response.

    New Certificate Window
  7. Click Save.

  8. The enrolled certificate should appear on the SSL/TLS Certificates page. Make sure the status is green and when you hover over it there are no warnings or errors.

    If OCSP stapling isn’t enabled, the status for a certificate will still appear green, but when you hover the cursor over it, a rollover message will appear stating that OCSP stapling isn’t enabled.

    In SCM, enrolled certificates can be viewed on the Certificates > SSL Certificates page.

    SCM SSL Certificates Page

    Clicking on a certificate opens a popup that contains its details.

    SCM Certificate Details
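To complement the status check in step 8 with a client-side view of what a virtual service actually serves, the following shell example (added here; it is not part of the connector or of this guide) classifies the OCSP stapling result from the output of openssl s_client -status. The host and port passed to check_vs_stapling and the two sample outputs it is exercised against are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the connector or this guide): classify OCSP stapling
# from `openssl s_client -status` output. The host/port and the sample outputs
# below are constructed assumptions.

# Takes the captured s_client output as $1 and prints one of:
#   stapled:<cert status>   a stapled response was received (good/revoked/unknown)
#   not-stapled             the server sent no OCSP response
#   unknown                 output contained neither marker
ocsp_staple_state() {
  out="$1"
  case "$out" in
    *"OCSP Response Status: successful"*)
      status=$(printf '%s\n' "$out" \
        | sed -n 's/^[[:space:]]*Cert Status: \([a-z]*\).*/\1/p' | head -n 1)
      echo "stapled:${status:-unknown}" ;;
    *"OCSP response: no response sent"*)
      echo "not-stapled" ;;
    *)
      echo "unknown" ;;
  esac
}

# Live check against a virtual service (assumed host and port). Not run here;
# call it yourself, e.g. check_vs_stapling app.example.com 443
check_vs_stapling() {
  host="$1"; port="${2:-443}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null)
  ocsp_staple_state "$out"
}

# Constructed sample: the relevant lines of s_client output when a good
# stapled response is present ...
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

# ... and when stapling is off on the virtual service.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'

ocsp_staple_state "$SAMPLE_STAPLED"       # prints stapled:good
ocsp_staple_state "$SAMPLE_NOT_STAPLED"   # prints not-stapled
```

A result of not-stapled on a virtual service whose certificate has Enable OCSP Stapling selected is worth investigating on the Controller side (for example, whether the Controller can reach the OCSP responder), since the green status in the UI alone does not show what clients receive.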

Enroll a certificate using the bash script

  1. Open the enroll.sh script in your preferred editor.

  2. Specify CSR information in the certificate_params JSON object.

    Enroll script parameters

    You may also update the values of the algorithm and key_type keys. The valid key_type values depend on the algorithm:

    Algorithm              Key type
    SSL_KEY_ALGORITHM_RSA  SSL_KEY_2048_BITS or SSL_KEY_4096_BITS
    SSL_KEY_ALGORITHM_EC   SSL_KEY_EC_CURVE_SECP256R1 or SSL_KEY_EC_CURVE_SECP384R1

  3. Run the enrollment script.

    enroll.sh
  4. Once the enrollment is complete, confirm that the enrolled certificate is visible on the SSL/TLS Certificates page in Avi Vantage.
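As an added example that is not part of the connector's enroll.sh, the following shell snippet shows a constructed certificate_params object using the algorithm and key_type values listed in step 2, together with a pre-flight check that rejects a key_type that does not belong to the chosen algorithm (for example an EC curve paired with SSL_KEY_ALGORITHM_RSA) before the script is run. The field names other than algorithm and key_type, and the sed-based extraction of values from the JSON, are assumptions; the real enroll.sh may read its parameters differently.

```shell
#!/bin/sh
# Added example: pre-flight check for the algorithm / key_type pair in the
# certificate_params object that enroll.sh reads. Constructed here; not part of
# the connector. Field names other than algorithm and key_type are assumptions.

# Returns 0 when key_type is valid for algorithm, 1 otherwise. The accepted
# values are the ones the guide lists for each algorithm.
check_key_params() {
  algorithm="$1"
  key_type="$2"
  case "$algorithm" in
    SSL_KEY_ALGORITHM_RSA)
      case "$key_type" in
        SSL_KEY_2048_BITS|SSL_KEY_4096_BITS) return 0 ;;
      esac ;;
    SSL_KEY_ALGORITHM_EC)
      case "$key_type" in
        SSL_KEY_EC_CURVE_SECP256R1|SSL_KEY_EC_CURVE_SECP384R1) return 0 ;;
      esac ;;
  esac
  return 1
}

# Pull a string value for key $1 out of the flat JSON object in $2.
# Constructed-sample parsing only (no nesting, no escaped quotes).
json_string() {
  printf '%s\n' "$2" \
    | sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Constructed certificate_params object. common_name and organization are
# assumed CSR fields; algorithm and key_type are the keys the guide names.
CERTIFICATE_PARAMS='{
  "common_name": "app.example.com",
  "organization": "Example Corp",
  "algorithm": "SSL_KEY_ALGORITHM_RSA",
  "key_type": "SSL_KEY_4096_BITS"
}'

# Validates the object; returns 0 on a consistent pair, 1 on a mismatch,
# so it can gate the enrollment run (e.g. check_params_json "$P" && ./enroll.sh).
check_params_json() {
  alg=$(json_string algorithm "$1")
  kt=$(json_string key_type "$1")
  if check_key_params "$alg" "$kt"; then
    echo "ok: $alg / $kt"
    return 0
  fi
  echo "error: key_type '$kt' is not valid for algorithm '$alg'" >&2
  return 1
}

check_params_json "$CERTIFICATE_PARAMS"   # prints ok: SSL_KEY_ALGORITHM_RSA / SSL_KEY_4096_BITS
```

Running the check before enroll.sh turns a mismatched pair into an immediate, readable error instead of a rejected CSR discovered later on the SSL/TLS Certificates page.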

Renew a certificate

The Avi Controller automatically attempts to renew certificates. By default, the system generates expiration alert notifications 30 days, 7 days and 1 day before expiry. If the certificate management profile is configured for a certificate, the system will attempt a renewal on the last-but-one time interval. In the default setting, the renewal is attempted 7 days before the certificate expires.

You can also customize when expiry notifications are sent by changing the ssl_certificate_expiry_warning variable. See the Avi Vantage documentation for more information.

Revoke a certificate

Certificates are revoked either automatically once the expiry date has been reached, or manually in SCM. A revoked certificate will have a red icon in its status field.

View the logs

Logs record timestamped events that occur within the system. Once enabled, all logs for events that occur within the Avi Controller can be viewed on the Events page:

  1. In the Avi Vantage Controller, select Operations from the left-hand Applications menu.

    Avi Menu
  2. Select Events from the top menu.

    Event Logs Page