# Add certificates using the Azure CLI Type of document: How-to guide Product: NGINXaaS for Azure --- You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your F5 NGINXaaS for Azure (NGINXaaS) configuration. ### Prerequisites NGINXaaS natively integrates with [Azure Key Vault (AKV)](https://azure.microsoft.com/en-us/products/key-vault), so you can bring your own certificates and manage them in a centralized location. You will need: - AKV to store certificates that you want to add to the deployment. - A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your Managed Identity (MI) has read access to secrets stored in AKV: - If using Azure RBAC for AKV, ensure that your MI has [Key Vault Secrets User](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-secrets-user) or higher permissions. - If using Access Policies for AKV, ensure that your MI has *GET secrets* or higher permissions. - Access to AKV through a public or private endpoint. If public access to AKV needs to be restricted, refer to [Restrict Public Access to Key Vault](/nginxaas-azure/quickstart/security-controls/certificates.md#restrict-public-access-to-key-vault). - In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault: - If using Azure RBAC for AKV, ensure that you have [Key Vault Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-reader) or higher permissions. - If using Access Policies for AKV, ensure that you have *LIST certificates* or higher permissions. - If public access is disabled on your key vault, add an inbound access rule to allow your client IP address. - If you're unfamiliar with Azure Key Vault, check out the [Azure Key Vault concepts](https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts) documentation from Microsoft. - Install [Azure CLI with NGINXaaS extension](/nginxaas-azure/client-tools/cli.md) ## Create a certificate Create a certificate under a deployment. This references an existing certificate in an Azure Key Vault and makes it available to NGINX configuration To create a certificate, use the `az nginx deployment certificate create` command: ```shell az nginx deployment certificate create --certificate-name --deployment-name --resource-group [--certificate-path] [--key-path] [--key-vault-secret-id] [--location] [--no-wait {0, 1, f, false, n, no, t, true, y, yes}] ``` ### Example - Create a certificate with a certificate path, key path, and key vault secret ID: ```shell az nginx deployment certificate create --certificate-name myCertificate \ --deployment-name myDeployment --resource-group myResourceGroup \ --certificate-path /etc/nginx/test.cert --key-path /etc/nginx/test.key \ --key-vault-secret-id keyVaultSecretId ``` **Note:** The `--key-vault-secret-id` must be the **Secret Identifier**, not the Certificate Identifier. To find the Secret Identifier, see [Finding the Azure Key Vault Secret Identifier](/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal/#finding-the-azure-key-vault-secret-identifier). See [Azure CLI Certificate Create Documentation](https://learn.microsoft.com/en-us/cli/azure/nginx/deployment/certificate#az-nginx-deployment-certificate-create) for more details on the available parameters. ## Update a certificate To update a certificate, use the `az nginx deployment certificate update` command: ```shell az nginx deployment certificate update [--add] [--certificate-name] [--certificate-path] [--deployment-name] [--force-string {0, 1, f, false, n, no, t, true, y, yes}] [--ids] [--key-path] [--key-vault-secret-id] [--location] [--no-wait {0, 1, f, false, n, no, t, true, y, yes}] [--remove] [--resource-group] [--set] [--subscription] ``` ### Example - Update the certificate virtual path, key virtual path and certificate: ```shell az nginx deployment certificate update --certificate-name myCertificate \ --deployment-name myDeployment --resource-group myResourceGroup \ --certificate-path /etc/nginx/testupdated.cert \ --key-path /etc/nginx/testupdated.key \ --key-vault-secret-id newKeyVaultSecretId ``` See [Azure CLI Certificate Create Documentation](https://learn.microsoft.com/en-us/cli/azure/nginx/deployment/certificate#az-nginx-deployment-certificate-update) for more details on the available parameters. ## Delete a certificate To delete a certificate, use the `az nginx deployment certificate delete` command: ```shell az nginx deployment certificate delete [--certificate-name] [--deployment-name] [--ids] [--no-wait {0, 1, f, false, n, no, t, true, y, yes}] [--resource-group] [--subscription] [--yes] ``` ### Example - Delete a certificate: ```shell az nginx deployment certificate delete --certificate-name myCertificate \ --deployment-name myDeployment --resource-group myResourceGroup ``` See [Azure CLI Certificate Delete Documentation](https://learn.microsoft.com/en-us/cli/azure/nginx/deployment/certificate#az-nginx-deployment-certificate-delete) for more details on the available parameters.