Automating the renewal of SSL certificates for F5 load balancers


Renewing SSL certificates before they expire is crucial to maintaining up-to-date encryption and avoiding disruption to traffic and services. The SSL client profile also needs to be updated with the renewed SSL certificates. By automating this process, you can avoid service disruptions, renew certificates in shorter intervals, adopt the latest security best practices, and save the time and effort needed to manually track renewal dates, plan updates, and perform the actual certificate updates. 

You can automate the renewal of wildcard domain SSL certificates on F5 Load Balancers across all data centers.

Benefits

Automating the renewal of SSL certificates offers the following benefits:

  • Save the time required to renew the SSL certificates.
  • Certificates can have shorter validity periods, allowing you to get the latest security patches, practices, and features.
  • Reduce manual efforts and eliminate the chance for human error.

Scenario: Automated SSL certificate renewal

Apex Global, a software as a service (SaaS) company, provides cloud-based products for clients. The company has implemented an automated system to manage the renewal of SSL certificates, ensuring uninterrupted and secure access to its SaaS platform. SSL certificates ensure that each customer's connection to Apex Global's SaaS platform is securely encrypted. The system monitors certificate expiration dates and automatically triggers the renewal process within a predefined window. The new certificate is procured from the Certificate Authority (CA) and deployed to the relevant load balancers. Apex Global then integrates the new certificate into the existing SSL client profile used by the server or load balancer. This automation guarantees uninterrupted service, reduces manual workload, and strengthens overall security and compliance.

Before you begin

Because only network team members are entitled to these services, only network team members can submit these requests.

The InfoSec team acquires new wildcard certificates, intermediate certificates, and RSA keys from the Certificate Authority (DigiCert) and uploads them to the Password Vault. The team then shares the password ID with the Network team.

InfoSec team acquires the certificates and uploads them to the Password Vault

Automation workflow

The automation workflow consists of two stages:

  1. Import the SSL certificates and key: Upload the .crt and .key files for the wildcard certificate and intermediate certificate to the F5 load balancer server, and then import the SSL certificates and key.
  2. Update the profile: Update the testssl profile and customer's profile on the F5 load balancer server with the newly imported certificate chain and key.

To import the SSL certificates and key

The following image shows the stage 1 automation process:

Upload the certificates and key to F5 load balancer server

  1. The network team submits a DWP request to upload and import the new SSL certificate.
  2. The request triggers a Jenkins job.
  3. The job performs the following actions:
    1. Uploads the new certificate with chain and key to the F5 load balancer of the selected data center.
    2. Imports the certificate with chain and key to the location from where the load balancer can use them.
  4. The job sends a notification to the network team on the successful completion.
  5. If the job fails at the upload or import stage, it sends a failure notification to the network team.

To update the SSL client profile

The following image shows the stage 2 automation process:

Update the SSL client profile

  1. The network team submits a DWP request.
  2. The request triggers a Jenkins job.
  3. The job updates the testssl profile and customer's profile on the F5 load balancer server with the newly imported certificate chain and key.
  4. If the update status is successful, it performs the following steps:
    1. Downloads the certificate from the customer's profile.
    2. Tests the expiry to validate the certificate is updated successfully.
    3. Notifies the network team.
    4. Closes the request.
  5. If the update fails, the job notifies the network team and closes the request.
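Steps 4.1 and 4.2 of stage 2 download the certificate the customer's profile now serves and test its expiry to confirm the update took. The following is an added example of that post-update check, not code from the page or from the Jenkins job it describes: it reads the validity period straight out of a DER-encoded X.509 certificate with the Python standard library only (no F5 modules), then decides whether the installed certificate is the renewed one and is not close to expiry. The certificate bytes produced by `build_sample_cert` are constructed here purely to exercise the check and are not a real certificate; the `min_days_left` threshold of 30 days is an assumed policy value.

```python
"""Post-update expiry check for a certificate served by an SSL client profile.

Added example (not the page's automation). Parses the validity period of a
DER-encoded X.509 certificate with stdlib-only ASN.1 walking and reports
whether the certificate installed on the profile is the expected renewed one.
"""
from datetime import datetime, timedelta, timezone

# --- minimal DER (ASN.1) decoding --------------------------------------------

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_body):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        yield tag, value

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: two-digit years 50..99 are 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)           # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    not_before, not_after = list(_children(fields[3][1]))
    return _parse_time(*not_before), _parse_time(*not_after)

# --- the post-update check ---------------------------------------------------

def check_renewal(der, now, expected_not_after=None, min_days_left=30):
    """Report whether the certificate downloaded from the profile is the renewed one.

    ok is True only when `now` lies inside the validity period, notAfter matches the
    certificate we expected to install (if given), and at least min_days_left remain.
    """
    not_before, not_after = cert_validity(der)
    days_left = (not_after - now).days
    is_renewed = expected_not_after is None or not_after == expected_not_after
    valid_now = not_before <= now <= not_after
    return {
        "not_after": not_after,
        "days_left": days_left,
        "valid_now": valid_now,
        "is_renewed": is_renewed,
        "ok": valid_now and is_renewed and days_left >= min_days_left,
    }

# --- constructed sample certificate (structure only, not a real certificate) --

def _tlv(tag, body):
    """DER-encode one TLV, using the long length form when needed."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def build_sample_cert(not_before, not_after):
    """Build a DER blob shaped like an X.509 v3 certificate with the given validity.
    Names, the key and the signature are placeholders; only the structure matters."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    alg = seq(_tlv(0x06, bytes.fromhex("2A864886F70D01010B")), _tlv(0x05, b""))  # sha256WithRSA
    name = seq()                                               # empty Name (placeholder)
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),                       # [0] version v3
        _tlv(0x02, b"\x01"),                                   # serialNumber
        alg, name,                                             # signature, issuer
        seq(_utc(not_before), _utc(not_after)),                # validity
        name,                                                  # subject
        seq(alg, _tlv(0x03, b"\x00\x00")),                     # subjectPublicKeyInfo (placeholder)
    )
    return seq(tbs, alg, _tlv(0x03, b"\x00\x00"))              # tbs + signatureAlgorithm + signature

def demo():
    """Compare an expiring (old) and a freshly renewed (new) sample certificate."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)            # constructed "current time"
    old = build_sample_cert(now - timedelta(days=360), now + timedelta(days=5))
    new = build_sample_cert(now - timedelta(days=1), now + timedelta(days=364))
    expected = cert_validity(new)[1]                           # notAfter of the cert we installed
    return {"old": check_renewal(old, now, expected), "new": check_renewal(new, now, expected)}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

In the real job the `der` bytes would come from the certificate downloaded from the customer's profile in step 4.1 (PEM input can be converted with `ssl.PEM_cert_to_DER_cert`), and `expected_not_after` from the certificate imported in stage 1, so the check catches both a profile that still serves the old certificate and one whose new certificate is already near the renewal window.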
