Add certificates using the Azure portal

Overview

Overview

You can manage SSL/TSL certificates for F5 NGINX as a Service for Azure (NGINXaaS) using the Azure portal.

Prerequisites

Prerequisites

NGINXaaS natively integrates with Azure Key Vault (AKV), so you can bring your own certificates and manage them in a centralized location. You will need:

• AKV to store certificates that you want to add to the deployment.

• A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your Managed Identity (MI) has read access to secrets stored in AKV:

  • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

  • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

• In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have read access to list certificates inside the Key Vault:

  • If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.

  • If using Access Policies for AKV, ensure that you have LIST certificates or higher permissions.

  • If public access is disabled on your key vault, configure Network Security Perimeter and add an inbound access rule to allow your client IP address.

• If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Adding an SSL/TLS certificate

Adding an SSL/TLS certificate

Before you begin, refer Azure documentation to Import a certificate to your Key Vault.

1. Go to your NGINXaaS for Azure deployment.

2. Select NGINX certificates in the left menu.

3. Select Add certificate.

4. Provide the required information:

   Field	Description
   Name	A unique name for the certificate.
   Certificate path	This path can match one or more ssl_certificate directive file arguments in your NGINX configuration. The certificate path must be unique within the same deployment.
   Key path	This path can match one or more ssl_certificate_key directive file arguments in your NGINX configuration. The key path must be unique within the same deployment. The key path and certificate path can be the same within the certificate.

   Field	Description
   Name	A unique name for the certificate.
   Certificate path	This path can match one or more ssl_certificate directive file arguments in your NGINX configuration. The certificate path must be unique within the same deployment.
   Key path	This path can match one or more ssl_certificate_key directive file arguments in your NGINX configuration. The key path must be unique within the same deployment. The key path and certificate path can be the same within the certificate.

   • The Select certificate button will take you to a new screen where you will need to provide the following information:

   Field	Description
   Key vault	Select from the available key vaults.
   Certificate	Select the certificate you want to add from the previously selected key vault.

   Field	Description
   Key vault	Select from the available key vaults.
   Certificate	Select the certificate you want to add from the previously selected key vault.

   If you need to create a new key vault or certificate, you can do so by selecting Create new key vault or Create new under the Key Vault and Certificate fields, respectively.

   Note: If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories the file can be written to.

   If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories the file can be written to.

   Note: A certificate added to an NGINXaaS for Azure deployment using the Azure Portal refers to an unversioned Azure Key Vault (AKV) secret identifier. To add a certificate with a versioned AKV secret identifier, follow the documented steps with alternative Client tools for NGINXaaS for Azure.

   A certificate added to an NGINXaaS for Azure deployment using the Azure Portal refers to an unversioned Azure Key Vault (AKV) secret identifier. To add a certificate with a versioned AKV secret identifier, follow the documented steps with alternative Client tools for NGINXaaS for Azure.

5. Select Add certificate.

6. Repeat the same steps to add as many certificates as needed.

7. Now you can provide an NGINX configuration that references the certificate you just added by the path value.

View certificate details

View certificate details

1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

2. Select the name of the certificate from the list.

3. View the certificate details, including the certificate path, key path, thumbprint, and the certificate’s status. This view will also show in a red box any errors that occurred during the certificate fetch process.

Edit an SSL/TLS certificate

Edit an SSL/TLS certificate

1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

2. Select the checkbox next to the certificate you want to edit.

3. Select Edit.

4. Update the Name, Certificate path, Key path fields as needed.

5. Use the Select certificate option to update the Key vault, and Certificate fields as needed.

6. Select Update.

Delete an SSL/TLS certificate

Delete an SSL/TLS certificate

1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

2. Select the checkbox next to the certificate you want to delete.

3. Select Delete.

4. Confirm the delete action.

Warning Deleting a TLS/SSL certificate currently in-use by the NGINXaaS for Azure deployment will cause an error.

Warning

Deleting a TLS/SSL certificate currently in-use by the NGINXaaS for Azure deployment will cause an error.

What’s next

What’s next

Upload an NGINX Configuration