SSL/TLS Certificates

Learn how to store certificates and keys with Azure Key Vault.

When deploying NGINX as a Service for Azure, you can use Azure Key Vault for storing SSL/TLS certificates and keys to use in your NGINX configuration.

Prerequisites

  • An Azure Key Vault that stores the certificates you want to add to the deployment. The Key Vault firewall should remain in the default “disabled” state.

  • A user-assigned or system-assigned managed identity (MI) added to the deployment. Ensure that the managed identity has read access to secrets stored in Azure Key Vault (AKV):

    • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

    • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

  • If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Adding an SSL/TLS Certificate

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX certificates in the left menu.

  3. Select Add certificate.

  4. Provide the required information.

    | Field | Description |
    | Name | A unique name for the certificate. |
    | Certificate path | This path must match one or more ssl_certificate directive file arguments in your NGINX configuration. The certificate path must be unique between certificates within the same deployment. |
    | Key path | This path must match one or more ssl_certificate_key directive file arguments in your NGINX configuration. The key path must be unique between certificates within the same deployment. The key path and certificate path can be the same within the certificate. |
    | Key vault | Select from the available key vaults. |
    | Certificate name | Select the certificate you want to add from the previously selected key vault. |

Note:
If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories an Auxiliary file can be written to.
  5. Once you save the certificate, the status changes from In Progress to Succeeded.

  6. Repeat the same steps to add as many certificates as needed.

  7. Now you can provide an NGINX configuration that references the certificate you just added by the path value.
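
The path-matching and uniqueness rules from the field table can be checked before a configuration is submitted. The following is an added example, not part of the NGINXaaS documentation or tooling: `check_paths`, the certificate dictionaries and the sample paths are constructed for illustration, and the parser assumes one directive per line.

```python
import re
from collections import Counter

# Assumes one directive per line; commented-out directives do not match.
DIRECTIVE = re.compile(
    r"""^[ \t]*(ssl_certificate(?:_key)?)[ \t]+["']?([^"'\s;]+)["']?[ \t]*;""", re.M)
FIELD = {"ssl_certificate": "cert_path", "ssl_certificate_key": "key_path"}

def check_paths(certs, nginx_conf):
    """Compare certificate entries (Name, Certificate path, Key path) with the
    ssl_certificate / ssl_certificate_key file arguments found in nginx_conf."""
    report = {"duplicates": [], "unmatched_directives": [], "unreferenced": []}
    used = {"cert_path": set(), "key_path": set()}
    for directive, path in DIRECTIVE.findall(nginx_conf):
        used[FIELD[directive]].add(path)
    for field in ("cert_path", "key_path"):
        counts = Counter(c[field] for c in certs)
        # A path may repeat inside one certificate, never between certificates.
        report["duplicates"] += sorted((field, p) for p, n in counts.items() if n > 1)
        # Directive arguments that no certificate entry provides a file for.
        report["unmatched_directives"] += sorted(
            (field, p) for p in used[field] - set(counts))
        # Certificate entries whose path no directive references.
        report["unreferenced"] += sorted(
            (c["name"], field) for c in certs if c[field] not in used[field])
    return report

# Constructed sample data (hypothetical certificate names and paths).
SAMPLE_CERTS = [
    {"name": "site", "cert_path": "/etc/nginx/ssl/site.crt", "key_path": "/etc/nginx/ssl/site.key"},
    {"name": "api", "cert_path": "/etc/nginx/ssl/api.pem", "key_path": "/etc/nginx/ssl/api.pem"},
    {"name": "unused", "cert_path": "/etc/nginx/ssl/old.crt", "key_path": "/etc/nginx/ssl/old.key"},
]
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/site.crt;
    ssl_certificate_key /etc/nginx/ssl/site.key;
}
server {
    listen 8443 ssl;
    ssl_certificate     /etc/nginx/ssl/api.pem;
    ssl_certificate_key /etc/nginx/ssl/missing.key;  # no certificate entry has this key path
}
"""

if __name__ == "__main__":
    for kind, items in check_paths(SAMPLE_CERTS, SAMPLE_CONF).items():
        print(kind, items)
```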

Deleting an SSL/TLS Certificate

  1. Select the certificate.

  2. Select Delete.

  3. Confirm the delete action.

Warning:
Deleting a TLS/SSL certificate that is currently in use by the NGINXaaS for Azure deployment will cause an error.