Automating CLM for F5 Devices

Prerequisites

  1. Download:
  2. Copy both the JAR files to an AppViewX node as the installed user.
    • On-prem: Place the JAR files in the appviewx_dependencies/external_libs/ folder within the AppViewX installation directory.
    • SaaS: Place the JAR files in deps/external_libs where the cloud connector is installed.
  3. Ensure the following prerequisites are met:
    • Versions Supported: v10.x, v11.x, v12.x, v13.x, v14.x, v15.x, v16.x, v17
    • IP Address/FQDN: IP address or FQDN
    • User Privilege: Role: Admin (bash access is required). Authentication: Username/Password or a Credential List entry (AppViewX/CyberArk).
    • Enable Password: Not applicable
    • License Check: Yes
    • Services and Ports for AppViewX Communication: 22 and 443
    • Internet Access/Proxy if Required: Not applicable
    • Location from which Certificates are discovered if managed:
      • /config/filestore/files_d/<partition>_d/certificate_d/
      • /etc/httpd/conf/ssl.crt/
      • /etc/pki/tls/certs/
      • v10:
        • /config/ssl/ssl.crt/
        • /etc/httpd/conf/ssl.crt/
        • /etc/pki/tls/certs
  4. Restart (delete) both the avx-vendors and appviewx-platform-gateway pods.

Onboarding an F5 Device

  1. Go to Menu > ADC+ > ASSET MANAGEMENT.
  2. Perform one of the following:
    • Click Device Inventory, and then select Add (+) icon to navigate to the Device details page.
    • Click Onboard Device in the left navigation panel.
  3. In the Device details page, click the F5 icon.
  4. Enter or select the field information in the General information section.
    1. For the device type Device/Tenant:
      Table 1. General information Section for "Device/Tenant" Device Type - Field and Description Table
      Name Type Description Validation
      Device Type Drop-down When you select Device Type as Device/Tenant, you will need to provide the relevant device information in the following fields. NA
      *Module Check box LTM / BIG-IP DNS Module. NA
      VCMP Guest Check box To add a device as a vcmp guest, this checkbox should be checked. NA
      *Device name Text Unique name of the device to be added. Device names can only contain alphanumeric characters, '-', '_', '.', '*', '|', '!' and spaces.
      Data center Text Data center name where the device is configured. The default value is Absecon. Data center names can only contain alphanumeric characters, '-', '_', '.', '*', ':', '|' and spaces.
      *Communication Radio button Devices can be accessed using an IP address or FQDN. NA
      *IP Address Text The IPv4 address of the device. The IP address must be in a valid IPv4 format.
      *FQDN Text The FQDN of the device. The FQDN must be in a valid format.
      *SSH Port Text Communication port of the device. Numbers only.
      *Cert Sync Radio button
      • Managed: The certificates of the device can be managed.
      • Monitored: The certificates of the device can be monitored.
      • Ignored: The certificate sync can be ignored.
      NA
      DNSSEC sync Radio button By default, the Ignored option is selected. If your ADC acts as an authoritative DNS server, then select the Managed option to manage the DNSSEC Zones and Keys (KSK and ZSK).
      AppViewX Group Sync Check box This should be enabled if the user wants to sync the devices within the device group. NA
      LB Sync Checkbox By default, this option is enabled to discover and manage the load balancer configurations. If not required, you can disable this option.
      *: Mandatory fields
    2. For the device type Host:
      Table 2. General information Section for "Host" Device Type - Field and Description Table
      Name Type Description Validation
      Device Type Drop-down When you select Device Type as Host, you will need to provide the relevant device information in the following fields. NA
      Host Type Radio button Select any of the following host types:
      • vCMP Host - Enables the running of multiple virtual instances of BIG-IP software on a single physical device.
      • rSeries Host - A host type representing the F5 rSeries hardware platform, designed for high-performance application delivery and security.
      • Velos Partition - A logical partition on the F5 VELOS platform, allowing for the segmentation of resources and management of multiple tenants within a single VELOS chassis.
      NA
      *Device name Text Unique name of the device to be added. Device names can only contain alphanumeric characters, '-', '_', '.', '*', '|', '!' and spaces.
      Data center Text Data center name where the device is configured. The default value is Absecon. Data center names can only contain alphanumeric characters, '-', '_', '.', '*', ':', '|' and spaces.
      *Communication Radio button Devices can be accessed using an IP address or FQDN. NA
      *IP Address Text The IPv4 address of the device. The IP address must be in a valid IPv4 format.
      *FQDN Text The FQDN of the device. The FQDN must be in a valid format.
      *SSH Port Text Communication port of the device. Numbers only.
      *: Mandatory fields
    3. For the device type Controller:
      Table 3. General information Section for "Controller" Device Type - Field and Description Table
      Name Type Description Validation
      Device Type Drop-down When you select Device Type as Controller, you will need to provide the relevant device information in the following fields. NA
      *Device name Text Unique name of the device to be added. Device names can only contain alphanumeric characters, '-', '_', '.', '*', '|', '!' and spaces.
      Data center Text Data center name where the device is configured. The default value is Absecon. Data center names can only contain alphanumeric characters, '-', '_', '.', '*', ':', '|' and spaces.
      *Communication Radio button Devices can be accessed using an IP address or FQDN. NA
      *IP Address Text The IPv4 address of the device. The IP address must be in a valid IPv4 format.
      *FQDN Text The FQDN of the device. The FQDN must be in a valid format.
      *SSH Port Text Communication port of the device. Numbers only.
      *: Mandatory fields
  5. Enter or select the field information in the Credentials section. You can select Manual Entry or Credentials List.
    Table 4. Credentials Section - Field and Description Table
    Name Type Description Validation
    *Credential type Dropdown
    • Manual entry: The user enters the username and password.
    • Credential List: The user selects credential details that are already stored in the credential inventory page. For more details on secure authentication, refer to the Platform User Guide.
    NA
    *Username Text The user name of the device. NA
    *Password Text The password of the device. NA
    Token based authentication Toggle button Access the device REST API using a token. NA
    *: Mandatory fields
  6. Enter or select the field information in the Secondary device information section.
    Table 5. Secondary device information Section - Field and Description Table
    Name Type Description Validation
    Secondary device information Radio button
    • Auto detect: Select this option to auto-detect the peer devices and add them to the inventory page.
    • Manual entry: Use this option to add the peer devices manually.
    • Ignore: Use this option to skip auto-detection of the peer devices.
    NA
  7. Click Save.
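
As an added example (not AppViewX code), the following Python function applies the field rules from the General information tables above to an onboarding record before it is submitted, so that a batch of devices can be checked offline before anyone starts clicking through the form. The field key names, the host-name pattern and the 1-65535 port range are assumptions of this example; the page itself specifies only the character sets, "a valid IPv4 format", "a valid format" for the FQDN and "numbers only" for the port.

```python
"""Offline check of an F5 onboarding record against the General information rules.

Added example, not AppViewX code. Field keys, the host-name pattern and the
1-65535 port range are assumptions; the page states only the character sets,
'a valid IPv4 format', 'a valid format' for FQDNs and 'numbers only'.
"""
import ipaddress
import re
from typing import Dict, List

# Character sets quoted from the Device name and Data center rows above.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9\-_.*|! ]+$")
DATA_CENTER_RE = re.compile(r"^[A-Za-z0-9\-_.*:| ]+$")
# Host-name style FQDN: labels of 1-63 chars, alphabetic TLD (assumed pattern).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")
CERT_SYNC_OPTIONS = {"Managed", "Monitored", "Ignored"}


def validate_device(form: Dict[str, str]) -> List[str]:
    """Return the rule violations for one device record (all values are strings).

    An empty list means the record satisfies every rule this example checks.
    """
    errors: List[str] = []

    name = form.get("device_name", "")
    if not name:
        errors.append("device_name: mandatory")
    elif not DEVICE_NAME_RE.match(name):
        errors.append("device_name: only alphanumerics, - _ . * | ! and spaces")

    data_center = form.get("data_center", "Absecon")  # page default
    if not DATA_CENTER_RE.match(data_center):
        errors.append("data_center: only alphanumerics, - _ . * : | and spaces")

    # Communication is a radio button: exactly one of IP address or FQDN applies.
    comm = form.get("communication")
    if comm == "ip":
        try:
            ipaddress.IPv4Address(form.get("ip_address", ""))
        except ValueError:
            errors.append("ip_address: must be a valid IPv4 address")
    elif comm == "fqdn":
        if not FQDN_RE.match(form.get("fqdn", "")):
            errors.append("fqdn: not a valid host name")
    else:
        errors.append("communication: must be 'ip' or 'fqdn'")

    port = form.get("ssh_port", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append("ssh_port: numbers only, 1-65535")

    if form.get("cert_sync") not in CERT_SYNC_OPTIONS:
        errors.append("cert_sync: must be Managed, Monitored or Ignored")
    return errors


# Constructed sample record; not a real device.
SAMPLE_DEVICE = {
    "device_name": "bigip-prod.01",
    "data_center": "DC:East",
    "communication": "ip",
    "ip_address": "10.0.0.5",
    "ssh_port": "22",
    "cert_sync": "Managed",
}

if __name__ == "__main__":
    for label, rec in (("good", SAMPLE_DEVICE),
                       ("bad", dict(SAMPLE_DEVICE, device_name="bigip@01", ssh_port="ssh"))):
        print(label, validate_device(rec))
```

Run it over each row of an inventory export before onboarding; a record that comes back with an empty list satisfies the character-set, address and port rules the tables state, and anything else is reported with the offending field name so it can be corrected once rather than discovered on Save.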

Validating the F5 Device Onboarding

  1. Go to Menu > ADC+ > ASSET MANAGEMENT > Device Inventory.
  2. From the device inventory page, search for the added F5 device name.

Onboarding Certificates for F5 Devices

There are two ways you can onboard certificates in AppViewX:
  • Via certificate discovery, for existing certificates
  • Via certificate enrollment, for new certificates

Discovering Certificates for F5 Devices

Prerequisites

  • User Permission Required: Administrator or Certificate Manager role
  • Terminal Access: Advanced Shell or TMSH

    Certificate discovery involves downloading certificate and key files from the device via SFTP. This method is accessible only to F5 users with Advanced Shell access. Refer to the relevant F5 article (https://my.f5.com/manage/s/article/K16621651) for detailed instructions.

    For users without Advanced Shell access, SFTP attempts will fail as explained in the aforementioned F5 article. In such instances where SFTP fails, certificates and key files are retrieved using SCP.

    F5 restricts SCP access to the paths listed in the scp.blacklist file. If discovery touches one of these restricted paths, the SCP download fails and the log shows "Unable to download". In that case, either of the following alternatives can be used:
    • Use the REST API(s) to download the files from the device by running:
      db.cert_metadata.update({"_id": "CERT_VENDOR_BASED_CONDITIONS"}, {"$set": {"map.adc_f5_discover_certs_with_rest": "true"}});
    • Remove the following paths, which AppViewX accesses, from the scp.blacklist file, then restart sshd as described in the F5 article https://my.f5.com/manage/s/article/K73463547:
      • /config/filestore/files_d/
      • /config/ssl/ssl.crt/
      • /config/ssl/ssl.key/
      • /config/httpd/conf/ssl.crt/
      • /config/httpd/conf/ssl.key/
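
Before choosing between the two alternatives, it helps to know which of the listed paths a device's scp.blacklist actually covers. The following Python check is an added example, not AppViewX or F5 code: it reads a constructed copy of the file, assumes one directory per line with # comments and that an entry covers everything beneath that directory (confirm both against your device), and reports which of the paths above are blocked.

```python
"""Report which AppViewX discovery paths an F5 scp.blacklist blocks.

Added example, not AppViewX or F5 code. Assumes the blacklist holds one
directory per line with '#' comments, and that an entry covers everything
beneath that directory; confirm both against the device before relying on it.
"""
from typing import Dict, List

# Paths from the discovery prerequisites above that AppViewX reads over SCP.
APPVIEWX_DISCOVERY_PATHS = [
    "/config/filestore/files_d/",
    "/config/ssl/ssl.crt/",
    "/config/ssl/ssl.key/",
    "/config/httpd/conf/ssl.crt/",
    "/config/httpd/conf/ssl.key/",
]

# Constructed sample file content; not copied from any real device.
SAMPLE_BLACKLIST = """\
# directories that must not be reached over SCP
/config/filestore/
/config/ssl/ssl.key   # private keys
/etc/ssh/
"""


def _norm(path: str) -> str:
    """Normalise a directory path so prefix comparison is unambiguous."""
    return path.rstrip("/") + "/"


def parse_blacklist(text: str) -> List[str]:
    """Return the blacklisted directories, comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(_norm(line))
    return entries


def blocked_paths(blacklist: List[str], wanted: List[str]) -> Dict[str, str]:
    """Map each wanted path to the blacklist entry that covers it.

    Subtree semantics (assumed): /config/filestore/ also blocks
    /config/filestore/files_d/.
    """
    blocked = {}
    for path in wanted:
        for entry in blacklist:
            if _norm(path).startswith(entry):
                blocked[path] = entry
                break
    return blocked


def discovery_readiness(blacklist_text: str) -> dict:
    """Summarise whether SCP-based discovery can reach every required path."""
    blocked = blocked_paths(parse_blacklist(blacklist_text), APPVIEWX_DISCOVERY_PATHS)
    advice = ("SCP can reach all discovery paths" if not blocked else
              "enable REST-based discovery or remove the blocking entries and restart sshd")
    return {"scp_ok": not blocked, "blocked": blocked, "advice": advice}


if __name__ == "__main__":
    report = discovery_readiness(SAMPLE_BLACKLIST)
    for path, entry in report["blocked"].items():
        print(f"{path} is blocked by blacklist entry {entry}")
    print(report["advice"])
```

Feed it the contents of the device's scp.blacklist (copied out over an administrative session) instead of the constructed sample. When the report lists a blocked private-key directory, the REST-based alternative avoids loosening the blacklist at all, which is the safer choice where the device's SCP restrictions are deliberate.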

Discovering Certificates for F5 Devices

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Managed Devices Scan.
    The Discovery : Managed Devices Scan : Add Discovery page is displayed.
  2. To initiate a managed devices scan, enter/select the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 6. Discovery run type options
      Frequency Type Description
      On-demand The certificate discovery scan will be triggered manually by the user as and when required.
      Scheduled The certificate discovery scan will be triggered automatically at the specified time and date.
    2. Enter/Select the details for initiating an on-demand managed devices certificate discovery scan.
      Table 7. Field descriptions for on-demand discovery
      Frequency Type Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter/Select the details for initiating a scheduled managed devices certificate discovery scan.

      Table 8. Field descriptions for scheduled discovery
      Frequency Type Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      Occurrence Type
      From the dropdown list, select an occurrence frequency:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget).
      Summary Displays a summary of the selections made for the scheduled discovery.
      *: Mandatory fields
  3. In the Discover By section, enter/select the discovery details.
    Table 9. Instruction for discovering certificates
    Field Description
    *Discovery From From the dropdown list, select Managed ADCs.
    Devices window A list of all the managed ADC devices is displayed in the devices window.

    To select devices for certificate discovery, select the checkbox(es) for the required devices.

    The devices window has the following options:

    • Add as Favorites: You can mark your frequently used devices as favorites.
    • All: Select this to see the complete list of devices (unfiltered).
    • Selected: Select this to list only the selected devices.
    • Unselected: Select this to list only the unselected devices.
    • Delete: Delete the required devices from the favorites list.
    Execute Batches Sequentially To execute the discovery operation on the specified batches sequentially, select this checkbox.
    *Interval Between Batches If Execute Batches Sequentially is selected, enter an interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered here.
    *Discovery Type From the following options, select one:
    • All Certificates: Select this to discover all certificates.
    • Certificates in Use: Select this to discover only those certificates that are associated with a service.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is a set of filters combined from the Rules menu; selecting a rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter/select the following details:
    Table 10. Field descriptions for the After Discover section
    Field Description
    *Move Certificate to Inventory with Status Select from one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    *: Mandatory fields
  6. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    The discovered certificates are displayed in the certificate inventory.

Enrolling Certificates

Enrolling Server Certificates

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Server
    The Enroll Server Certificate page is displayed.
  2. In the General Information section, from the dropdown list, select the required Assign Group.
  3. Enter the CA Details.
    Table 11. Field descriptions for the CA Details section
    Field Description
    *Certificate Authority From the dropdown list, select the certificate authority to request the certificate enrollment.
    Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
    *Renew Automatically To automatically renew this certificate:
    1. Turn on the Renew Automatically toggle.

      The *Start Renewing field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start.

      Valid range for number of days: 1 to 120

    Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *Regenerate Automatically To automatically regenerate this certificate:
    1. Turn on the Regenerate Automatically toggle.

      The *Start Regenerating field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start.

      Valid range for number of days: 1 to 120

      Note: This value can exceed the certificate's validity in case of short-lived certificates.
    Note:
    • This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates).
    • The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *CA Account From the dropdown list, select the CA account to which the certificate enrollment request will be submitted.
    Certificate Type From the dropdown list, select the required certificate type.
    *Division
    Note: This field is applicable only for Digicert CA.
    From the dropdown list, select the division with which the certificate will be enrolled.
    Certificate Profile
    Note: This field is displayed for only selected CAs. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list.

    From the dropdown list, select the certificate profile with which the certificate must enroll.

    *RA Workflow
    Note: This field is displayed when Certificate Authority = IDnomic and a CA+RA setting is selected from the CA Accounts dropdown list.
    From the dropdown list, select the RA workflow that will be used for certificate enrollment.

    Workflow details can be checked on your IDnomic CA portal.

    *Issuer Location
    Note: This field is applicable only for Google CA.

    From the dropdown list, select the issuer location associated with the CA account.

    *Issuer Name
    Note: This field is applicable only for Google CA.

    From the dropdown list, select the issuer name for issuing the certificate.

    *Connector Name Enter a friendly name for the CA connector.

    On saving this form, the name entered here will be displayed in the holistic view.

    Description
    Note: Character limit: 2000 characters

    Enter the description in this field.

    *CSR Generation
    Note: This field is applicable for all CAs except Amazon.

    From the following options, select the required method for generating the CSR:

    • AppViewX: Private key and CSR will be created in AppViewX based on CSR parameters given.
      Note: If auto regeneration has been enabled for this certificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script:
      db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})
    • Upload CSR: You can upload a file that contains the CSR details. This source file will be used to populate the CSR parameters, which will then be submitted to the CA.
      1. Under CSR Generation, select Upload CSR.

        The Please paste your CSR field is displayed.

      2. From the Please paste your CSR field, select Browse.
      3. Navigate to the location of your CSR file, and click Open.
      4. Click Upload.
    • HSM:
      Note: This option is disabled or not displayed when Certificate Authority = Google, CSC Global, or DigiCert One.
      To generate the private key and the CSR, based on the CSR parameters given, in an HSM device:
      1. Under CSR Generation, select HSM.
      2. Fields for gathering your HSM-related inputs are displayed.

        Table 12. To generate the private key and the CSR, enter/select the following details:
        Field Description
        *Device Type From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated:
        • HSM Devices
        • ADC Devices
        *Vendors
        Note: This field is applicable only when Device Type = ADC Devices.
        *Devices From the dropdown list, select the required HSM/ADC device.
        Note: This field is populated based on the Device Type and Vendors selected.
        *Key Handler Name
        Note: This field is applicable only when Device Type = HSM Devices.
        Enter the key handler name.
        *Key Reference Name
        Note: This field is applicable only when Device Type = ADC Devices.
        Enter the key reference name.
    • End Point:
      Note: This option is disabled when Certificate Authority = Google or CSC Global.
      Table 13. To generate the private key and the CSR in the selected end point device, enter the following inputs:
      Field Description
      Category From the following options, select the ADC device category:
      • ADC
      • Cloud
      • Server
      • Firewall
      Vendor From the dropdown list, select the vendor for the end point device.
      Note: The dropdown list for this field is populated based on the Category selected.
      *Devices This field lists the end point devices present in your environment that belong to the above selected Category and Vendor.

      From the dropdown list, select the end point device on which you want to generate the private key and the CSR.

      Tenant
      Note: This field is applicable only when Category = ADC.
      Enter the tenant ID.
      *Service name From the dropdown list, select the cloud service running on the selected cloud device.
      CSR Location
      Note: This field is applicable only when Category = Server.
      Partition
      Note: This field is applicable only when Category = Firewall.
      *CSR File Name Enter the name of the file that contains the CSR parameters.
      Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension.
      Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
      *Key File Name Enter the name of the file that contains the private key details.
      Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension.
      Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
      *Certificate File Name
      Note: This field is displayed only when Category = Cloud.
      Enter the certificate file name.
      *Key vault
      Note: This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
      *Service
      Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
      This dropdown list is populated based on the Device selected.

      From the options in the dropdown list, select the service.

      *Exchange Server
      Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
      From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.
    *: Mandatory fields
  4. For the EJBCA certificate authority, enter/select the vendor details.
    Table 14. Field descriptions for the EJBCA Vendor Specific Details section
    Field Description
    *End Entity Profile Name From the dropdown list, select the end entity profile name.
    End entity user name Enter the name of the end user entity.
    *Issuer Common Name From the dropdown list, select the issuer common name.
    *Certificate Profile Name From the dropdown list, select the certificate profile name.
    *: Mandatory fields
  5. For the certificate being enrolled, enter the CSR Parameters.
    Note: For DigiCert One, all CSR parameters that are assigned static values in the certificate profile will be auto-populated and disabled for editing.
    Table 15. Field descriptions for the CSR Parameters
    Field Description
    Replace PSE File The Replace PSE File checkbox enables users to generate the CSR or private key on the server. This checkbox is displayed only in the following case:
    1. Select Endpoint as the CSR Generation option.
    2. Select Category as Server and Vendor as ABAP or Web Dispatcher. The Profiles dropdown is the only other field displayed below it and is populated with a list of .pse file names.
    3. Select the required Profile from the dropdown. Based on the values selected, the fields in the CSR Parameters section are auto-populated.

    The Replace PSE File checkbox is disabled by default, and the SAN details fields in the CSR Parameters section are also disabled. Selecting the checkbox enables the SAN details fields so that their values can be updated.

    *Common Name Enter the certificate's common name.

    The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>.

    Note: Constraints:
    • Character limit: 64 characters
    • No special characters allowed except underscore (_) and hyphen (-).
    Subject Alternative Name From the dropdown list, select the Subject Alternative Name category for the certificate being enrolled.

    In the corresponding field(s) displayed for the selection made, enter the required values.

    Note:
    • Multiple values must be separated by a comma.
    • After enrollment, the cumulative count of SANs is displayed in the certificate property pop-up window from the holistic view.
    *Organization The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Organization Unit Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Locality The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    State The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Country Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US).
    Note: For renewal of the certificate being enrolled, country name is required.
    Email Address Enter a valid email address of the person responsible for maintaining the certificate.
    *Validity To specify the validity of the certificate being enrolled:
    1. From the first dropdown list, select the number of days/months/years.
    2. From the second dropdown list, select the unit of the duration from the following values: Days/Months/Years.
      For example, if the validity of the certificate is 2 months:
      1. From the first dropdown list, select 2.
      2. From the second dropdown list, select Months.
    Challenge Password Challenge password is one of the CSR parameters to be present in the certificate. The password must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
    Confirm Password Re-enter the password entered in the Challenge Password field.
    *Hash Function The hash function with which the CSR is to be signed. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
    *Key Type The key type is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *Bit Length The bit length is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *: Mandatory fields
  6. In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).
    Table 16. Field descriptions for the Attachments section
    Field Description
    Name Enter a name for the document. This need not be the actual name of the document; it can be an alternate name that will be used for reference only.
    Comments Enter any details relevant to the document being attached.
    Note: Character limit: 2000 characters
    Upload File To upload an attachment:
    1. Click Upload.
    2. Navigate to the location of the document to be uploaded.
    3. Select the document to be uploaded and click Open.

      The selected document is uploaded and listed in the table displayed below these fields in the Attachments section.

      Tip: If you've uploaded multiple attachments, use the Search field to find the required one.
    *: Mandatory fields
  7. In the Certificate Attributes section, enter organization-specific values for the certificate attributes and for the issuing CA's custom attributes that need to be submitted along with the CSR.
    These values will not be a part of the certificate but will be available in the AppViewX inventory. For example, cost center.
    Note: This additional information can be used to filter certificate details in the inventory.
  8. Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.
    Table 17. Field descriptions for the Generic Fields
    Field Description
    Device Name Enter the name of the device.
    Application IP Address Enter the IP address of the application.
    Tracking ID A free-form alphanumeric business identifier, included in the audit logs, that may be used to correlate audit log entries (typically enrollment and revocation events).
    Certificate holder Email
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    An email address that may be used to send notifications to the certificate holder, depending on the notification policies configured for the requested workflow.
    First name
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    First name (as metadata) associated with the certificate to be enrolled.
    Last name
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Last name (as metadata) associated with the certificate to be enrolled.
    Organization
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Organization name (as metadata) associated with the certificate to be enrolled.
    Comment
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Additional information (as metadata) associated with the certificate to be enrolled.
    UUID
    Note: This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment.
    Universally Unique Identifier (UUID) (as metadata) associated with the certificate to be enrolled.
  9. In the Vendor-Specific Details section, enter the CA-specific details. Some CAs expect additional details beyond the CSR parameters as metadata for their operational purposes. Details common to all CAs are taken from the AppViewX user information of the logged-in user.
    Table 18. Field descriptions for the common vendor specific details
    Field Description
    Certificate ID The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section).
    • The Certificate ID can be modified by the user.
    • If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID.
    • If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.
    Table 19. Field descriptions for the CSC Global CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Business Unit Enter the name of the business unit that is requesting the certificate.
    *Organization Contact Enter the email address of the contact in the organization requesting the certificate.
    *Phone Number Enter the phone number of the Organization Contact in the following format: +<country code>-<phone number>.
    Note: For CSC Global, the phone number is not fetched from the AppViewX user information because of the difference in format.
    *Domain Control Validation Type From the following options in the dropdown list, select the method CSC Global will use for authentication before issuing a certificate:
    • EMAIL: CSC Global will send an approval/confirmation request to the registered email ID. Certificate issuance happens only after approval is received.
    • CNAME: On requesting certificate issuance, CSC Global will provide you with a dynamic string. Add a CNAME record with this string to your DNS settings. CSC will issue the certificate requested only after validating this CNAME record.
    Note: CSC Global will perform domain validation for all CLM actions.
    *: Mandatory fields
    Table 20. Field descriptions for the DigiCert CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Payment Method From the dropdown list, select one from the following payment methods:
    • Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account.
      Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance.
    • Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account.
      Note: Ensure that a credit card is configured as the default payment method for your account.
    Additional Email Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
    Renewal Message Enter a custom message that will be sent with the renewal notifications.
    Notes Enter a custom note that will be sent with the order.
    *: Mandatory fields
    Table 21. Field descriptions for the DigiCert One CA vendor specific details
    Field Description
    Seat ID Enter the seat ID that will be assigned to the certificate being enrolled.
    Seat ID is a unique user-defined value assigned to identify an entity in the DigiCert One account. The seat ID for a certificate is used for certificate enrollment, renewal, and regeneration.
    Note: The Seat ID field is displayed only if the Allow Seat ID during enrollment option is selected for the CA account. In this case, the value entered in the Seat ID field is a unique identifier for the certificate being enrolled. Otherwise, a common seat ID is assigned to all certificates enrolled for the selected CA account.
    Table 22. Field descriptions for the GlobalSign MSSL CA vendor specific details
    Field Description
    *Profile name A profile name is defined at the time of creating an account on the GlobalSign MSSL portal. AppViewX retrieves all your profile names from the GlobalSign MSSL portal and populates them in this dropdown list.

    From the dropdown list, select the profile name the enrolled certificate should be mapped to.

    *: Mandatory fields
    Table 23. Field descriptions for the Hydrant ID CA vendor specific details
    Field Description
    Expiry Emails Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID.
    Note: HydrantID CA does not accept updates to these email addresses during the renewal process.
    Table 24. Field descriptions for the Nexus CA vendor specific details
    Field Description
    Procedures The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.
  10. Click Add.
    Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
  11. On the holistic view, click the Submit button to trigger the request.
    The submit action is triggered and the Submit dialog box is displayed.
  12. Enter your comments in the text field and click Yes.
    If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
  13. Click Approve to proceed.
    The Approve dialog box is displayed.
  14. Enter your comments in the text field.
    Note: If the workflow request has to be approved automatically in the future, click the Schedule later button.
  15. Click Yes.
    Once the approval process is complete, the Implement option is displayed in the holistic view.
  16. Click Implement.
    The Implement dialog box is displayed.
  17. Enter your comments in the text field.
    If the workflow request has to be implemented automatically in the future, click Schedule later.
  18. Click Yes.
    CSR submission to the CA is in progress. Once the CSR submission is successful, the request state changes to Submit certificate - retrieval in progress.

    If the enrollment request complies with the conditions defined and auto-approval is enabled in the targeted CA, the certificate is fetched in a few seconds.

    If auto-approval is disabled in the targeted CA, you must log in to the CA and approve the request.

    Once the certificate is issued successfully, it is retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.

    Important: For CSR generation at endpoint, for Category = Server and Vendor = LinuxServer, in the endpoint application connector created after the certificate is issued, the following fields (explained here) are auto-populated/enabled and cannot be modified:
    • Category
    • Vendor
    • Key Location
    • Private key in Device
    Additionally, the available profiles are filtered for the device profile selected at the time of certificate enrollment here.

Enrolling Client Certificates

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Client
    The Enroll Client Certificate page is displayed.
  2. In the General Information section, from the dropdown list, select the required Assign Group.
  3. Enter/Select the CA Details.
    Table 25. Field descriptions for the CA Details section
    Field Description
    *Certificate Authority
    Note: Depending on the CA selected, the rest of the fields will be displayed.
    From the dropdown list, select the required certificate authority (CA).
    Note: For enrolling certificates with policies using Google CA, consider the following points:
    Certificate Enrollment - Strict Policy
    • The Common Name will not be pre-filled from the policy.
    • The following validation will be seen based on strict policy guidelines.
      • If the Common Name’s domain name is not present in the Allowed Domain Name list, an error validation will be shown upon saving the policy details.
    Certificate Enrollment - Suggestive Policy
    • The Common Name will not be pre-filled from the policy.
    • The following validation will be seen based on strict policy guidelines.
      • If the Common Name’s domain name is not present in the Allowed Domain Name list, the non-compliant policy will be created.
      • If the Common Name’s domain name is present in the Blocked Domain Name list, an error validation will be shown upon saving the policy details.
    Note: For Certificate Authority = EJBCA, an additional set of fields, Vendor specific details is displayed after the CA Details section. Instructions on specifying the vendor specific details are covered in step 4.
    Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
    *Renew Automatically To automatically renew this certificate:
    1. Turn on the Renew Automatically toggle.

      The *Start Renewing field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start.

      Valid range for number of days: 1 to 120

    Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *Regenerate Automatically To automatically regenerate this certificate:
    1. Turn on the Regenerate Automatically toggle.

      The *Start Regenerating field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start.

      Valid range for number of days: 1 to 120

      Note: This value can exceed the certificate's validity in case of short-lived certificates.
    Note:
    • This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates).
    • The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *CA Account Select the CA account to which the enrollment request is to be submitted.
    Certificate Type Select the desired certificate type from the dropdown list.
    *Division Select the division to which the certificate must be enrolled.
    Note: This field will be shown only for Digicert CA.
    Certificate Profile
    Note: This field is applicable only for AppViewX CA and Google CA. For the IDnomic CA, this field is displayed when a CA-only setting is selected from the CA Account dropdown list.

    From the dropdown list, select the profile with which the certificate must enroll.

    *RA Workflow
    Note: This field is displayed when Certificate Authority = IDnomic and a CA+RA setting is selected from the CA Accounts dropdown list.
    From the dropdown list, select the RA workflow that will be used for certificate enrollment.

    The details of each workflow are available on your IDnomic CA portal.

    *Issuer Location Select the location of the issuer CA from the dropdown.
    Note: This is applicable only for Google CA.
    *Issuer Name Select the name of the issuer CA from the dropdown.
    Note: This is applicable only for Google CA.
    *Connector Name Enter a friendly name for the Certificate Authority connector. This name is displayed in the holistic view once the form is saved.
    Description Enter the description in this field.
    Note: Character limit: 2000 characters
    *CSR Generation Select the CSR generation option as required.

    Options are:

    • UploadCSR - Uploaded CSR will be taken as a source to populate CSR parameters and submit to CA.
      • Click the Browse button, and then select the file.
      • Click the Upload button to upload the selected file.
      • On uploading CSR successfully, CSR parameters are automatically filled in the CSR section.
    • HSM - Private key and CSR will be created in the selected HSM device based on CSR parameters given.
      Field Description
      *Device Type Select the type of device as required.

      The possible options are:

      • HSM Devices
      • ADC Devices
      *Vendors Select the desired vendor from the dropdown list.

      When Device Type = HSM Devices, the possible vendors are:

      • Fortanix
      • PKCS11

      When Device Type = ADC Devices, the possible vendors are:

      • Safenet
      • Thales
      • Fortanix
      *Devices Select the desired device from the dropdown list.
      Note:
      • By default, the None Selected option is enabled.
      • When Device Type = ADC Devices, choose a device from the list, which is filtered by the selection in the Vendors field.
      *Key Handler Name Enter the desired handler name in the field.
      *Key Reference Name Enter the Key Reference Name.
      Note: This field appears only when Device Type = ADC Devices.
    • End Point - Private key and CSR will be created in the selected End Point device based on CSR parameters given.

      Table 26. To generate the private key and the CSR in the selected end point device, enter/select the following inputs:
      Field Description
      Category From the following options, select the ADC device category:
      • ADC
      • Cloud
      • Server
      • Firewall
      Vendor From the dropdown list, select the vendor for the end point device.
      Note: The dropdown list for this field is populated based on the Category selected.
      *Devices This field lists the end point devices present in your environment that belong to the above selected Category and Vendor.

      From the dropdown list, select the end point device on which you want to generate the private key and the CSR.

      Tenant
      Note: This field is applicable only when Category = ADC.
      Enter the tenant ID.
      *Service name From the dropdown list, select the cloud service running on the selected cloud Devices.
      CSR Location
      Note: This field is applicable only when Category = Server.
      Partition
      Note: This field is applicable only when Category = Firewall.
      *CSR File Name Enter the name of the file that contains the CSR parameters.
      Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension.
      Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
      *Key File Name Enter the name of the file that contains the private key details.
      Note: Since the extension is already included in the field, ensure that you enter the file name without the file extension.
      Note: Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
      *Certificate File Name
      Note: This field is displayed only when Category = Cloud.
      Enter the certificate file name.
      *Key vault
      Note: This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
      *Service
      Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
      This dropdown list is populated based on the Device selected.

      From the options in the dropdown list, select the service.

      *Exchange Server
      Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
      From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.
    • AppViewX - Private key and CSR will be created in AppViewX based on CSR parameters given.
      Note: If auto regeneration has been enabled for this certificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selection made here) every time the certificate is regenerated. To do this, execute the following db script:
      db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})
    Note: For all CA types except Amazon, you have the option to generate the CSR.
    *: Mandatory fields
  4. For the EJBCA certificate authority, enter/select the vendor details.
    Table 27. Field descriptions for the EJBCA Vendor Specific Details section
    Field Description
    * End Entity Profile Name From the dropdown list, select the end entity profile name.
    End entity user name Enter the name of the end user entity.
    * Issuer Common Name From the dropdown list, select the issuer common name.
    *Certificate Profile Name From the dropdown list, select the certificate profile name.
    *: Mandatory fields
  5. Enter/Select the CSR Parameters.
    Table 28. Field descriptions for the CSR Parameters section
    Field Description
    *Common Name The common name is one of the key values of the Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>.

    No special characters are allowed except underscore (_) and hyphen (-).

    Subject Alternative Name The count of subject alternative names (SANs) available for a certificate is shown in the CSR Parameters section, the inventory grid, and the CA connector page.

    Select the subject alternative name type from the dropdown list.

    The possible options are:

    • Select all
    • DNS
    • IP Address
    Note:
    • Multiple values must be separated by a comma.
    • The cumulative count of SANs appears in the certificate property pop-up window opened from the holistic view.
    *Organization The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Organization Unit Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Locality The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    State The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *Country Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US).
    Email Address The email contact details of the person responsible for maintaining the certificate. Enter the valid e-mail address.
    *Validity Enter a number in this field and, from the dropdown list, select whether the validity is in Days, Months, or Years.
    Challenge Password Challenge password is one of the CSR parameters to be present in the certificate. The password must contain at least one letter (uppercase and lowercase), one number, and one special character.
    Confirm Password Re-enter the password entered in the Challenge Password field to confirm it.
    *Hash Function The hash function with which the CSR has to be signed. CA- or vendor-specific restrictions are covered in the Note below. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
    *Key Type The key type is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *Bit Length The bit length is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *: Mandatory fields
  6. In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).
    Table 29. Field descriptions for the Attachments section
    Field Description
    Name Enter the alternate name for the document to be uploaded.
    Comments Enter the comments in this field.
    Note: Character limit: 2000 characters
    Upload File Click the Upload button to select the file.
  7. Other than the CSR fields, you can add organization-specific values along with the CSR. These values will not be part of the certificate but will be available in the AppViewX inventory. For example, cost center. The inventory can be filtered based on these attributes as well. Certificate attributes added under Administration > Certificate Attributes are reflected on the enrollment page.
  8. Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.
    Table 30. Field descriptions for the Generic Fields
    Field Description
    Device Name Enter the name of the device.
    Application IP Address Enter the IP address of the application.
    Tracking ID A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit log entries (typically enrollment and revocation events)
    Certificate holder Email This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
    First name This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. First name (as a metadata) associated with the certificate to be enrolled
    Last name This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. Last name (as a metadata) associated with the certificate to be enrolled
    Organization This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. Organization name (as a metadata) associated with the certificate to be enrolled
    Comment This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. Additional information (as a metadata) associated with the certificate to be enrolled
    UUID This field is displayed only when a CA setting with a registration authority is selected for certificate enrollment. Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled
  9. In the Vendor-Specific Details section, enter the CA-specific details. Some CAs expect additional details beyond the CSR parameters as metadata for their operational purposes. Details common to all CAs are taken from the AppViewX user information of the logged-in user.
    Table 31. Field descriptions for the common vendor specific details
    Field Description
    Certificate ID The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section).
    • The Certificate ID can be modified by the user.
    • If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID.
    • If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.
    Table 32. Field descriptions for the DigiCert CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Payment Method From the dropdown list, select one from the following payment methods:
    • Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account.
      Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance.
    • Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account.
      Note: Ensure that a credit card is configured as the default payment method for your account.
    Additional Email Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
    Renewal Message Enter a custom message that will be sent with the renewal notifications.
    Notes Enter a custom note that will be sent with the order.
    *: Mandatory fields
    Table 33. Field descriptions for the Hydrant ID CA vendor specific details
    Field Description
    Expiry Emails Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID.
    Note: HydrantID CA does not accept updates to these email addresses during the renewal process.
    Table 34. Field descriptions for the Nexus CA vendor specific details
    Field Description
    Procedures The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.
  10. Click Add.
    Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
  11. On the holistic view, click the Submit button to trigger the request.
    The submit action is triggered and the Submit dialog box is displayed.
  12. Enter your comments in the text field and click Yes.
    If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
  13. Click Approve to proceed.
    The Approve dialog box is displayed.
  14. Enter your comments in the text field.
    Note: If the workflow request has to be approved automatically in the future, click the Schedule later button.
  15. Click Yes.
    Once the approval process is completed, the Implement option is displayed in the holistic view.
  16. Click Implement.
    The Implement dialog box is displayed.
  17. Enter your comments in the text field.
    If the workflow request has to be implemented automatically in the future, click Schedule later.
  18. Click Yes.
    CSR submission to the CA is in progress. Once the CSR submission is successful, the request state changes to Submit certificate - retrieval in progress.

    If the enrollment request complies with the conditions defined and auto-approval is enabled in the targeted CA, the certificate is fetched in a few seconds.

    If auto-approval is disabled in the targeted CA, you must log in to the CA and approve the request.

    Once the certificate is issued successfully, it is retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.
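The CSR Parameters table (Table 28) and the Renew Automatically and Regenerate Automatically settings (Table 25) above spell out the rules the enrollment form enforces. The following script is an added example, not AppViewX code, that applies those rules to a constructed request before it is submitted and computes the date on which auto-renewal would start, including the short-lived certificate case in which Days Before Expiry exceeds the certificate's validity. Two points are assumptions rather than statements on the page: dots are accepted in the Common Name as FQDN label separators, and the challenge password must contain both an uppercase and a lowercase letter. The function names and the sample request are the example's own.

```python
# Added example (not AppViewX code): pre-submission checks for the CSR
# Parameters and auto-renew settings described in the enrollment steps.
import ipaddress
import re
from datetime import date, timedelta

# Assumption: dots are accepted as FQDN label separators; the page itself
# lists only underscore and hyphen as permitted special characters.
CN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")
DNS_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # 2-letter country code, e.g. US
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")
VALIDITY_UNITS = ("Days", "Months", "Years")


def validate_common_name(cn: str) -> list:
    if CN_RE.fullmatch(cn):
        return []
    return ["Common Name: only letters, digits, underscore and hyphen are allowed"]


def is_dns_name(value: str) -> bool:
    """Hostname or wildcard name such as *.example.com."""
    labels = value.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(DNS_LABEL_RE.fullmatch(lbl) for lbl in labels)


def parse_sans(text: str) -> dict:
    """Split the comma-separated SAN field into DNS and IP Address entries."""
    sans = {"DNS": [], "IP Address": []}
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
        except ValueError:
            if not is_dns_name(item):
                raise ValueError(f"{item!r} is neither a DNS name nor an IP address") from None
            sans["DNS"].append(item)
        else:
            sans["IP Address"].append(item)
    return sans


def validate_challenge_password(pw: str) -> list:
    # Assumption: "one alphabet (uppercase and lowercase)" is read as requiring
    # at least one uppercase AND one lowercase letter.
    checks = [
        (any(c.isupper() for c in pw), "an uppercase letter"),
        (any(c.islower() for c in pw), "a lowercase letter"),
        (any(c.isdigit() for c in pw), "a number"),
        (SPECIAL_RE.search(pw) is not None, "a special character"),
    ]
    missing = [what for ok, what in checks if not ok]
    return [f"Challenge Password: missing {', '.join(missing)}"] if missing else []


def validate_hash_function(ca: str, hash_function: str) -> list:
    """HydrantID returns SHA256 whatever was requested, so reject anything else."""
    if ca == "HydrantID" and hash_function.upper() != "SHA256":
        return ["Hash Function: HydrantID issues SHA256 only"]
    return []


def renewal_start(not_before: str, not_after: str, days_before_expiry: int) -> str:
    """ISO date on which auto-renew/regenerate is due. For a short-lived certificate
    the lead time can exceed the validity; the job is then due on the issue date."""
    nb, na = date.fromisoformat(not_before), date.fromisoformat(not_after)
    return max(na - timedelta(days=days_before_expiry), nb).isoformat()


def validate_enrollment(p: dict) -> list:
    """Collect every rule violation; an empty list means the request is clean."""
    errors = validate_common_name(p["common_name"])
    if not COUNTRY_RE.fullmatch(p["country"]):
        errors.append("Country: must be a 2-letter code such as US")
    try:
        parse_sans(p.get("san", ""))
    except ValueError as exc:
        errors.append(f"Subject Alternative Name: {exc}")
    if p.get("challenge_password"):
        errors += validate_challenge_password(p["challenge_password"])
        if p.get("confirm_password") != p["challenge_password"]:
            errors.append("Confirm Password: does not match Challenge Password")
    if p["validity_unit"] not in VALIDITY_UNITS or p["validity"] < 1:
        errors.append("Validity: enter a positive number of Days, Months or Years")
    errors += validate_hash_function(p["ca"], p["hash_function"])
    if p.get("renew_automatically") and not 1 <= p["days_before_expiry"] <= 120:
        errors.append("Days Before Expiry: valid range is 1 to 120")
    return errors


# Constructed sample request; no real system or organisation behind it.
SAMPLE_REQUEST = {
    "ca": "HydrantID", "common_name": "app01.example.com", "country": "US",
    "san": "www.example.com, *.example.com, 10.0.0.5",
    "challenge_password": "Tls-Renew2024", "confirm_password": "Tls-Renew2024",
    "validity": 1, "validity_unit": "Years", "hash_function": "SHA256",
    "renew_automatically": True, "days_before_expiry": 30,
}
```

Running `validate_enrollment(SAMPLE_REQUEST)` returns an empty list; changing the country to `USA` or the hash function to `SHA1` for HydrantID produces one error line per violated rule, which is the feedback you would otherwise only get after the form is saved. `renewal_start("2024-01-01", "2024-01-08", 30)` returns the issue date itself, illustrating the note that Days Before Expiry may exceed the validity of a short-lived certificate.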

Pushing Certificates to a F5 Device

Important: Refer to the pre- and post-push script usage instructions here.

Adding an Application Connector for a F5 Device

  1. Enter the General Information for the ADC devices.
    Table 35. Field descriptions for the Certificate Details
    Field Description
    *Category From the dropdown list, select ADC.
    *Vendor From the dropdown list, select F5.
    *Connector Name Enter a name for this connector, to be able to identify it later.

    AppViewX recommends naming connectors according to use cases so they are easily distinguishable.

    Description Enter any additional details you want to record for this connector.
    Based on the information populated here, the SSL profiles section is populated with the list of available devices for the specified vendor that are already onboarded in AppViewX.
    Note: The name of this section is populated based on the Vendor selected.
  2. To select the device(s) to which the certificate will be pushed, under SSL profiles, from the list of Available Devices, click .
    The Selected devices list is updated automatically.
  3. Enter/Select the Certificate Details.
    Table 36. Field descriptions for the Certificate Details
    Field Description
    *Certificate Type From the dropdown list, select the file type of the certificate to be pushed.
    *Certificate File Name Enter the file name of the certificate to be pushed. The file extension is auto-populated based on the Certificate Type selected.
    *Key File Name The private key associated with a certificate is stored in a key file. Enter the name of the file that contains the private key associated with the certificate to be pushed. The file extension .key is automatically populated.
    Push Root and Intermediate Certificates To push the root and intermediate certificates along with the end certificate, select this checkbox. For the Web Dispatcher server, this field is enabled by default and is non-editable.
    *Chain File or Bundle Name
    Note: This field is displayed only when Push Root and Intermediate Certificates is enabled.
    When pushing certificates to F5 devices, particularly for SSL/TLS configurations, a chain file or bundle is a single file that includes the entire certificate chain. Enter the chain file name in this field.
  4. Enter/Select the Push Details.
    Table 37. Field descriptions for the Push Details
    Field Description
    *Script Location

    Script files are commonly used to perform certain tasks required to be completed before and/or after a certificate is pushed to the target system.

    The script to be run before the certificate is pushed is called a pre-push script and the script to be run after the push is called a post-push script.

    From the following options, select the location of the script file(s):

    • In AppViewX

    • In Device

    Pre - Push Script File Name

    Enter the file name of the pre-push script.

    Pre - Push Script File Path

    This field is displayed when Script Location = In Device.

    Enter the location on your local system where th pre-push script file is stored.

    Post - Push Script File Name

    Enter the file name of the post push script.

    Post - Push Script File Path

    This field is displayed when Script Location = In Device.

    Enter the location on your local system where the post-push script file is stored.

    Overwrite

    The Overwrite option is used to specify if existing certificates on the target system will be overwritten with the certificate being pushed.

    If this option is enabled, the certificate being pushed will overwrite any existing certificates with the same identifier on the target system. This will also ensure that only the latest version of the certificate is available on the target system.

    If it is disabled, the push operation will fail in the event of conflicts with the certificates on the target system.

    Push Automatically

    To automatically push the certificate to the target system after it is renewed/reissued, enable this checkbox.

    Note: The auto push feature for a certificate works only if it is enabled for the certificate application connector as well as for the associated certificate group. To enable this feature at the certificate group level, refer to the instructions here.

    Secure Push

    The Secure Push option ensures that the certificate is pushed to the target system securely, protected from any unauthorized access.
  5. Click Save.
    The connector is displayed on the certificate holistic view.

Pushing a Server Certificate

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Server.
    The Server Certificate page is displayed.
  2. To push a certificate, under Common Name, double click the required certificate.
    The certificate topology view is displayed.
  3. Click Push to Device. This option is shown only if an app connector is already added to the certificate; otherwise, add the app connector first and then proceed.
    Note: The Push to Device option is displayed only after an app connector is added to the certificate.
    The Confirmation dialog box is displayed.
  4. Enter your comments, if required, in the text field.
  5. Click OK.
    • The approval process is triggered. The current flow is based on the default policy of two-level approvals.
    • A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
  6. To approve the push request, from the certificate topology view, click Approve.
  7. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The work order status displayed beside the connector updates to Push-Review In Progress.
  8. To implement the push request, from the certificate topology view, click Implement.
  9. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The push action is triggered. After the push action is completed, the status updates to Completed.
    Note:
    • Every time a certificate is pushed to a shared location in Palo Alto Firewall / Panorama, the user currently needs to log into the device and manually commit the changes. Moving forward, pushing a certificate to the shared location will automatically trigger the commit process. The push operation will only be marked as successful in AppViewX after the commit process successfully completes on the device.
    • To refresh the certificate topology view, from the top-right corner of the screen, click Refresh.

Pushing a Client Certificate

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Client.
    The Client Certificate page is displayed.
  2. To push a certificate, under Common Name, double click the required certificate.
    The certificate topology view is displayed.
  3. Click Push to Device. This option is shown only if an app connector is already added to the certificate; otherwise, add the app connector first and then proceed.
    Note: The Push to Device option is displayed only after an app connector is added to the certificate.
    The Confirmation dialog box is displayed.
  4. Enter your comments, if required, in the text field.
  5. Click OK.
    • The approval process is triggered. The current flow is based on the default policy of two-level approvals.
    • A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
  6. To approve the push request, from the certificate topology view, click Approve.
  7. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The work order status displayed beside the connector updates to Push-Review In Progress.
  8. To implement the push request, from the certificate topology view, click Implement.
  9. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The push action is triggered. After the push action is completed, the status updates to Completed.
    Note:
    • Every time a certificate is pushed to a shared location in Panorama, the user currently needs to log into the device and manually commit the changes. Moving forward, pushing a certificate to the shared location will automatically trigger the commit process. The push operation will only be marked as successful in AppViewX after the commit process successfully completes on the device.
    • To refresh the certificate topology view, from the top-right corner of the screen, click Refresh.

Enabling Auto Regeneration of Certificates

Enabling Auto Regeneration for a Certificate Group

You can enable and configure the auto regeneration feature at the certificate group level, which will apply to all certificates assigned to that group.

For details and instructions to enable auto regeneration at the certificate group level, click here.

Enabling Auto Regeneration at the Certificate Level

Enabling Auto Regenerate for Certificate Enrollment

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.

For details and instructions to enable auto regeneration at the time of server certificate enrollment, click here.

Enabling Auto Regenerate for Discovered Certificates

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.
  1. Go to Menu > CERT+ > Certificate Inventory > Server.
    The Server Certificate inventory is displayed.
  2. From the inventory, for the certificate for which you want to enable auto regeneration, click the common name.
    The holistic view of the selected certificate is displayed.
  3. For an existing CA connector for the certificate, hover over the (More) icon.
  4. From the menu displayed, click Edit.
    The certificate details are displayed.
  5. Under CA Details, turn on the Regenerate Automatically toggle.
  6. In the Start Regenerating field, enter the number of days before expiration when the certificate should be regenerated.
  7. Click Update.
    The holistic view of the selected certificate is displayed.
    Note: For the auto regenerate process to take effect, set the auto push in the application connector. Refer to the Enabling Auto Push section.

Enabling Auto Push of Certificates to Endpoints

After setting the auto renew/regenerate in the CA connector, you must now enable the auto push in the application connector to ensure the renewed/regenerated certificates are pushed to the end device.

To enable auto push of certificates, you need to enable the corresponding option for the group to which the certificate in question belongs, as well as the connector created for that certificate.

  1. To enable auto push for the certificate group:
    1. Go to Menu > CERT+ > Groups & Policies > Groups.
      The Group page is displayed.
    2. From the Name field, select the required certificate group.
      The Group : Modify : <group name> page is displayed.
    3. From the Other Details section of this certificate group, turn on the Push Certificate Automatically toggle button.
    4. Click Update.
  2. To enable auto push for the certificate connector:
    1. From the holistic view, for an existing application connector for the certificate, hover over (More) icon.
      To add an application connector, follow the instructions given here.
    2. From the menu displayed, click Edit.
      The Edit Application Connector pop-up is displayed.
    3. Select the Push automatically checkbox.
    4. Click Save.
      The holistic view of the selected certificate is displayed.
      Note: An Auto Renew Certificates job is scheduled to run every 6 hours. It auto renews the configured certificates based on the number of days before expiry. AppViewX will disable the push automatically option in the Parent certificate application connector and enable it in the renewed certificate application connector.
      Note: An Auto Regenerate Certificates job is scheduled every day. It auto regenerates the configured certificates based on the number of days before expiry.

Enabling Auto Renewal of Certificates

To enable auto renewal of certificates, you need to enable the corresponding option for the group to which the certificate in question belongs, as well as the connector created for pushing that certificate.
Note: While you can enable auto push for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto push for a server certificate.
  1. To enable auto renewal for the certificate group:
    1. Go to Menu > CERT+ > Groups & Policies > Groups.
      The Group page is displayed.
    2. From the Name field, select the required certificate group.
      The Group : Modify : <group name> page is displayed.
    3. From the Other Details section of this certificate group, turn on the Renew Automatically toggle button.
    4. Click Update.
  2. To enable auto renewal for the certificate connector:
    1. Go to Menu > CERT+ > Certificate Inventory > Server.
      The Server Certificate inventory is displayed.
    2. From the inventory, for the certificate you want to enable auto renew for, click the common name.
      The holistic view of the selected certificate is displayed.
    3. For an existing CA connector for the certificate, hover over the (More) icon.
    4. From the menu displayed, click Edit.
      The certificate details are displayed.
    5. Under CA Details, turn on the Renew Automatically toggle.
    6. In the Start Renewing field, enter the number of days before expiration when the certificate should be renewed.
    7. Click Update.
      The holistic view of the selected certificate is displayed.
      Note: For the auto renewal process to take effect, set the auto push in the application connector. For instructions, refer to the Enabling Auto Push section.

Troubleshooting F5 WAF

This section helps you troubleshoot common problems that you might encounter when using the F5 WAF functionalities. It covers F5 WAF certificate config fetch, discovery, CSR creation, backup, push, bind, rollback, and other actions associated with F5 WAF. Each entry lists the error message, its possible cause, and a possible solution.

Issues in Fetch Config

Error message: Authentication failed for the device
Possible cause: Invalid credentials specified for the device.
Possible solution: Provide valid credentials for the device.

Error message: Failed to fetch partitions from the device
Possible cause: Partition fetch failed.
Possible solution:
  1. Check the device partitions.
  2. Check the associated error message.

Error message: SSH connection failed
Possible cause: Unable to establish the SSH connection.
Possible solution: Ensure that the device can be reached via SSH from AppViewX.

Issues in Discovery

Error message: Please provide information as required
Possible cause: Discovery name is not given or is shorter than 2 characters.
Possible solution: Enter a valid name with a minimum of 2 characters.

Error message: Please provide information as required
Possible cause: The interval between batches is missing when the execution type is sequential.
Possible solution: Provide a time interval between batches in minutes.

Error message: Please select a device
Possible cause: No device is selected in the Discover By section.
Possible solution: Select at least one device to discover certificates from.

Error message: Authentication failed for the device
Possible cause: Invalid credentials specified for the device.
Possible solution: Provide valid credentials for the device.

Error message: Failed to fetch partitions from the device
Possible cause: Partition fetch failed.
Possible solution:
  1. Check the device partitions.
  2. Check the associated error message.

Error message: SSH connection failed
Possible cause: Unable to establish the SSH connection.
Possible solution: Ensure that the device can be reached via SSH from AppViewX.

Issues in CSR Generation

Error message: Authentication failed for the device
Possible cause: Invalid credentials specified for the device.
Possible solution: Provide valid credentials for the device.

Error message: SSH connection failed
Possible cause: Unable to establish the SSH connection.
Possible solution: Ensure that the device can be reached via SSH from AppViewX.

Error message: CSR Generation using HSM on this device version is not supported.
Possible cause: Version not supported.
Possible solution: Use a device running a supported version to create the CSR using HSM. Supported versions are v13 and v12.

Error message: any of the following:
  1) CSR content unavailable in device
  2) Requested CSR is not available in device
  3) Csr could not be fetched
Possible cause: CSR content is unavailable on the device; CSR creation has failed for some reason.
Possible solution: Check the logs to reproduce the failure.

Error message: CSR already exists in this scope with the same Key reference name
Possible cause: The name is already used on the device.
Possible solution: Use a different name.

Error message: Csr generation is device failed
Possible cause: CSR generation has failed.
Possible solution: Refer to the associated error message.

Error message: Thales HSM is not installed in the device. Please install and try again.
Possible cause: Thales HSM is not installed on the device.
Possible solution: Install Thales HSM and try again.

Error message: Invalid module. Please specify the valid module and try again.
Possible cause: Invalid module specified.
Possible solution: Specify a valid module and try again.

Error message: The CSR <name> was not found in the device.
Possible cause: CSR content is not available under the name specified.
Possible solution: Check the name in the CA connector.

Error message: NetHSM private key is not available/installed in device
Possible cause: The NetHSM private key is not available/installed on the device.
Possible solution: Install the NetHSM private key on the device.

Issues in F5 WAF Backup, Push, Bind, and Rollback

Error message: Unable to initiate request.
Possible cause: Pushing to the device when the certificate is unavailable, i.e., in a new state.
Possible solution: Push to the device after the certificate has been retrieved from the CA.

Error message: Unable to initiate request.
Possible cause: The previous work order is in progress and not completed.
Possible solution: Initiate the push after the previous work order is finished.

Error message: Unable to initiate request.
Possible cause: The AppConnector might not be in sync.
Possible solution: Synchronize the AppConnector and retry.

Error message: Unable to initiate request, template is in disabled state
Possible cause: The given workflow is not in the enabled state.
Possible solution: Enable the push/rollback workflow from the Workflow section.

Error message: User is not authorized
Possible cause: The user does not have the required permissions to push to the device.
Possible solution: Retry after obtaining access for the required action.

Error message: Application connector(s) not found
Possible cause: Application connector information was not found.
Possible solution: Provide the correct connectorId if not pushing through the AppViewX UI.

Error message: Request associated with the application connector is in progress
Possible cause: The previous work order is in progress and not completed.
Possible solution: Initiate this request after the previous work order is finished.

Error message: Push not triggered or succeeded or No existing data available for backup process.
Possible cause: Rollback could not proceed because the push was not successful.
Possible solution: Only successfully pushed certificates can be rolled back.

Error message: Certificate not found.
Possible cause: Pushing to the device when the certificate is unavailable, i.e., in a new state.
Possible solution: Push to the device after the certificate has been retrieved from the CA.

Error message: Authentication failed for the device
Possible cause: Invalid credentials specified for the device.
Possible solution: Provide valid credentials for the device.

Error message: SSH connection failed
Possible cause: Unable to establish the SSH connection.
Possible solution: Ensure that the device can be reached via SSH from AppViewX.

Error message: Invalid profile type
Possible cause: The specified profile type is not supported.
Possible solution: Use client-SSL or server-SSL.

Error message: Certificate fetch failed
Possible cause: Certificate fetch failed.
Possible solution: Check the associated error message to learn more about the problem.

Error message: Certificate already exists
Possible cause: A certificate with the same name is already available on the device.
Possible solution: Either change the name or enable Overwrite in the application connector.

Error message: Key already exists
Possible cause: A key with the same name is already available on the device.
Possible solution: Either change the name of the key or enable Overwrite in the application connector.

Error message: Certificate is expired
Possible cause: The certificate has expired.
Possible solution: Push a certificate that is currently valid.

Error message: Unknown certificate algorithm
Possible cause: Unknown certificate algorithm.
Possible solution: Push only certificates with RSA or EC keys.

Error message: certificate is not yet valid
Possible cause: The certificate's valid-from value is later than the current time.
Possible solution: Only currently valid certificates can be pushed.
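As an added example (not part of the AppViewX documentation or product), the following Python pre-flight check applies the conditions from the table above (expired or not-yet-valid certificate, key algorithm other than RSA/EC, profile type other than client-SSL/server-SSL, and a name collision while Overwrite is disabled) to a certificate before a push request is raised, so the failure is caught before a work order is created. It uses the cryptography library; the function names and the self-signed certificate it builds are constructed for this example.

```python
"""Pre-flight checks mirroring the F5 push failure conditions listed above.

Added example, not AppViewX or F5 code. Requires the `cryptography` library;
the certificate used below is constructed inline for the demonstration.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Profile types accepted by push/bind (see "Invalid profile type" above).
VALID_PROFILE_TYPES = {"client-ssl", "server-ssl"}


def _validity_utc(cert):
    """Return (not_before, not_after) as aware UTC datetimes on any cryptography version."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def preflight_push_checks(cert_pem, cert_name, profile_type, existing_names, overwrite, now=None):
    """Return the 'Possible cause' conditions from the table that would fail this push.

    An empty list means none of the listed conditions applies to the request.
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    cert = x509.load_pem_x509_certificate(cert_pem)
    not_before, not_after = _validity_utc(cert)
    problems = []
    if not_after < now:                           # "Certificate is expired"
        problems.append("Certificate is expired")
    if not_before > now:                          # "certificate is not yet valid"
        problems.append("certificate is not yet valid")
    # "Unknown certificate algorithm": only RSA or EC keys can be pushed.
    if not isinstance(cert.public_key(), (rsa.RSAPublicKey, ec.EllipticCurvePublicKey)):
        problems.append("Unknown certificate algorithm")
    if profile_type not in VALID_PROFILE_TYPES:   # "Invalid profile type"
        problems.append("Invalid profile type")
    # "Certificate already exists" unless Overwrite is enabled on the connector.
    if cert_name in existing_names and not overwrite:
        problems.append("Certificate already exists")
    return problems


def make_test_cert(start_offset_days, days_valid, key_type="rsa"):
    """Constructed self-signed certificate for the demo (sample data, not a real F5 cert)."""
    key = (ec.generate_private_key(ec.SECP256R1()) if key_type == "ec"
           else rsa.generate_private_key(public_exponent=65537, key_size=2048))
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    start = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=start_offset_days)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=days_valid))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Same name already on the device and Overwrite disabled: the push would fail.
    pem = make_test_cert(-1, 90)
    print(preflight_push_checks(pem, "www.example.test.crt", "client-ssl",
                                {"www.example.test.crt"}, overwrite=False))
```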