This documentation supports the 23.3 version of BMC Helix ITSM.To view an earlier version, select the version from the Product version menu.

Automating the renewal of SSL certificates for F5 load balancers

Renewing SSL certificates before they expire is crucial to maintaining up-to-date encryption and avoiding disruption to traffic and services. The SSL client profile also needs to be updated with the renewed SSL certificates. By automating this process, you can avoid service disruptions, renew certificates in shorter intervals, adopt the latest security best practices, and save the time and effort needed to manually track renewal dates, plan updates, and perform the actual certificate updates. 

Related topics

<Links to related topics, such as concepts or reference. For guidelines, see Linking.>

You can automate the renewal of wildcard domain SSL certificates on F5 Load Balancers across all data centers.

Benefits

Automating the renewal of SSL certificates offers the following benefits:

  • Save the time required to renew the SSL certificates.
    Certificates can have shorter validity periods, allowing you to get the latest security patches, practices, and features.
    Reduce manual efforts and eliminate the chance for human error.

Scenario: Automated SSL certificate renewal

Scenario

Apex Global, a software as a service (SaaS) company, provides cloud-based products for clients. The company has implemented an automated system to manage the renewal of SSL certificates, ensuring uninterrupted and secure access to its SaaS platform. SSL certificates ensure that the connection between the client and Apex Global's SaaS platform is securely encrypted, specific to its customers. The system diligently monitors certificate expiration dates and automatically triggers the renewal process within a predefined window. The new certificate is procured from the Certificate Authority (CA) and deployed to the relevant load balancers. ApexGlobal then integrates the new certificate into the existing SSL client profile used by the server or load balancer. This automation guarantees uninterrupted service, diminishes manual workload, and bolsters overall security and compliance. 

Before you begin

Because only network team members are entitled to these services, only a network team members can submit these requests. 

The InfoSec team acquires new wildcard certificates, intermediate certificates and RSA keys from the Certificate Authority (DigiCert) and uploads them in the Password Vault.  The team then shares the password ID with the Network team.

InfoSec team acquires the certificates and uploads them to the Password Vault

Automation workflow

The automation workflow consists of two stages:

  1. Import the SSL certificates and key: Upload the .crt and .key files for the wildcard certificate and intermediate certificate to the F5 load balancer server, and then import the SSL certificates and key.
  2. Update the profile: Update the testssl profile and customer's profile on the F5 load balancer server with the newly imported certificate chain and key.

To import the SSL certificates and key

The following image shows the stage 1 automation process:

Upload the certificates and key to F5 load balancer server

  1. The network team submits a DWP request to upload and import the new SSL certificate.
  2. The request triggers a Jenkins job.
  3. The job performs the following actions:
    1. Uploads the new certificate with chain and key to the F5 load balance of the selected data center.
    2. Imports the certificate with chain and key to the location from where the load balancer can use them.
  4. The job sends a notification to the network team on the successful completion.
  5. If the job fails at the upload or import stage, it sends a failure notification to the network team.

To update the SSL client profile

The following image shows the stage 2 automation process:

Update the SSL client profile

  1. The network team submits a DWP request.
  2. The request triggers a Jenkins job.
  3. The job updates the testssl profile and customer's profile on the F5 load balancer server with the newly imported certificate chain and key.
  4. If the update status is successful, it performs the following steps:
    1. Downloads the certificate from the customer's profile.
    2. Tests the expiry to validate the certificate is updated successfully.
    3. Notifies the network team.
    4. Closes the request.
  5. If the update status is failed, notifies the network team and closes the request.   

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*