SSL/TLS Certificates

Learn how to store certificates and keys with Azure Key Vault.

When deploying NGINX for Azure, you can use Azure Key Vault for storing SSL/TLS certificates and keys to use in your NGINX configuration.

Prerequisites

  • An Azure Key Vault that stores the certificates you want to add to the deployment.

    • For Private Preview we recommend creating a new, dedicated Key Vault.

    • Key Vault firewall should remain in the default “disabled” state.

  • A user managed identity added to the deployment. Ensure that your user managed identity has read access to secrets stored in Azure Key Vault.

    • If using Azure RBAC for Azure Key Vault (AKV), ensure that your managed identity (MI) has Key Vault Secrets User or higher permissions.

    • If leveraging Access Policies for AKV, please ensure that your MI has GET secrets or higher permissions.

  • If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Note:
Currently NGINX for Azure supports PEM certificates only.

Adding an SSL/TLS Certificate

  1. Go to your NGINX for Azure deployment.

  2. Select NGINX certificates in the left menu.

  3. Select Add certificate.

  4. Provide the required information.

    Field | Description
    Name | A unique name for the certificate.
    Certificate path | This path must match one or more ssl_certificate directive file arguments in your NGINX configuration. The certificate path must be unique between certificates within the same deployment.
    Key path | This path must match one or more ssl_certificate_key directive file arguments in your NGINX configuration. The key path must be unique between certificates within the same deployment. The key path and certificate path can be the same within the certificate.
    Key vault | Select from the available key vaults.
    Certificate name | Select the certificate you want to add from the previously selected key vault.
  5. Once you save the certificate, the status changes from In Progress to Succeeded.

  6. Repeat the same steps to add as many certificates as needed.

  7. Now you can provide an NGINX configuration that references the certificate you just added by the path value. See: Add NGINX Configuration.
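
A pre-flight check for the path rules in step 4 and for the deletion warning on this page, as an added example (not code from NGINX or Azure): it compares certificate entries with the ssl_certificate and ssl_certificate_key directives found in a configuration. The entry dictionary keys, the sample paths and the names are assumptions made for the example.

```python
import re
from collections import Counter

# ssl_certificate / ssl_certificate_key plus file argument; lookbehind skips proxy_ssl_certificate.
DIRECTIVE = re.compile(r"(?<!\w)(ssl_certificate(?:_key)?)\s+([^;\s]+)\s*;")

def referenced_paths(conf):
    """Return (certificate files, key files) named in the NGINX config text."""
    refs = {"ssl_certificate": set(), "ssl_certificate_key": set()}
    uncommented = re.sub(r"#[^\n]*", "", conf)  # naive: assumes no '#' inside quoted values
    for directive, path in DIRECTIVE.findall(uncommented):
        refs[directive].add(path.strip("\"'"))
    return refs["ssl_certificate"], refs["ssl_certificate_key"]

def check(entries, conf):
    """Compare certificate entries (portal fields) with the config; list problems."""
    problems = []
    refs = dict(zip(("certificate_path", "key_path"), referenced_paths(conf)))
    for field, used in refs.items():
        counts = Counter(e[field] for e in entries)
        problems += [f"{field} {p} is shared by {n} certificates"
                     for p, n in counts.items() if n > 1]
        problems += [f"{e['name']}: {field} {e[field]} matches no directive"
                     for e in entries if e[field] not in used]
        # A referenced file with no entry: the state left by deleting an in-use certificate.
        problems += [f"config references {p} but no certificate supplies it"
                     for p in sorted(used - set(counts))]
    return problems

# Constructed sample config and entries; paths and names are illustrative.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/site.pem;
    ssl_certificate_key /etc/nginx/ssl/site.pem;  # key and certificate in one file
}
server {
    listen 8443 ssl;
    ssl_certificate     /etc/nginx/ssl/api.crt;
    ssl_certificate_key /etc/nginx/ssl/api.key;
    # ssl_certificate   /etc/nginx/ssl/old.crt;
}
"""
SAMPLE_ENTRIES = [
    {"name": "site", "certificate_path": "/etc/nginx/ssl/site.pem", "key_path": "/etc/nginx/ssl/site.pem"},
    {"name": "api", "certificate_path": "/etc/nginx/ssl/api.crt", "key_path": "/etc/nginx/ssl/api.key"},
]
if __name__ == "__main__":
    print(check(SAMPLE_ENTRIES, SAMPLE_CONF) or "consistent")
```

Running the check against the entries that would remain after a planned deletion shows whether the configuration still references the certificate being removed.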

Deleting an SSL/TLS Certificate

  1. Select the certificate.

  2. Select Delete.

  3. Confirm the delete action.

Warning:
Deleting a TLS/SSL certificate that is currently in use by the NGINX for Azure deployment will cause an error.

What’s Next

NGINX Configuration