Add certificates using the Azure CLI
You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your F5 NGINX as a Service for Azure (NGINXaaS) configuration.
- AKV to store certificates that you want to add to the deployment.
- A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:
  - If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.
  - If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.
- In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:
  - If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.
  - If using Access Policies for AKV, ensure that you have LIST certificates or higher permissions.
  - If public access is disabled on your key vault, configure Network Security Perimeter and add an inbound access rule to allow your client IP address.

If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft. 
Create a certificate under a deployment. This references an existing certificate in an Azure Key Vault and makes it available to the NGINX configuration.
To create a certificate, use the az nginx deployment certificate create command:
az nginx deployment certificate create --certificate-name
                                       --deployment-name
                                       --resource-group
                                       [--certificate-path]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]

- Create a certificate with a certificate path, key path, and key vault secret ID:

  az nginx deployment certificate create --certificate-name myCertificate \
    --deployment-name myDeployment --resource-group myResourceGroup \
    --certificate-path /etc/nginx/test.cert --key-path /etc/nginx/test.key \
    --key-vault-secret-id keyVaultSecretId

See Azure CLI Certificate Create Documentation for more details on the available parameters.
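The value of --key-vault-secret-id is a Key Vault secret identifier, which the managed identity reads with the secrets permission listed in the prerequisites. The following pre-flight check is an added example, not part of the NGINXaaS documentation; the function names are hypothetical and the public-cloud suffix vault.azure.net is an assumption.

```shell
# Added example (not from the NGINXaaS docs): pre-flight check for the value
# passed to --key-vault-secret-id. Assumes the public-cloud DNS suffix
# vault.azure.net; check_secret_id and add_certificate are hypothetical names.

# Prints "versioned" or "unversioned" for a well-formed secret identifier.
# Prints the reason on stderr and returns 1 otherwise.
check_secret_id() {
  id=$1
  case $id in
    https://*/*) rest=${id#https://} ;;
    *) echo "rejected: expected https://<vault>.vault.azure.net/secrets/<name>" >&2; return 1 ;;
  esac
  host=${rest%%/*}; path=${rest#*/}
  vault=${host%.vault.azure.net}
  # The host must be exactly <vault>.vault.azure.net with a plain vault name.
  if [ "$vault" = "$host" ]; then echo "rejected: host is not a Key Vault" >&2; return 1; fi
  case $vault in
    ''|*[!A-Za-z0-9-]*) echo "rejected: bad vault name" >&2; return 1 ;;
  esac
  kind=${path%%/*}; after=${path#*/}
  # /certificates/ and /keys/ identifiers are not secret identifiers.
  if [ "$kind" != secrets ] || [ "$after" = "$path" ]; then
    echo "rejected: use the secret identifier (/secrets/<name>), got /$kind" >&2
    return 1
  fi
  name=${after%%/*}; version=
  [ "$name" = "$after" ] || version=${after#*/}
  case $name in
    ''|*[!A-Za-z0-9-]*) echo "rejected: bad secret name" >&2; return 1 ;;
  esac
  # A versioned ID pins one certificate version; an unversioned ID does not.
  case $version in
    '') echo unversioned ;;
    *[!0-9A-Fa-f]*) echo "rejected: bad version" >&2; return 1 ;;
    *) echo versioned ;;
  esac
}

# Runs the create command from this page only when the ID passes the check.
# Usage: add_certificate NAME DEPLOYMENT RESOURCE_GROUP CERT_PATH KEY_PATH SECRET_ID
add_certificate() {
  check_secret_id "$6" >/dev/null || return 1
  az nginx deployment certificate create --certificate-name "$1" \
    --deployment-name "$2" --resource-group "$3" \
    --certificate-path "$4" --key-path "$5" --key-vault-secret-id "$6"
}
```

The check runs offline and only inspects the string; it does not confirm that the secret exists or that the managed identity can read it.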
To update a certificate, use the az nginx deployment certificate update command:
az nginx deployment certificate update [--add]
                                       [--certificate-name]
                                       [--certificate-path]
                                       [--deployment-name]
                                       [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--ids]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--remove]
                                       [--resource-group]
                                       [--set]
                                       [--subscription]

- Update the certificate virtual path, key virtual path and certificate:

  az nginx deployment certificate update --certificate-name myCertificate \
    --deployment-name myDeployment --resource-group myResourceGroup \
    --certificate-path /etc/nginx/testupdated.cert \
    --key-path /etc/nginx/testupdated.key \
    --key-vault-secret-id newKeyVaultSecretId

See Azure CLI Certificate Create Documentation for more details on the available parameters.
To delete a certificate, use the az nginx deployment certificate delete command:
az nginx deployment certificate delete [--certificate-name]
                                       [--deployment-name]
                                       [--ids]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--resource-group]
                                       [--subscription]
                                       [--yes]

- Delete a certificate:

  az nginx deployment certificate delete --certificate-name myCertificate \
    --deployment-name myDeployment --resource-group myResourceGroup

See Azure CLI Certificate Delete Documentation for more details on the available parameters.