Add SSL/TLS Certificates
Learn how to store certificates and keys with Azure Key Vault.
You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your NGINXaaS configuration.
Prerequisites
- AKV to store certificates that you want to add to the deployment.
  Note: The Key Vault firewall should remain in the default “disabled” state.
- A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:
  - If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.
  - If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.
- If using the Azure portal to add certificates, ensure that you have the following permissions:
  - Key Vault Reader or higher permission to view the Key Vault resource.
  - Read access to list certificates inside the Key Vault:
    - If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.
    - If using Access Policies for AKV, ensure that you have GET certificates or higher permissions.
If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.
Adding an SSL/TLS Certificate
Before you begin, refer to the Azure documentation on importing a certificate to your Key Vault.
- Go to your NGINXaaS for Azure deployment.
- Select NGINX certificates in the left menu.
- Select Add certificate.
- Provide the required information.

Field | Description |
---|---|
Name | A unique name for the certificate. |
Certificate path | This path must match one or more ssl_certificate directive file arguments in your NGINX configuration. The certificate path must be unique between certificates within the same deployment. |
Key path | This path must match one or more ssl_certificate_key directive file arguments in your NGINX configuration. The key path must be unique between certificates within the same deployment. The key path and certificate path can be the same within the certificate. |
Key vault | Select from the available key vaults. |
Certificate name | Select the certificate you want to add from the previously selected key vault. |

  Note: If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories an Auxiliary file can be written to.
- Once you save the certificate, the status changes from In Progress to Succeeded.
- Repeat the same steps to add as many certificates as needed.
- Now you can provide an NGINX configuration that references the certificate you just added by the path value.
Deleting an SSL/TLS Certificate
- Select the certificate.
- Select Delete.
- Confirm the delete action.
Warning: Deleting a TLS/SSL certificate currently in use by the NGINXaaS for Azure deployment will cause an error.
Certificate Rotation
NGINXaaS for Azure regularly polls the Azure Key Vault (AKV) to check if the certificate has been updated. If an updated certificate is found, it is automatically rotated on the deployment within 4 hours. Any change to the NGINX configuration will trigger all SSL/TLS certificates to be rotated immediately.
For Azure client tools, such as the Azure CLI or Azure Resource Manager, the certificate is referenced from AKV via its Key Vault secret identifier. If the secret identifier specifies a version, NGINXaaS will not rotate the certificate. To enable certificate rotation, ensure the secret identifier does not contain a version, for example, https://myvault.vault.azure.net/secrets/mysecret. Certificates added via the Azure Portal will automatically be rotated.
Warning:
If your SSL/TLS certificate or your NGINX configuration is in a failed state, the certificate will not be automatically renewed. Fix the respective resource to be in a successful state to enable certificate rotation.
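As an added example (not code from the NGINXaaS documentation), the following POSIX shell script checks the rotation caveat above before a secret identifier is handed to NGINXaaS: it reports whether a Key Vault secret identifier is versionless, so that rotation stays enabled, and strips the version segment when one is present. The vault name myvault and secret name mysecret are constructed.

```shell
#!/bin/sh
# Added example, not from the NGINXaaS docs: validate Key Vault secret identifiers
# before passing them to NGINXaaS. A versioned identifier pins the certificate and
# disables automatic rotation; a versionless identifier lets rotation happen.
#
# Expected shape: https://<vault>.vault.azure.net/secrets/<name>[/<version>]

# Returns 0 if the identifier is versionless, 1 if it carries a version,
# 2 if it is not a Key Vault secret identifier at all.
secret_id_is_versionless() {
  id="${1%/}"                      # tolerate a trailing slash
  case "$id" in
    https://*.vault.azure.net/secrets/?*) ;;
    *) return 2 ;;                 # wrong host or not under /secrets/
  esac
  path="${id#*/secrets/}"          # "<name>" or "<name>/<version>"
  case "$path" in
    */*) return 1 ;;               # version segment present: rotation disabled
    *)   return 0 ;;
  esac
}

# Prints the versionless form of a secret identifier (unchanged if already versionless).
strip_secret_version() {
  id="${1%/}"
  prefix="${id%%/secrets/*}/secrets/"
  path="${id#*/secrets/}"
  printf '%s\n' "${prefix}${path%%/*}"
}

# Demo over constructed identifiers (vault and secret names are made up).
for candidate in \
  "https://myvault.vault.azure.net/secrets/mysecret" \
  "https://myvault.vault.azure.net/secrets/mysecret/0123456789abcdef0123456789abcdef" \
  "https://myvault.vault.azure.net/certificates/mysecret"; do
  secret_id_is_versionless "$candidate" && rc=0 || rc=$?
  case $rc in
    0) echo "ok        $candidate (rotation enabled)" ;;
    1) echo "versioned $candidate -> use $(strip_secret_version "$candidate")" ;;
    *) echo "invalid   $candidate (not a Key Vault secret identifier)" ;;
  esac
done
```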
Monitoring Certificates
To view the status of your SSL/TLS certificates, enable monitoring for your NGINXaaS deployment and navigate to the Metrics tab. View the nginxaas.certificates metric under the nginxaas statistics metric namespace. The nginxaas.certificates metric allows you to filter by certificate name and the status of the certificate. The status dimension reports the health of your certificates through the following values:
Status | Description |
---|---|
active | The certificate was successfully fetched from AKV. |
unauthorized | Azure returned a 401/403 error when fetching the certificate from AKV, which usually indicates an issue with the deployment’s Managed Identity. |
not found | Azure returned a 404 error when fetching the certificate from AKV. |
incompatible | An error occurred while fetching or processing the certificate from AKV. The possible reasons include: |
