
Automated SSL certificate renewal for F5 BIG-IP

F5 BIG-IP won't update a renewed certificate on its own. CertKit will.

A BIG-IP binds a named certificate and key to a Client SSL profile, and your virtual servers reference that profile. When a certificate renews, nothing changes on the device until someone uploads the new certificate, creates the SSL objects, repoints the profile's certificate chain, and saves the running configuration. Every 47 days. On every BIG-IP you manage.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your BIG-IP devices automatically via the CertKit Agent and the iControl REST API, repoints the Client SSL profile, and saves the config.


Built for F5 BIG-IP

A pre-built Client SSL profile template ships in your CertKit account. No scripting required.

CertKit renews your BIG-IP certificate for you. On every renewal it uploads the new certificate and key, creates fresh SSL objects, repoints the Client SSL profile to them, saves the configuration, and removes the old objects. No TMUI clicks, no manual import, no maintenance window to schedule.

A pre-built Client SSL profile template ships with your CertKit account. Point CertKit at your BIG-IP once and it handles every renewal after that. If you want to see or adjust exactly what runs, the full deployment script is right there in your account.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │iControl│     │                ┌───┐  └─────────────┘
│     │    │ REST   │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ F5 BIG-IP    │  │                 │
│ │ [x] Uploaded │  │ ◄───────────────┘
│ │ [x] Saved    │  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.

The deploy agent is a small service you run on a server inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then connects to the BIG-IP over the iControl REST API on your management network to upload the certificate and key, repoint the Client SSL profile, and save. The BIG-IP never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every BIG-IP and other appliance on that network, so there's nothing to install on the load balancers themselves.

Using CertKit to manage our public-facing SSL certificates has been an excellent decision. The platform is user-friendly, certificates are easy to deploy, and the automation agent streamlines the entire certificate lifecycle, eliminating concerns around shortening certificate validity periods.

Chris Austin, IT Engineer, Buckman

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Create a BIG-IP management account. A scoped administrator account that can upload SSL files, edit Client SSL profiles, and save the configuration over iControl REST.
  3. Install the CertKit Agent. One command on any Windows or Linux host with HTTPS reachability to the BIG-IP management interface. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the F5 deployment script. The pre-built Client SSL profile template is in your account. Set your BIG-IP hostname, partition, profile name, and credentials. CertKit runs it on every renewal.


Why not import certificates manually?

The standard BIG-IP renewal workflow is a TMUI sequence: import the certificate and key under System → Certificate Management, edit the Client SSL profile to select the new chain, then save and sync. That works once. Run it manually across a fleet of BIG-IPs and the virtual servers behind them every 47 days and it becomes a source of outages, missed bindings, and expired services discovered when a customer can't reach an application.

The iControl REST flow itself has sharp edges: chunked file uploads with byte ranges, separate ssl-cert and ssl-key object creation, the in-use lock that blocks overwriting a bound certificate, partition-qualified object names, and a config save that has to land before an HA peer syncs. We built and tested the deployment so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the upload, the profile repoint, the save, and the cleanup as one verified step, with no ACME client on the load balancer.
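The order of operations in that flow, as an added example (this is not CertKit's deployment script). It only builds the request plan and sends nothing; the endpoint paths and body fields follow F5's iControl REST conventions and should be checked against your TMOS version, and the partition, profile and object names are constructed placeholders.

```python
"""Offline planner for a BIG-IP certificate rotation over iControl REST.
Builds the ordered requests only; sending them (auth, TLS verification) is left out."""

DOWNLOADS = "/var/config/rest/downloads"  # where file-transfer uploads land on the device


def content_ranges(total, chunk=512 * 1024):
    """Content-Range values ("start-end/total", end inclusive) for a chunked upload."""
    if total <= 0 or chunk <= 0:
        raise ValueError("total and chunk must be positive")
    return [f"{s}-{min(s + chunk, total) - 1}/{total}" for s in range(0, total, chunk)]


def url_name(partition, name):
    """Partition-qualified name as used in URL paths: /Common/x -> ~Common~x."""
    return f"~{partition}~{name}"


def rotation_plan(partition, profile, old, new, cert_len, key_len, chunk=512 * 1024):
    """Ordered (method, path, headers, body) steps. `old`/`new` are object base names;
    a fresh name per renewal avoids overwriting a certificate that is still bound."""
    if old == new:
        raise ValueError("new objects need a fresh name: the bound certificate is locked")
    steps = []
    for ext, kind, size in ((".crt", "ssl-cert", cert_len), (".key", "ssl-key", key_len)):
        fname = new + ext
        for rng in content_ranges(size, chunk):
            steps.append(("POST", f"/mgmt/shared/file-transfer/uploads/{fname}",
                          {"Content-Range": rng, "Content-Type": "application/octet-stream"}, None))
        steps.append(("POST", f"/mgmt/tm/sys/file/{kind}", {},
                      {"name": fname, "partition": partition,
                       "sourcePath": f"file:{DOWNLOADS}/{fname}"}))
    full = f"/{partition}/{new}"
    # Assumes the uploaded PEM carries the intermediates, so it doubles as the chain.
    steps.append(("PATCH", f"/mgmt/tm/ltm/profile/client-ssl/{url_name(partition, profile)}", {},
                  {"certKeyChain": [{"name": "default", "cert": full + ".crt",
                                     "key": full + ".key", "chain": full + ".crt"}]}))
    steps.append(("POST", "/mgmt/tm/sys/config", {}, {"command": "save"}))
    for ext, kind in ((".crt", "ssl-cert"), (".key", "ssl-key")):  # cleanup only after the save
        steps.append(("DELETE", f"/mgmt/tm/sys/file/{kind}/{url_name(partition, old + ext)}", {}, None))
    return steps


if __name__ == "__main__":
    # Constructed values: partition, profile and object names are placeholders.
    for step in rotation_plan("Common", "clientssl_app", "app_2025a", "app_2025b", 5200, 1704):
        print(step[0], step[1], step[2] or "", step[3] or "")
```

The plan keeps the old objects until after the save, so a failed upload or repoint leaves the profile bound to a certificate that still exists.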

F5 is just one part of your network edge

Most networks have more than one place where TLS certificates live: load balancers, VPN concentrators, web servers, and firewalls from vendors like Palo Alto, Fortinet, and SonicWall. CertKit automates all of it from one account.


Start automating F5 BIG-IP certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
