Add certificates using the Azure CLI
You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your F5 NGINX as a Service for Azure (NGINXaaS) configuration.
Prerequisites
- AKV to store certificates that you want to add to the deployment.
  Note: The Key Vault firewall should remain in the default “disabled” state.
- A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:
  - If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.
  - If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.
- In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have the following permissions:
  - Key Vault Reader or higher permission to view the Key Vault resource.
  - Read access to list certificates inside the Key Vault:
    - If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.
    - If using Access Policies for AKV, ensure that you have GET certificates or higher permissions.
- If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.
- Confirm that you meet the NGINXaaS Prerequisites.
- Install Azure CLI version 2.59.0 or greater: Azure CLI Installation.
- Log into your Azure account through the CLI: Azure CLI Authentication.
- Install the NGINXaaS for Azure extension:
    az extension add --name nginx
  Note: The extension will automatically install the first time you run an az nginx command.
See Also:
See the NGINXaaS for Azure CLI reference for a complete list of NGINXaaS CLI commands.
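The managed identity and Key Vault firewall prerequisites above can be checked from the CLI before a certificate is created. The script below is an added example, not part of the NGINXaaS documentation; its function names, its reading of "or higher" as the three built-in roles it lists, and its use of defaultAction to detect the firewall state are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight for the AKV prerequisites before running
# `az nginx deployment certificate create`. The caller supplies the vault
# name and the managed identity's principal (object) ID.

# Succeeds if any role name on stdin (one per line) grants secret reads.
# Assumption: "Key Vault Secrets User or higher" means these built-in roles.
# Owner and Contributor are control-plane roles and do not qualify.
has_secret_read_role() {
  while IFS= read -r role || [ -n "$role" ]; do
    case "$role" in
      "Key Vault Secrets User"|"Key Vault Secrets Officer"|"Key Vault Administrator")
        return 0 ;;
    esac
  done
  return 1
}

# Succeeds if any access-policy secret permission on stdin is "get" or "all".
has_secret_get_permission() {
  while IFS= read -r perm || [ -n "$perm" ]; do
    case "$(printf '%s' "$perm" | tr '[:upper:]' '[:lower:]')" in
      get|all) return 0 ;;
    esac
  done
  return 1
}

# usage: preflight <vault-name> <mi-principal-id>
# returns 0 = ready, 1 = prerequisite not met, 2 = az call failed
preflight() {
  vault=$1; mi=$2
  fw=$(az keyvault show --name "$vault" \
        --query properties.networkAcls.defaultAction -o tsv) || return 2
  # Assumption: a firewall left "disabled" never reports defaultAction=Deny.
  [ "$fw" != "Deny" ] || { echo "Key Vault firewall is enabled" >&2; return 1; }
  rbac=$(az keyvault show --name "$vault" \
        --query properties.enableRbacAuthorization -o tsv) || return 2
  if [ "$(printf '%s' "$rbac" | tr '[:upper:]' '[:lower:]')" = "true" ]; then
    scope=$(az keyvault show --name "$vault" --query id -o tsv) || return 2
    az role assignment list --assignee "$mi" --scope "$scope" --include-inherited \
      --query '[].roleDefinitionName' -o tsv | has_secret_read_role
  else
    az keyvault show --name "$vault" -o tsv \
      --query "properties.accessPolicies[?objectId=='$mi'].permissions.secrets[]" \
      | has_secret_get_permission
  fi
}
```

Custom roles that grant secret reads are not recognised by this check, so a return of 1 on an RBAC vault calls for a manual look at the identity's role assignments.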
Create a certificate
Create a certificate under a deployment. This references an existing certificate in an Azure Key Vault and makes it available to NGINX configuration.
To create a certificate, use the az nginx deployment certificate create command:
    az nginx deployment certificate create --certificate-name
                                           --deployment-name
                                           --resource-group
                                           [--certificate-path]
                                           [--key-path]
                                           [--key-vault-secret-id]
                                           [--location]
                                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
Example
- Create a certificate with a certificate path, key path, and key vault secret ID:
    az nginx deployment certificate create --certificate-name myCertificate \
      --deployment-name myDeployment --resource-group myResourceGroup \
      --certificate-path /etc/nginx/test.cert --key-path /etc/nginx/test.key \
      --key-vault-secret-id keyVaultSecretId
See Azure CLI Certificate Create Documentation for more details on the available parameters.
Update a certificate
To update a certificate, use the az nginx deployment certificate update command:
    az nginx deployment certificate update [--add]
                                           [--certificate-name]
                                           [--certificate-path]
                                           [--deployment-name]
                                           [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                           [--ids]
                                           [--key-path]
                                           [--key-vault-secret-id]
                                           [--location]
                                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                           [--remove]
                                           [--resource-group]
                                           [--set]
                                           [--subscription]
Example
- Update the certificate virtual path, key virtual path and certificate:
    az nginx deployment certificate update --certificate-name myCertificate \
      --deployment-name myDeployment --resource-group myResourceGroup \
      --certificate-path /etc/nginx/testupdated.cert \
      --key-path /etc/nginx/testupdated.key \
      --key-vault-secret-id newKeyVaultSecretId
See Azure CLI Certificate Create Documentation for more details on the available parameters.
Delete a certificate
To delete a certificate, use the az nginx deployment certificate delete command:
    az nginx deployment certificate delete [--certificate-name]
                                           [--deployment-name]
                                           [--ids]
                                           [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                           [--resource-group]
                                           [--subscription]
                                           [--yes]
Example
- Delete a certificate:
    az nginx deployment certificate delete --certificate-name myCertificate \
      --deployment-name myDeployment --resource-group myResourceGroup
See Azure CLI Certificate Delete Documentation for more details on the available parameters.