Add or Replace Certificates

This guide explains how to add certificates and how to identify and replace certificates that are expiring or have expired.


This documentation applies to NGINX Instance Manager 2.0.0 and later.


About Certificates

  • Managed certs

  • Unmanaged certs

You can add certificates to NGINX Instance Manager using the web interface or API. Certificates in NGINX Instance Manager are stored in PEM format in an internal secret store. Certificates can be published to NGINX instances, which use certificates to decrypt and encrypt requests and responses.

Important:
The certificate bundle stored on the NGINX Instance Manager server is not encrypted.

NGINX Instance Manager can import the following types of certificates:

  1. PEM (Privacy Enhanced Mail): a container format that includes an entire certificate chain including public key, private key, and any intermediate root certificates.
  2. PKCS12 (Public-Key Cryptography Standards): a container format with multiple embedded objects, such as multiple certificates. The contents are base64 encoded.

Add a Managed Cert

You need to create a certificate before you can add one to NGINX Instance Manager. Use OpenSSL or a similar service to create a cert.

To add a cert to NGINX Instance Manager, take the following steps:

  1. Open the NGINX Instance Manager web interface and log in.

  2. Under Modules, select Instance Manager.

  3. In the left menu, select Certs.

  4. Select Add.

  5. In the Name box, type the name for the certificate.

  6. Select the import method:

    • Import PEM or PKCS12 file - Drag and drop the cert file into the upload section, or select Browse to locate and upload the file.
    • Copy and paste PEM text - Paste the appropriate cert contents into the Private Key, Public Cert, and Issuing CA Certs boxes.
  7. Select Add.

Identify Expiring or Expired Certs

To identify certs that have expired or are expiring soon, take the following steps:

  1. Open the NGINX Instance Manager web interface and log in.
  2. Under Modules, select Instance Manager.
  3. In the left menu, select Certs.

Each certificate is listed with its expiration date and a status of Expired, Expiring, or Healthy.

A certificate is considered Expiring if it expires in fewer than 30 days.

To replace an expiring or expired certificate with a new one, select Edit.


[Figure: Cert status]

Replace Managed Certificates Using the Web Interface

To replace a cert, take the following steps. As you make changes, the analyzer checks your configuration when you move off the line you are editing.

  1. Open the NGINX Instance Manager web interface and log in.
  2. Under Modules, select Instance Manager.
  3. In the left menu, select Certs.
  4. On the Certs overview page, select the certificate you want to replace, then select Edit.
  5. Paste the appropriate cert contents into the Private Key, Public Cert, and Issuing CA Certs boxes.
  6. Select Save.

[Figure: Editor UI]

Replace Managed Certificates Using the API

To replace a cert using the NGINX Instance Manager API, send a PUT request similar to the following example to the Certs API endpoint.

curl -X PUT "https://nginx-manager.example.com/api/v0/certs/pem_cert_with_ca" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "pem_cert_with_ca",
    "certPEMDetails": {
      "type": "PEM",
      "privateKey": "-----BEGIN PRIVATE KEY-----<base64-encoded blob>-----END PRIVATE KEY-----",
      "publicCert": "-----BEGIN CERTIFICATE-----<base64-encoded blob>-----END CERTIFICATE-----",
      "password": "",
      "caCerts": ["-----BEGIN CERTIFICATE-----<base64-encoded blob>-----END CERTIFICATE-----"]
    },
    "instanceRefs": ["/api/platform/v1/systems/56926426-c8c6-1c4e-95b4-418d4a817b42/instances/1de809e5-c186-5367-9957-25dfab5354f5"]
  }'
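
The request above carries the private key inline on the command line. As an added example (not part of the NGINX Instance Manager documentation or product), the Python below splits a PEM bundle into the privateKey, publicCert and caCerts fields of that request and writes the JSON body to an owner-only file. The function names, the cert-body.json file name and the leaf-first ordering of the bundle are assumptions; the sample bundle is constructed.

```python
import json
import os
import re

# One PEM block; group 1 is its label ("CERTIFICATE", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def split_pem_bundle(bundle):
    """Split a PEM bundle into privateKey, publicCert and caCerts.

    Assumption: the first CERTIFICATE block is the public cert and any
    later CERTIFICATE blocks are the issuing CA certs.
    """
    key, certs = None, []
    for match in PEM_BLOCK.finditer(bundle):
        block = match.group(0).replace("\r\n", "\n") + "\n"
        if match.group(1).endswith("PRIVATE KEY"):
            if key is not None:
                raise ValueError("bundle contains more than one private key")
            key = block
        elif match.group(1) == "CERTIFICATE":
            certs.append(block)
    if key is None or not certs:
        raise ValueError("need one private key and at least one certificate")
    return {"privateKey": key, "publicCert": certs[0], "caCerts": certs[1:]}

def build_cert_payload(name, bundle, instance_refs=(), password=""):
    """Build the PUT body using the field names from the request on this page."""
    details = {"type": "PEM", "password": password, **split_pem_bundle(bundle)}
    return {"name": name, "certPEMDetails": details, "instanceRefs": list(instance_refs)}

def write_payload(path, payload):
    """Write the body to an owner-only file so the key stays out of argv and shell history."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w") as fh:
        json.dump(payload, fh)  # PEM line breaks become \n escapes in the JSON

# Constructed sample bundle: placeholder bodies, not real key material.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
CONSTRUCTEDKEYPLACEHOLDER
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDLEAFPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTEDISSUERPLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    write_payload("cert-body.json", build_cert_payload("pem_cert_with_ca", SAMPLE_BUNDLE))
```

The resulting file can be passed to curl with `-d @cert-body.json` in place of the inline JSON string, and deleted once the request succeeds.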