Interesting discussion, @Tom Porterfield and @Vince Baker. We have not had a request for ACME support until now, but I can see how it would be useful and it's something that we'll continue to monitor, especially now that you've submitted the idea.
In the meantime, as part of our cloud deployment initiative, we've had some recent focus on external secret/key/cert management using different approaches, from a scheduled, policy-driven approach that can use the native APIs of various external solutions (across gateway form factors) to a Layer7 Operator approach that can use other components of the Kubernetes ecosystem, including the External Secrets Operator and Kubernetes secrets. I've seen examples where people have implemented ACME between their certificate authority and external key vault. In that case, these external secret/key/cert management solutions we're exploring would benefit from ACME via the external key vault too.
------------------------------
Ben Urbanski
Product Manager, API Gateway
Layer7 API Management
------------------------------
Original Message:
Sent: Jul 10, 2023 11:27 AM
From: Tom Porterfield
Subject: Automatic Certificate Management Environment
Yes. We are seeing other vendors get on board with ACME so are hoping that Broadcom will do the same with Layer7. Will help centralize and simplify certificate management.
Original Message:
Sent: Jul 10, 2023 11:15 AM
From: Vince Baker
Subject: Automatic Certificate Management Environment
Hi,
If you mean using ACME to provision certificates from Let's Encrypt, for example, then we do have this on our APIIDA API Gateway Manager roadmap. Whether it gets bumped up the queue will depend on how many people need this feature.
Regards
Vince
------------------------------
Principal Architect
Apiida AG
https://www.apiida.com
Original Message:
Sent: Jul 10, 2023 07:59 AM
From: Tom Porterfield
Subject: Automatic Certificate Management Environment
Thanks for the response but not really looking for a paid alternative solution. I also don't see anything in your documentation that mentions support for ACME, which was my question. I'll submit this as an idea to Broadcom for proper ACME support.
Original Message:
Sent: Jul 06, 2023 04:41 AM
From: Vince Baker
Subject: Automatic Certificate Management Environment
Hi Tom,
The Gateway as it stands doesn't have this functionality. However, our API Gateway Manager now supports certificate management and can address many of the certificate renewal issues our customers encounter. The product can also integrate with Venafi if that is an option.
The APIIDA API Gateway Manager fills in the gaps which are missing in the "out of the box" Layer7 Gateway, such as Git integration, UI and pipeline migration/mapping (using restman and now Graphman), monitoring, alerting, policy as code, templated policy creation, diagnostics and, as mentioned, cert management.
https://apiida.com/product/apiida-api-gateway-manager/
Feel free to contact me for more info :-)
Regards
Vince
------------------------------
Principal Architect
Apiida AG
https://www.apiida.com
Original Message:
Sent: Jul 05, 2023 11:44 AM
From: Tom Porterfield
Subject: Automatic Certificate Management Environment
Does the Layer7 gateway support Automatic Certificate Management Environment as described in https://datatracker.ietf.org/doc/html/rfc8555 ? With the change coming to decrease certificate period to 90 days, an automated way to rotate SSL certificates on the gateway will be needed.