Add SSL/TLS Certificates

Learn how to store certificates and keys with Azure Key Vault.

You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your NGINXaaS configuration.

Prerequisites

  • AKV to store certificates that you want to add to the deployment.
Note:
The Key Vault firewall should remain in the default “disabled” state.

  • A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:

    • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

    • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

  • If using Azure portal to add certificates, ensure that you have the following permissions:

    • Key Vault Reader or higher permission to view the Key Vault resource.

    • Read access to list certificates inside the Key Vault:

      • If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.

      • If using Access Policies for AKV, ensure that you have GET certificates or higher permissions.

  • If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Adding an SSL/TLS Certificate

Before you begin, refer Azure documentation to Import a certificate to your Key Vault.

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX certificates in the left menu.

    NGINX Certificates

  3. Select Add certificate.

  4. Provide the required information.

    Add Certificates
    Field Description
    Name A unique name for the certificate.
    Certificate path This path must match one or more ssl_certificate directive file arguments in your NGINX configuration.
    The certificate path must be unique between certificates within the same deployment.
    Key path This path must match one or more ssl_certificate_key directive file arguments in your NGINX configuration.
    The key path must be unique between certificates within the same deployment.
    The key path and certificate path can be the same within the certificate.
    Key vault Select from the available key vaults.
    Certificate name Select the certificate you want to add from the previously selected key vault.
Note:
If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories an Auxiliary file can be written to.

  1. Once you save the certificate, the status changes from In Progress to Succeeded.

    Adding a Certificate

    Certificate Added

  2. Repeat the same steps to add as many certificates as needed.

  3. Now you can provide an NGINX configuration that references the certificate you just added by the path value.

Deleting an SSL/TLS Certificate

  1. Select the certificate.

  2. Select Delete.

    Deleting a Certificate

  3. Confirm the delete action.

    Confirm Certificate Deletion
Warning:
Deleting a TLS/SSL certificate currently in-use by the NGINXaaS for Azure deployment will cause an error.

Certificate Rotation

NGINXaaS for Azure regularly polls the Azure Key Vault (AKV) to check if the certificate has been updated. If an updated certificate is found, it is automatically rotated on the deployment within 4 hours. Any change to the NGINX configuration will trigger all SSL/TLS certificates to be rotated immediately.

For Azure client tools, such as the Azure CLI or Azure Resource Manager, the certificate is referenced from AKV via its Key Vault secret identifier. If the secret identifier specifies a version, NGINXaaS will not rotate the certificate. To enable certificate rotation, ensure the secret id does not contain a version, for example, https://myvault.vault.azure.net/secrets/mysecret. Certificates added via the Azure Portal will automatically be rotated.

Warning:
If your SSL/TLS certificate or your NGINX configuration is in a failed state, the certificate will not be automatically renewed. Fix the respective resource to be in a successful state to enable certificate rotation.

Monitoring Certificates

To view the status of your SSL/TLS certificates, enable monitoring for your NGINXaaS deployment and navigate to the Metrics tab. View the nginxaas.certificates metric under the nginxaas statistics metric namespace. The nginxaas.certificates metric allows you to filter by certificate name and the status of the certificate. The status dimension reports the health of your certificates through the following values:

Status Description
active The certificate was successfully fetched from AKV.
unauthorized Azure returned a 401/403 error when fetching the certificate from AKV, which usually indicates an issue with the deployment’s Managed Identity.
not found Azure returned a 404 error when fetching the certificate from AKV.
incompatible An error occurred while fetching or processing the certificate from AKV.

The possible reasons include:

  • Error while downloading certificate and key
  • Missing content type in certificate
  • Missing content in certificate
  • Unrecognized content type, certificate not in PEM or PKCS12 format
nginxaas.certificates Azure metric