Add Let's Encrypt (ACMEv2)
Before You Begin
You're going to need a few things to complete the CA configuration.
DNS Provider Details
The Let's Encrypt CA in Next-Gen Trust Security uses DNS Certificate Authority Authorization (CAA). Next-Gen Trust Security supports the following DNS providers. Review the section for your DNS provider to see what information Next-Gen Trust Security requires.
AWS Route 53
The account you use must have read, create, update, delete, and save permissions.
- Access Key ID
- Secret Access Key
- Hosted Zone ID
Azure
The account you use must have read, create, update, delete, and save permissions.
- Subscription ID
- Resource Group
- Client Secret
- Client ID
- Tenant ID
Note: For additional information on Azure DNS requirements, refer to Reference: Azure DNS.
Cloudflare
- For the email and global API key authentication type:
  - Account email
  - Global API Key
- For the DNS and zone tokens authentication type:
  - Edit zone API token
  - Read zone API token
F5 Distributed Cloud Services
The API Token that is created for use with Next-Gen Trust Security on F5 Distributed Cloud should be in the same namespace where the DNS is hosted.
The DNS account you use must have read, write, update, and delete permissions for the API token.
- API Token
- Group Name
- XC Tenant Shortname
Google Cloud
The account you use must have read, create, update, delete, and save permissions.
- Service account JSON file
Note: For additional information on Google Cloud DNS requirements, refer to Reference: Google Cloud DNS.
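Because the CA relies on DNS CAA, it is worth checking before configuration that your zone's CAA records actually permit Let's Encrypt to issue for the names you plan to request. The following is an added example, not code from Next-Gen Trust Security: it runs the RFC 8659 relevant-record-set walk over a constructed in-memory zone (no live DNS lookups), so `ZONE` and its records are sample data.

```python
"""Offline CAA readiness check: may a given CA issue for a name?

Implements the RFC 8659 rule set over a constructed, in-memory zone so it
can be run before wiring up the Let's Encrypt (ACMEv2) CA. Added example;
ZONE is sample data, not records from any real domain.
"""
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")

# Constructed sample zone: CAA RRsets keyed by owner name.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),            # ';' alone forbids all wildcard issuance
        CAA(0, "iodef", "mailto:pki@example.com"),
    ],
    "sub.example.com": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],   # no CA may issue here
}

def relevant_caa(name, zone):
    """Return the CAA RRset of the closest ancestor-or-self that has one."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return zone[owner]
    return []

def ca_permitted(name, ca_domain, zone):
    """True if ca_domain is allowed to issue for name (wildcard names start with '*.')."""
    rrset = relevant_caa(name, zone)
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # For wildcard names, issuewild records take precedence when present;
    # otherwise (and for all non-wildcard names) the issue records apply.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True                        # no restriction recorded for this name
    # The value may carry parameters after ';' (e.g. validationmethods);
    # only the leading CA domain is compared.
    return any(r.value.split(";")[0].strip().lower() == ca_domain.lower()
               for r in applicable)

def readiness_report(names, zone, ca_domain="letsencrypt.org"):
    """Map each requested name to whether ca_domain may issue for it."""
    return {n: ca_permitted(n, ca_domain, zone) for n in names}
```

Run `readiness_report` over the exact names you intend to put on issuing templates; any `False` entry means the order would fail CAA checking regardless of DNS provider credentials.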
VSatellite
All ACMEv2 CAs require a VSatellite. If you already have a VSatellite installed, it will be available for you to select during configuration.
If not, you'll be able to set up a VSatellite during configuration. Just be sure to have a machine ready that meets the system requirements before you start.
To Set up the CA
Step 1: Set up the Connection
- Sign in to Next-Gen Trust Security.
- Click Configuration > Certificate Authorities.
- Click New > Let's Encrypt (ACMEv2).
- Enter a Name for this CA as it should appear in Next-Gen Trust Security.
- From the Server URL drop-down, select either the production or staging URL.
  Note: These URLs are provided by Let's Encrypt and can't be changed. The Custom ACMEv2 CA in Next-Gen Trust Security allows you to enter custom server URLs if needed.
- Select a VSatellite. If you don't have one deployed yet, click Deploy a VSatellite, and follow the steps to deploy a new VSatellite.
  To take advantage of high availability for certificate issuance and management, select a primary VSatellite that belongs to a high availability group. The system will automatically choose a healthy VSatellite from that group to initiate operations. This helps ensure reliability even if one VSatellite becomes temporarily unavailable.
- Click Test Connection.
- After the connection is successful, click Next.
Step 2: Enter Additional Information
- Enter the Email address of the person or team responsible for certificates issued by this CA.
- Review and agree to the Terms and Conditions.
- Click Next.
Step 3: Enter DNS Provider Details
- From the DNS Provider drop-down, select a DNS provider.
- Complete the credential fields for your provider.
- Click Test Connection.
- Click Done.
After completing the configuration, you're returned to the Certificate Authorities page.
What's Next
This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.