F5 Venafi Solution for Enterprise Key and Certificate Management
Solution Overview
If you have deployed multiple BIG-IP systems to protect your business applications, you know how complex—and important—the certificate and key management process is. Certificates and keys play a critical role in securing data and application identity, and any mismanagement represents a significant risk to security and overall operations.
F5 has partnered with Venafi, the industry leader in machine identity protection, to develop a BIG-IQ based integrated solution that automates the certificate and key management lifecycle—creating certificate requests, retrieving and managing certificates and keys, and overseeing their distribution to multiple BIG-IP systems. This comprehensive solution enables our customers to simplify and centralize the control of this crucial process while maintaining high levels of security.
Solution Deployment
F5 BIG-IQ is at the core of this integrated solution, automating management of the entire key and certificate lifecycle. BIG-IQ establishes a secure control channel with Venafi Trust Protection Platform (TPP) for certificate signing requests and enrollment. Once the certificates are signed and received from Venafi TPP, BIG-IQ enables you to assign them to the virtual servers and securely provision them to BIG-IP systems.
Bill of materials
- F5 BIG-IQ, managing BIG-IP systems
- Venafi Trust Protection Platform (TPP)
Deployment Steps
Before beginning the detailed configuration, verify that BIG-IQ can resolve the hostname of the Venafi TPP server and reach it over the network on the port in the WebSDK URL; the Test Connection step below will fail otherwise, and a DNS or firewall problem is easier to isolate before the rest of the configuration exists.
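A preflight script for this check, written for this page as an added example (it is not F5's or Venafi's code). Run it from a host that sits on the same network path as BIG-IQ, giving it the WebSDK URL you will enter in Step-1. It checks the three layers in order: hostname resolution, TCP reachability, and a TLS handshake that verifies the TPP server certificate and hostname, so that a trust-store problem surfaces here rather than tempting someone to disable certificate verification later. The hostname tpp.example.com and the /vedsdk path are placeholders, not values taken from the page.

```python
"""Preflight check for the BIG-IQ -> Venafi TPP control channel (added example).

Stages: 1) resolve the TPP hostname, 2) open a TCP connection, 3) complete a
TLS handshake with certificate and hostname verification enabled. Each stage
only runs if the previous one succeeded, so the first populated 'error' tells
you which layer to fix: DNS, firewall, or trust store.
"""
import socket
import ssl
from urllib.parse import urlparse


def parse_websdk_url(url):
    """Split a WebSDK URL into (host, port, path). https is assumed if no scheme is given."""
    if "://" not in url:
        url = "https://" + url
    parts = urlparse(url)
    if parts.scheme != "https":
        # The WebSDK carries TPP credentials; refuse to check a plaintext URL.
        raise ValueError("WebSDK URL must use https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("WebSDK URL has no hostname: %r" % url)
    return parts.hostname, parts.port or 443, parts.path or "/"


def check_tpp_reachability(url, timeout=5.0, cafile=None):
    """Return a dict describing how far the connection to TPP gets.

    cafile: optional PEM bundle for the CA that issued the TPP server
    certificate, if it is not in the system trust store.
    """
    host, port, _ = parse_websdk_url(url)
    result = {"host": host, "port": port, "addresses": [], "tcp_ok": False,
              "tls_ok": False, "peer_subject": None, "not_after": None, "error": None}

    # 1. Hostname resolution through the local resolver (as BIG-IQ would do).
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        result["addresses"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["error"] = "resolve: %s" % exc
        return result

    # 2. TCP reachability: a firewall between BIG-IQ and TPP shows up here.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = "tcp: %s" % exc
        return result
    result["tcp_ok"] = True

    # 3. TLS with verification on. create_default_context() verifies the chain
    #    against the system store (or cafile) and checks the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result["tls_ok"] = True
            # getpeercert() returns the subject as a tuple of RDNs; take the
            # first attribute of each RDN (enough to identify the server cert).
            result["peer_subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
            result["not_after"] = cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        # Fix this by importing the TPP CA chain, not by turning verification off.
        result["error"] = "tls-verify: %s" % exc
    except (ssl.SSLError, OSError) as exc:
        result["error"] = "tls: %s" % exc
    finally:
        sock.close()
    return result


if __name__ == "__main__":
    import json
    # Placeholder URL; replace with the WebSDK URL you will configure in BIG-IQ.
    print(json.dumps(check_tpp_reachability("https://tpp.example.com/vedsdk/"), indent=2))
```

A result with `tls_ok` true and a `peer_subject` naming the TPP host means BIG-IQ should be able to establish the control channel with certificate verification intact; a `tls-verify:` error means the TPP server certificate's issuing CA has to be trusted on BIG-IQ before Step-1.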
Step-1: Add Venafi as third party CA provider in BIG-IQ
- From the BIG-IQ management GUI, click on the Configuration tab and navigate to LOCAL TRAFFIC >> Certificate Management >> Third Party CA Management.
- Click the Create button and select Venafi as the CA provider.
- Enter the WebSDK URL (an HTTPS URL) and the credentials of the Venafi TPP account that BIG-IQ will use to submit CSRs and retrieve certificates.
- Once configured, click the Test Connection button to verify that BIG-IQ can reach and authenticate to the Venafi TPP server.
- Click the Save & Close button. The Venafi provider you added appears in the list.
- Click the Edit Policy link of the new Venafi provider you added.
- In the Policy Folder Path, type the path of the Venafi TPP policy folder under which the certificates and keys are managed, and then click the Get button.
- BIG-IQ populates the Policy Folder List with the policies to which it can send Certificate Signing Requests. At this point (or later), you can rename a policy for easier identification by editing its nickname.
- Click the Save & Close button.
Step-2: Create a CSR to get a signed certificate from Venafi
- Navigate to LOCAL TRAFFIC >> Certificate Management >> Certificates & Keys and click on the Create button.
- Select ‘Venafi’ as the Issuer, and the policy folder.
- Specify the Certificate and Key properties.
- Click the Save & Close button. BIG-IQ generates the key pair and the CSR, sends the CSR to Venafi TPP for signing, and imports the signed certificate it receives.
You can now assign this imported certificate and its key to your managed BIG-IP VE devices.
Step-3: Assign the certificate and key to the application
- Navigate to LOCAL TRAFFIC >> Profiles. Click the Create button.
- Create a Client SSL Profile selecting the certificate and the key.
- Once configured, click the Save & Close button.
- Navigate to LOCAL TRAFFIC >> Virtual Servers. Click the Create button.
- Create a virtual server and assign the client SSL profile.
- Once configured, click the Save & Close button.
Step-4: Deploy the configuration to a target BIG-IP System
- Click on the Deployment tab and navigate to EVALUATE & DEPLOY >> Local Traffic & Network.
- In the Deployment section, click the Create button.
- Select the virtual server object and the target BIG-IP device, then click the Deploy button.
- Click the Configuration tab and navigate to LOCAL TRAFFIC >> Virtual Servers. The virtual server now shows as deployed to the target BIG-IP system.
Summary
As this demonstration shows, BIG-IQ not only offers centralized management for BIG-IP systems, it also provides a single point of control for key and certificate lifecycle automation through its integration with Venafi TPP. This simple, easy-to-deploy solution enables you to deliver secure applications more quickly and effectively, whether on-premises or in the cloud.