Add certificates using the Azure CLI
You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your F5 NGINXaaS for Azure (NGINXaaS) configuration.
NGINXaaS natively integrates with Azure Key Vault (AKV), so you can bring your own certificates and manage them in a centralized location. You will need:
- AKV to store certificates that you want to add to the deployment.
- A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your Managed Identity (MI) has read access to secrets stored in AKV:
  - If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.
  - If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.
- In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:
  - If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.
  - If using Access Policies for AKV, ensure that you have LIST certificates or higher permissions.
  - If public access is disabled on your key vault, configure Network Security Perimeter and add an inbound access rule to allow your client IP address.
If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.
Create a certificate under a deployment. This references an existing certificate in an Azure Key Vault and makes it available to the NGINX configuration.
To create a certificate, use the `az nginx deployment certificate create` command:

```shell
az nginx deployment certificate create --certificate-name
                                       --deployment-name
                                       --resource-group
                                       [--certificate-path]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
```

- Create a certificate with a certificate path, key path, and key vault secret ID:

  ```shell
  az nginx deployment certificate create --certificate-name myCertificate \
     --deployment-name myDeployment --resource-group myResourceGroup \
     --certificate-path /etc/nginx/test.cert --key-path /etc/nginx/test.key \
     --key-vault-secret-id keyVaultSecretId
  ```

See Azure CLI Certificate Create Documentation for more details on the available parameters.
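
The prerequisites and the create command above, combined into a pre-flight script; this is an added example, not part of the NGINXaaS documentation. It assumes Azure RBAC on the vault (not access policies), that the operator can read the certificate in the vault, and that Key Vault Secrets Officer and Key Vault Administrator count as the "higher" roles; the function names, the `/etc/nginx/<name>` paths and the principal ID argument are illustrative.

```shell
#!/bin/sh
# Added example (not from the NGINXaaS docs): pre-flight checks before
# referencing an AKV certificate. Assumes Azure RBAC on the vault.

# True only for a Key Vault *secret* identifier
# (https://<vault-host>/secrets/<name>[/<version>]); certificate
# (/certificates/) and key (/keys/) identifiers are rejected.
is_secret_id() {
  case "$1" in https://?*/?*) ;; *) return 1 ;; esac
  case "${1#https://*/}" in secrets/?*) return 0 ;; *) return 1 ;; esac
}

# True if the identity holds a built-in role that can read secret values.
# $1 = managed identity principal (object) ID, $2 = key vault resource ID
mi_can_read_secrets() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
      --query "[].roleDefinitionName" -o tsv |
    grep -Eqx 'Key Vault Secrets User|Key Vault Secrets Officer|Key Vault Administrator'
}

# $1 deployment, $2 resource group, $3 certificate name, $4 vault name,
# $5 MI principal ID. Returns 2 for a wrong identifier type, 3 for a missing role.
add_certificate() {
  _sid=$(az keyvault certificate show --vault-name "$4" --name "$3" \
           --query sid -o tsv) || return 1
  _vault=$(az keyvault show --name "$4" --query id -o tsv) || return 1
  is_secret_id "$_sid" || { echo "not a secret identifier: $_sid" >&2; return 2; }
  mi_can_read_secrets "$5" "$_vault" ||
    { echo "identity $5 cannot read secrets in $4" >&2; return 3; }
  az nginx deployment certificate create --certificate-name "$3" \
    --deployment-name "$1" --resource-group "$2" \
    --certificate-path "/etc/nginx/$3.cert" --key-path "/etc/nginx/$3.key" \
    --key-vault-secret-id "$_sid"
}

# Example call (placeholder values):
#   add_certificate myDeployment myResourceGroup myCertificate myVault <mi-principal-id>
```

Failing before the create call means a missing role assignment or a certificate/key identifier passed in place of the secret identifier is reported at the command line, naming which check failed.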
To update a certificate, use the `az nginx deployment certificate update` command:

```shell
az nginx deployment certificate update [--add]
                                       [--certificate-name]
                                       [--certificate-path]
                                       [--deployment-name]
                                       [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--ids]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--remove]
                                       [--resource-group]
                                       [--set]
                                       [--subscription]
```

- Update the certificate virtual path, key virtual path and certificate:

  ```shell
  az nginx deployment certificate update --certificate-name myCertificate \
     --deployment-name myDeployment --resource-group myResourceGroup \
     --certificate-path /etc/nginx/testupdated.cert \
     --key-path /etc/nginx/testupdated.key \
     --key-vault-secret-id newKeyVaultSecretId
  ```

See Azure CLI Certificate Create Documentation for more details on the available parameters.
To delete a certificate, use the `az nginx deployment certificate delete` command:

```shell
az nginx deployment certificate delete [--certificate-name]
                                       [--deployment-name]
                                       [--ids]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--resource-group]
                                       [--subscription]
                                       [--yes]
```

- Delete a certificate:

  ```shell
  az nginx deployment certificate delete --certificate-name myCertificate \
     --deployment-name myDeployment --resource-group myResourceGroup
  ```

See Azure CLI Certificate Delete Documentation for more details on the available parameters.