README.md: 31 additions & 36 deletions
@@ -31,24 +31,16 @@
31
31
32
32
## Overview
33
33
34
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
35
-
36
-
- CA Bundles
37
-
- Discovery
38
-
- Inventory*
39
-
- Management (Add and Remove)
40
-
- Web Server Device Certificates
41
-
- Inventory*
42
-
- Management (Add, but replacement/renewal of existing certificate only)
43
-
- SSL Certificates
44
-
- Discovery
45
-
- Inventory*
46
-
- Management (Add and Remove)
47
-
48
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
34
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the certificate protecting the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT handle high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
49
35
50
36
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types. Descriptions of each are provided below.
51
37
38
+
-[F5 SSL Profiles REST](#F5-SL-REST)
39
+
40
+
-[F5 WS Profiles REST](#F5-WS-REST)
41
+
42
+
-[F5 CA Profiles REST](#F5-CA-REST)
43
+
52
44
53
45
## Compatibility
54
46
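Review bot: the deleted paragraph beginning "*Special note on private keys" is not carried over anywhere in this diff, yet it documents security-relevant behaviour: Keyfactor never retrieves the private key but records whether one exists, CA Bundle certificates are treated as having no private key while Web Server and SSL certificates are treated as having one, and Management jobs renew with or without the key accordingly. Keep it in the new overview or move it into the per-store-type sections rather than dropping it. Also, the three added link lines are written as `-[F5 SSL Profiles REST](#F5-SL-REST)` with no space after the hyphen, so Markdown will not render them as a list; use `- [F5 SSL Profiles REST](#F5-SL-REST)`. Minor: "a F5 Big IP device" should read "an F5 BIG-IP device", and "One important note, this integration DOES NOT" is a comma splice ("One important note: this integration DOES NOT").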
@@ -69,16 +61,21 @@ An administrator account must be set up in F5 to be used with this orchestrator
69
61
70
62
## Certificate Store Types
71
63
72
-
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your usecase. This only needs to happen _once_ per Keyfactor Command instance.
64
+
To use the F5 Universal Orchestrator extension, you **must** create the Certificate Store Types required for your use-case. This only needs to happen _once_ per Keyfactor Command instance.
73
65
74
66
The F5 Universal Orchestrator extension implements 3 Certificate Store Types. Depending on your use case, you may elect to use one, or all of these Certificate Store Types.
75
67
76
68
### F5-SL-REST
77
69
78
-
79
70
<details><summary>Click to expand details</summary>
80
71
81
72
73
+
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
74
+
75
+
76
+
77
+
78
+
82
79
83
80
84
81
#### Supported Operations
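Review bot: "Renewals of bound certificates is supported" in the added F5-SL-REST description needs subject-verb agreement ("Renewals ... are supported" or "Renewal ... is supported"). The description is also followed by five added blank lines where one is enough. The "usecase" fix is fine, though plain "use case" would match "Depending on your use case" a few lines below.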
@@ -94,7 +91,7 @@ The F5 Universal Orchestrator extension implements 3 Certificate Store Types. De
94
91
#### Store Type Creation
95
92
96
93
##### Using kfutil:
97
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
94
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
98
95
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
99
96
<details><summary>Click to expand F5-SL-REST kfutil details</summary>
100
97
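Review bot: the "created" to "create" fix is correct; while this sentence is being touched, the following line ("For more information on [kfutil](...) check out the [docs](...)") is missing its terminating period. The same two lines recur under F5-WS-REST and F5-CA-REST, so apply the same punctuation fix there.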
@@ -176,16 +173,20 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
187
182
188
183
184
+
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.
185
+
186
+
187
+
188
+
189
+
189
190
190
191
191
192
#### Supported Operations
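Review bot: "adding a new certificate if one is not already present is not due to F5 limitations" reads as though the limitation is not F5's; rephrase to "adding a new certificate when none is present is not supported, due to F5 limitations". The same run of five trailing blank lines appears here as in the F5-SL-REST section; one blank line is enough.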
@@ -201,7 +202,7 @@ the Keyfactor Command Portal
201
202
#### Store Type Creation
202
203
203
204
##### Using kfutil:
204
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
205
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
205
206
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
206
207
<details><summary>Click to expand F5-WS-REST kfutil details</summary>
207
208
@@ -282,16 +283,20 @@ the Keyfactor Command Portal
<details><summary>Click to expand details</summary>
293
292
294
293
294
+
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default ""ca-bundle"" CA bundle under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
295
+
296
+
297
+
298
+
299
+
295
300
296
301
297
302
#### Supported Operations
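Review bot: `""ca-bundle""` has doubled quotes; it should be `"ca-bundle"` to match the quoting of `"Common"` in the same sentence. It would also help the reader to say which operations the restriction applies to (the text only says the REST endpoints return no certificates from that bundle), so that an empty result against Common/ca-bundle is not mistaken for an empty bundle.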
@@ -307,7 +312,7 @@ the Keyfactor Command Portal
307
312
#### Store Type Creation
308
313
309
314
##### Using kfutil:
310
-
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to created certificate store types.
315
+
`kfutil` is a custom CLI for the Keyfactor Command API and can be used to create certificate store types.
311
316
For more information on [kfutil](https://github.com/Keyfactor/kfutil) check out the [docs](https://github.com/Keyfactor/kfutil?tab=readme-ov-file#quickstart)
312
317
<details><summary>Click to expand F5-CA-REST kfutil details</summary>
@@ -539,12 +543,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
539
543
</details>
540
544
541
545
542
-
543
546
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
@@ -640,12 +641,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
640
641
</details>
641
642
642
643
643
-
644
644
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
645
645
646
646
647
-
648
-
649
647
</details>
650
648
651
649
<details><summary>F5 CA Profiles REST (F5-CA-REST)</summary>
@@ -670,7 +668,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
670
668
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
671
669
| Container | Optional container to associate certificate store with. |
672
670
| Client Machine | The server name or IP Address for the F5 device. |
673
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
671
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
674
672
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
675
673
| PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
676
674
| PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
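Review bot: in the new Store Path description, "i.e. Common/BundleName" introduces an example, so it should be "e.g."; and the follow-on clause says "if the partition name is "Common/BundleName"" when that value is the full store path (partition plus bundle), not the partition name. The sentence also keeps the trailing comma inherited from the old text; end it with a period. The same string appears in integration-manifest.json in this commit, so make the wording fix in both places and keep them identical.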
@@ -704,7 +702,7 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
704
702
| Category | Select "F5 CA Profiles REST" or the customized certificate store name from the previous step. |
705
703
| Container | Optional container to associate certificate store with. |
706
704
| Client Machine | The server name or IP Address for the F5 device. |
707
-
| Store Path | Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is "Common", it must be entered as "Common" and not "common", |
705
+
| Store Path | Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is "Common/BundleName", it must be entered as "Common/BundleName" and not "common/bundlename", |
708
706
| Orchestrator | Select an approved orchestrator capable of managing `F5-CA-REST` certificates. Specifically, one with the `F5-CA-REST` capability. |
709
707
| Properties.PrimaryNode | Only required (and shown) if Primary Node Online Required is added and selected. Enter the Host Name of the F5 device that acts as the primary node in a highly available F5 implementation. Please note that this value IS case sensitive. |
710
708
| Properties.PrimaryNodeCheckRetryWaitSecs | Enter the number of seconds to wait between attempts to add/replace/renew a certificate if the node is inactive. |
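Review bot: this Store Path row has the same wording problems as the PAM-variant table above it: "i.e." should be "e.g." since Common/BundleName is an example, "partition name is "Common/BundleName"" should say "store path", and the sentence ends with a comma instead of a period. Fix both rows (and the manifest string they mirror) together.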
@@ -741,12 +739,9 @@ Please refer to the **Universal Orchestrator (remote)** usage section ([PAM prov
741
739
</details>
742
740
743
741
744
-
745
742
> The content in this section can be supplemented by the [official Command documentation](https://software.keyfactor.com/Core-OnPrem/Current/Content/ReferenceGuide/Certificate%20Stores.htm?Highlight=certificate%20store).
746
743
747
744
748
-
749
-
750
745
</details>
751
746
752
747
## Discovering Certificate Stores with the Discovery Job
docsource/content.md: 1 addition & 16 deletions
@@ -1,21 +1,6 @@
1
1
## Overview
2
2
3
-
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below:
4
-
5
-
- CA Bundles
6
-
- Discovery
7
-
- Inventory*
8
-
- Management (Add and Remove)
9
-
- Web Server Device Certificates
10
-
- Inventory*
11
-
- Management (Add, but replacement/renewal of existing certificate only)
12
-
- SSL Certificates
13
-
- Discovery
14
-
- Inventory*
15
-
- Management (Add and Remove)
16
-
17
-
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores.
18
-
3
+
The f5-rest-orchestrator orchestrator extension manages various types of certificates on a F5 Big IP device (version 15 or later). TLS certificates, CA bundles, and the certificate protecting the administrative website can all be managed with this integration within the scope described in the sections below. One important note, this integration DOES NOT handle high availability (HA) failover between primary and secondary nodes. If syncing between primary and secondary nodes is desired, this must either be handled within your F5 Big IP instance itself, or you can set up a Keyfactor Command certificate store for each node (primary and secondary) and manage each separately.
The F5-CA-REST certificate store type manages F5 Big IP CA certificate bundles. Only custom CA bundles are supported by this integration. The default ""ca-bundle"" CA bundle under the "Common" partition is **not** supported, as F5's REST API endpoints will not return certificates from this bundle.
The F5-SL-REST certificate store type manages F5 Big IP TLS certificates. Renewals of bound certificates is supported, but adding new bindings for new or replacement certificates is not.
The F5-WS-REST certificate store type manages the TLS certificate bound to the F5 administration website. While replacing the existing website certificate is supported, adding a new certificate if one is not already present is not due to F5 limitations.
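Review bot: the three store-type paragraphs added after the new overview paragraph have no blank line between them, so Markdown renders all four lines as a single paragraph; separate them with blank lines. The private-key note is dropped here as in README.md, and since this file mirrors the README overview it is the place to restore that note first. Minor: "a F5 Big IP device" should read "an F5 BIG-IP device", and the doubled quotes in `""ca-bundle""` should be `"ca-bundle"`.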
integration-manifest.json: 1 addition & 1 deletion
@@ -254,7 +254,7 @@
254
254
"Capability": "F5-CA-REST",
255
255
"ServerRequired": true,
256
256
"ClientMachineDescription": "The server name or IP Address for the F5 device.",
257
-
"StorePathDescription": "Enter the name of the partition on the F5 device you wish to manage. This value is case sensitive, so if the partition name is \"Common\", it must be entered as \"Common\" and not \"common\",",
257
+
"StorePathDescription": "Enter the name of the partition followed by the name of the bundle separated by a / (i.e. Common/BundleName). This value is case sensitive, so if the partition name is \"Common/BundleName\", it must be entered as \"Common/BundleName\" and not \"common/bundlename\",",
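Review bot: the new StorePathDescription string ends with a comma inside the literal ("...not \"common/bundlename\",") so the description shown to users ends with a comma instead of a period; "i.e." should be "e.g." because Common/BundleName is an example; and "partition name is \"Common/BundleName\"" describes the store path, not the partition. The JSON remains valid because the comma is inside the string, so only the wording needs attention.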