Add certificates using the Azure CLI

You can use Azure Key Vault (AKV) to store SSL/TLS certificates and keys to use in your F5 NGINX as a Service for Azure (NGINXaaS) configuration.

Prerequisites

  • AKV to store certificates that you want to add to the deployment.
Note:
The Key Vault firewall should remain in the default “disabled” state.
  • A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:

    • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

    • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

  • In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have the following permissions:

    • Read access to list certificates inside the Key Vault:

      • If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.

      • If using Access Policies for AKV, ensure that you have LIST certificates or higher permissions.

  • If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

  • Confirm that you meet the NGINXaaS Prerequisites.

  • Install Azure CLI version 2.59.0 or greater: Azure CLI Installation.

  • Log into your Azure account through the CLI: Azure CLI Authentication.

  • Install the NGINXaaS for Azure extension:

    Note:
    The extension will automatically install the first time you run an az nginx command.
    az extension add --name nginx
    
See Also:
See the NGINXaaS for Azure CLI reference for a complete list of NGINXaaS CLI commands.

Create a certificate

Create a certificate under a deployment. This references an existing certificate in an Azure Key Vault and makes it available to NGINX configuration

To create a certificate, use the az nginx deployment certificate create command:

az nginx deployment certificate create --certificate-name
                                       --deployment-name
                                       --resource-group
                                       [--certificate-path]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]

Example

  • Create a certificate with a certificate path, key path, and key vault secret ID:

    az nginx deployment certificate create --certificate-name myCertificate \
       --deployment-name myDeployment --resource-group myResourceGroup \
       --certificate-path /etc/nginx/test.cert --key-path /etc/nginx/test.key \
       --key-vault-secret-id keyVaultSecretId
    

See Azure CLI Certificate Create Documentation for more details on the available parameters.

Update a certificate

To update a certificate, use the az nginx deployment certificate update command:

az nginx deployment certificate update [--add]
                                       [--certificate-name]
                                       [--certificate-path]
                                       [--deployment-name]
                                       [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--ids]
                                       [--key-path]
                                       [--key-vault-secret-id]
                                       [--location]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--remove]
                                       [--resource-group]
                                       [--set]
                                       [--subscription]

Example

  • Update the certificate virtual path, key virtual path and certificate:

    az nginx deployment certificate update --certificate-name myCertificate \
       --deployment-name myDeployment --resource-group myResourceGroup \
       --certificate-path /etc/nginx/testupdated.cert \
       --key-path /etc/nginx/testupdated.key \
       --key-vault-secret-id newKeyVaultSecretId
    

See Azure CLI Certificate Create Documentation for more details on the available parameters.

Delete a certificate

To delete a certificate, use the az nginx deployment certificate delete command:

az nginx deployment certificate delete [--certificate-name]
                                       [--deployment-name]
                                       [--ids]
                                       [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                       [--resource-group]
                                       [--subscription]
                                       [--yes]

Example

  • Delete a certificate:

    az nginx deployment certificate delete --certificate-name myCertificate \
       --deployment-name myDeployment --resource-group myResourceGroup
    

See Azure CLI Certificate Delete Documentation for more details on the available parameters.


Last modified June 4, 2024