Lee Fine committed Dec 18, 2024
1 parent 8ee2514, commit 7199d0d
Showing 1 changed file with 11 additions and 41 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,49 +1,19 @@ | ||
## Overview | ||
|
||
The F5 Orchestrator supports three different types of certificates stores with the capabilities for each below: | ||
The Fortigate Orchestrator Extension supports the following use cases: | ||
1. Inventory of local user and factory cerificates | ||
2. Ability to add new local certificates | ||
3. Ability to renew **unbound** local user certificates | ||
4. Ability to delete **unbound** local user certificates | ||
|
||
- CA Bundles | ||
- Discovery | ||
- Inventory* | ||
- Management (Add and Remove) | ||
- Web Server Device Certificates | ||
- Inventory* | ||
- Management (Add, but replacement/renewal of existing certificate only) | ||
- SSL Certificates | ||
- Discovery | ||
- Inventory* | ||
- Management (Add and Remove) | ||
|
||
*Special note on private keys: One of the pieces of information that Keyfactor collects during an Inventory job is whether or not the certificate stored in F5 has a private key. The private key is NEVER actually retrieved by Keyfactor, but Keyfactor does track whether one exists. F5 does not provide an API to determine this, so by convention, all CA Bundle certificates are deemed to not have private keys, while Web Server and SSL certificates are deemed to have them. Any Management jobs adding (new or renewal) a certificate will renew without the private key for CA Bundle stores and with the private key for Web Server or SSL stores. | ||
The Fortigate Orchestrator Extension DOES NOT support the following use cases: | ||
1. The renewal or removal of certificates enrolled through the internal Fortigate CA | ||
2. The renewal or removal of factory certificates | ||
3. The renewal or removal of ANY certificate bound to a Fortigate object | ||
4. Certificate enrollment using the internal Fortigate CA (Keyfactor's "reenrollment" or "on device key generation" use case) | ||
|
||
|
||
## Requirements | ||
|
||
An administrator account must be set up in F5 to be used with this orchestrator extension. This F5 user id is what must be used as credentials when setting up a Keyfactor Command certificate store pointing to the F5 device intending to be managed. | ||
|
||
|
||
## Discovery | ||
|
||
For SSL Certificate (F5-SL-REST) and CA Bundle (F5-CA-REST) store types, discovery jobs can be scheduled to find F5 partitions that can be configured as Keyfactor Command certificate stores. | ||
|
||
First, in Keyfactor Command navigate to Certificate Locations =\> Certificate Stores. Select the Discover tab and then the Schedule button. Complete the dialog and click Done to schedule. | ||
![](images/image14.png) | ||
|
||
- **Category** - Required. The F5 store type you wish to find stores for. | ||
|
||
- **Orchestrator** - Select the orchestrator you wish to use to manage this store | ||
|
||
- **Client Machine & Credentials** - Required. The server name or IP Address and login credentials for the F5 device. The credentials for server login can be any of: | ||
|
||
- UserId/Password | ||
- PAM provider information to pass the UserId/Password or UserId/SSH private key credentials | ||
|
||
When entering the credentials, UseSSL ***must*** be selected. | ||
|
||
- **When** - Required. The date and time when you would like this to execute. | ||
|
||
- **Directories to search** - Required but not used. This field is not used in the search to Discover certificate stores, but ***is*** a required field in this dialog, so just enter any value. It will not be used. | ||
|
||
- **Directories to ignore/Extensions/File name patterns to match/Follow SymLinks/Include PKCS12 Files** - Not used. Leave blank. | ||
The Fortigate Orchestrator Extension requires an API token be created in the Fortigate environment being managed. Please review the following [instructions](https://docs.fortinet.com/document/forticonverter/7.0.1/online-help/866905/connect-fortigate-device-via-api-token) for creating an API token to be used in this integration. | ||
|
||
Once the Discovery job has completed, a list of F5 certificate store locations should show in the Certificate Stores Discovery tab in Keyfactor Command. Right click on a store and select Approve to bring up a dialog that will ask for the remaining necessary certificate store parameters described in Step 2a. Complete those and click Save, and the Certificate Store should now show up in the list of stores in the Certificate Stores tab. |
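Review bot: The added Requirements line ("The Fortigate Orchestrator Extension requires an API token be created...") states that a token is needed but not where the token is entered in Keyfactor Command (the certificate store's server credentials field, a PAM provider, or something else) or what the API user behind the token needs to be allowed to do for the inventory, add, renew and delete use cases listed in the new Overview; the removed F5 text did cover the credential options ("UserId/Password" and "PAM provider information"), so this hunk leaves the new document with less credential guidance than the old one. Suggest adding a sentence naming the Keyfactor Command field that receives the token and noting that the token should be scoped to the minimum FortiGate access needed for those four operations. Two smaller points in the same hunk: the added use case "1. Inventory of local user and factory cerificates" misspells "certificates", and the instructions link points at a FortiConverter help page (the URL path contains "forticonverter"), so confirm it is the intended reference for creating a FortiGate REST API token rather than a FortiConverter connection.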