Add custom ACMEv2
Table of Contents
Expand all | Collapse all
-
- Activate Next-Generation Trust Security
-
-
- Configure AWS connection
- Configure Azure Key Vault connection
-
- Workload Identity Federation authentication
- Workload Identity Federation - Azure Identity Provider authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Workload Identity Federation authentication
- Next-Gen Trust Security Generated Key authentication
- User permissions
- Supported OIDC claims
-
-
-
-
- Create an F5 BIG-IP LTM machine
- Create a Microsoft Azure Private Key Vault machine
- Create a Microsoft IIS machine
- Create a Microsoft Windows (PowerShell) machine
- Create a Microsoft SQL Server machine
- Create a Common KeyStore machine
- Create a Citrix ADC machine
- Create an Imperva WAF machine
- Create a VMware NSX Advanced Load Balancer (AVI) machine
- Create an A10 Thunder ADC machine
- Create a Cloudflare machine
- Create Kemp Virtual LoadMaster machine
- Create a Palo Alto Panorama machine
-
- Provision to an F5 BIG-IP LTM
- Provision to a Microsoft Azure Private Key Vault
- Provision to Microsoft IIS
- Provision to Microsoft Windows (PowerShell)
- Provision to Microsoft SQL Server
- Provision to a Common KeyStore
- Provision to a Citrix ADC
- Provision to an Imperva WAF
- Provision to VMware NSX Advanced Load Balancer (AVI)
- Provision to an A10 Thunder ADC
- Provision to Cloudflare
- Provision to a Kemp Virtual LoadMaster
- Provision to Palo Alto Panorama
-
-
- 47-Day Validity Readiness TLS Certificates dashboard
- About the Certificate Inventory
- Managing certificate lifecycle settings
- Reissuing certificates in Next-Gen Trust Security
- Downloading certificates, certificate chains, and keystores
- Retiring, recovering, and deleting certificates
- Finding certificates in the certificate inventory
- Importing certificates from a CA using EJBCA
- Notification Center overview
- Domain-based validation for external emails
- Managing user accounts
- Troubleshooting
Add custom ACMEv2
Before you begin
You're going to need to provide the URL to your ACMEv2 server during configuration.
DNS provider details
The {{caname}} CA in Next-Gen Trust Security uses DNS Certificate Authority Authorization (CAA). Next-Gen Trust Security supports the following DNS providers. Review the section for your DNS provider to see what information Next-Gen Trust Security requires.
AWS Route 53
The account you use must have read, create, update, delete, and save permission.
- Access Key ID
- Secret Access Key
- Hosted Zone ID
Azure
The account you use must have read, create, update, delete, and save permission.
- Subscription ID
- Resource Group
- Client Secret
- Client ID
- Tenant ID
Note: For additional information on Azure DNS requirements, refer to Reference: Azure DNS.
Cloudflare
- For email and global API Key authentication type:
- Account email
- Global API Key
- For DNS and zone tokens authentication type:
- Edit zone API token
- Read zone API token
F5 Distributed Cloud Services
The API Token that is created for use with Next-Gen Trust Security on F5 Distributed Cloud should be in the same namespace where the DNS is hosted.
The DNS account you use must have read, write, update, and delete permissions for the API token.
- API Token
- Group Name
- XC Tenant Shortname
Google Cloud
The account you use must have read, create, update, delete, and save permission.
- Service account JSON file
Note: For additional information on Google Cloud DNS requirements, refer to Reference: Google Cloud DNS.
VSatellite
All ACMEv2 CAs require a VSatellite. If you already have a VSatellite installed, it will be available for you to select during configuration.
If not, you'll be able to set up a VSatellite during configuration. Just be sure to have a machine ready that meets the system requirements before you start.
Note: Some CAs might require additional setup to enable ACMEv2. See your CA’s documentation to determine if this applies to you.
To set up the CA
Step 1: Set up the connection
- Sign in to Next-Gen Trust Security.
- Click Configuration > Certificate Authorities.
- Click New > Can't find your CA? Add it!
- Enter a Name for this CA as it should appear in Next-Gen Trust Security.
- (Optional) Click Logo and upload an image to represent the CA. If you skip this field, a default logo is used.
- In Server URL, enter the ACMEv2 directory URL provided by your CA.
- Select a VSatellite. If you don’t have one deployed yet, click Deploy a VSatellite and follow the deployment steps.To take advantage of high availability for certificate issuance and management, select a primary VSatellite that belongs to a high availability group. The system will automatically choose a healthy VSatellite from that group to initiate operations. This helps ensure reliability even if one VSatellite becomes temporarily unavailable.
- Click Test Connection.
- After the connection succeeds, click Next.
Step 2: Enter additional information
- Enter the Email address of the person or team responsible for certificates issued by this CA.
- Review and agree to the Terms and Conditions.
- Click Next.
Step 3: Enter DNS provider details
- From the DNS Provider drop-down, select a provider.
- Complete the credential fields for your provider.
Tip (Feature Preview: Custom DNS provider option): The following capability is in preview. Contact Customer Support to enable it.
Select Custom to use any RFC 8555-compliant ACME server that supports DNS-01.
When you choose Custom, a JSON editor appears. Provide key–value pairs that match the variables documented for the go-acme LEGO project.
- Click Test Connection to validate DNS credentials, then Done.
After the configuration saves, you return to the Certificate Authorities page.
What's next
This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.