# Automatically update security packages


> Enable automatic updates in F5 NGINX Instance Manager to keep F5 WAF for NGINX packages current.


## Upload the F5 WAF for NGINX certificate and key

To enable automatic downloads, F5 NGINX Instance Manager must authenticate with the NGINX repository. Upload the repository certificate and private key provided with your F5 WAF for NGINX subscription. After you upload these files, NGINX Instance Manager can securely download the latest attack signature, bot signature, and threat campaign packages.

Follow these steps to get and upload the certificate and key:

1. Log in to [MyF5](https://account.f5.com/myf5).
1. Go to **My Products and Plans > Subscriptions**.
1. Download these files from your F5 WAF for NGINX subscription:
   - `nginx-repo.crt` (certificate)
   - `nginx-repo.key` (private key)
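1. Create a JSON file (for example, `nginx-repo-certs.json`, the name used in the upload command in the next step) that contains both files. Replace each line break in the certificate and key with the two-character escape sequence `\n` so that each PEM value is a single, valid JSON string.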

   **Example request:**

   ```json
   {
     "name": "nginx-repo",
     "nginxResourceType": "NginxRepo",
     "certPEMDetails": {
       "caCerts": [],
       "password": "",
       "privateKey": "-----BEGIN PRIVATE KEY-----\n[content snipped]\n-----END PRIVATE KEY-----\n",
       "publicCert": "-----BEGIN CERTIFICATE-----\n[content snipped]\n-----END CERTIFICATE-----",
       "type": "PEM"
     }
   }
   ```

1. Upload the file to NGINX Instance Manager using the REST API:

   ```shell
   curl -X POST 'https://<NIM_FQDN>/api/platform/v1/certs' \
     --header "Authorization: Bearer <access token>" \
     --header "Content-Type: application/json" \
     -d @nginx-repo-certs.json
   ```

1. If successful, you’ll see a response similar to this:

   **Example response:**

   ```json
   {
     "certAssignmentDetails": [],
     "certMetadata": [
       {
         "authorityKeyIdentifier": "<fingerprint>",
         "commonName": "<subscription name>",
         "expired": false,
         "expiry": 59789838,
         "issuer": "C=US, ST=Washington, L=Seattle, Inc., O=F5 Networks\\, OU=Certificate Authority, CN=F5 PRD Issuing Certificate Authority TEEM V1",
         "publicKeyType": "RSA (2048 bit)",
         "serialNumber": "<serial number>",
         "signatureAlgorithm": "SHA256-RSA",
         "subject": "CN=<subscription name>",
         "subjectAlternativeName": "",
         "subjectKeyIdentifier": "<fingerprint>",
         "thumbprint": "<thumbprint>",
         "thumbprintAlgorithm": "SHA256-RSA",
         "validFrom": "2021-12-21T16:57:55Z",
         "validTo": "2024-12-20T00:00:00Z",
         "version": 3
       }
     ],
     "certPEMDetails": {
       "caCerts": [],
       "password": "**********",
       "privateKey": "**********",
       "publicCert": "[content snipped]",
       "type": "PEM"
     },
     "created": "2023-01-27T23:42:41.587760092Z",
     "modified": "2023-01-27T23:42:41.587760092Z",
     "name": "nginx-repo",
     "serialNumber": "<serial number>",
     "uid": "d08d9f54-58dd-447a-a71d-6fa5aa0d880c",
     "validFrom": "2021-12-21T16:57:55Z",
     "validTo": "2024-12-20T00:00:00Z"
   }
   ```
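
As an added example (not part of the F5 documentation or tooling), the script below carries out the JSON-file step above: it builds `nginx-repo-certs.json` from the two downloaded PEM files, escapes each line break as `\n`, and creates the file with owner-only permissions because it contains the private key. The function names and script name are hypothetical, and the script assumes standard PEM text with no `"` or `\` characters.

```shell
#!/bin/sh
# Added example, not F5's tooling. Function names are hypothetical.

# Print FILE on one line, each line break replaced by the two characters \n.
# Carriage returns from Windows-style downloads are dropped.
pem_escape() {
  awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$1"
}

# build_repo_payload CERT KEY OUT: write the JSON body for POST /api/platform/v1/certs.
build_repo_payload() {
  crt=$1; key=$2; out=$3
  # Catch swapped or wrong files before anything is written.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
    { echo "not a PEM certificate: $crt" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "not a PEM private key: $key" >&2; return 1; }
  # Assumption: standard PEM text, so no " or \ needs JSON escaping.
  rm -f "$out"
  (
    umask 077   # the payload holds the private key: owner-only from creation
    cat > "$out" <<EOF
{
  "name": "nginx-repo",
  "nginxResourceType": "NginxRepo",
  "certPEMDetails": {
    "caCerts": [],
    "password": "",
    "privateKey": "$(pem_escape "$key")",
    "publicCert": "$(pem_escape "$crt")",
    "type": "PEM"
  }
}
EOF
  )
}

# Run as: sh build-payload.sh nginx-repo.crt nginx-repo.key nginx-repo-certs.json
if [ "$#" -eq 3 ]; then
  build_repo_payload "$@"
fi
```

The payload file holds the private key in clear text, so remove it once the upload in the next step succeeds.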

## Enable automatic downloads

NGINX Instance Manager can automatically download the latest attack signatures, bot signatures, and threat campaign versions. To enable automatic downloads:

1. Log in to the NGINX Instance Manager host using SSH.
1. Open the `/etc/nms/nms.conf` file in a text editor.
1. Adjust the `app_protect_security_update` settings as shown in the example below:

   ```yaml
   integrations:
     # enable this for integrations on tcp
     # address: 127.0.0.1:8037
     address: unix:/var/run/nms/integrations.sock
     dqlite:
       addr: 127.0.0.1:7892
     app_protect_security_update:
       # enable this to automatically retrieve the latest attack signatures, bot signatures, and threat campaigns
       enable: true
       # how often, in hours, to check for updates; default is 6
       interval: 6
       # how many updates to download; default is 10, max is 20
       number_of_updates: 10
   ```

1. Save the changes and close the file.
1. Restart the `nms-integrations` service:

   ```shell
   sudo systemctl restart nms-integrations
   ```

If the F5 WAF for NGINX certificate or key is missing, invalid, or expired, you’ll see an error like this:

```text
error when creating the nginx repo retriever - NGINX repo certificates not found
```

This means NGINX Instance Manager can’t connect to the NGINX repository to retrieve packages. Re-upload a valid certificate and key to resolve the issue.

