Add certificates using the Azure portal

You can add SSL/TLS certificates to your F5 NGINX as a Service for Azure (NGINXaaS) deployment in the following ways:

Add SSL/TLS certificates bundled with NGINXaaS configuration

  1. Upload your SSL/TLS certificate to a file path following the steps outlined in Add an NGINX configuration.

  2. Update your NGINX configuration to reference the SSL certificate you just added by the file path value.

    1. Select the NGINX configuration file from the file path list.

    2. Update the NGINX configuration to reference your SSL/TLS certificate file path.

      user nginx;
      worker_processes auto;
      worker_rlimit_nofile 8192;
      pid /run/nginx/nginx.pid;
      
      events {
         worker_connections 4000;
      }
      
      error_log /var/log/nginx/error.log error;
      
      http {
         access_log off;
         server_tokens "";
         server {
            listen 80 default_server;
            listen 443 ssl;
            ssl_certificate /etc/nginx/certs/mycert.cert;
            ssl_certificate_key /etc/nginx/certs/mycert.key;
            server_name localhost;
            location / {
                  # Points to a directory with a basic html index file with
                  # a "Welcome to NGINX as a Service for Azure!" page
                  root /var/www;
                  index index.html;
            }
         }
      }
      
  3. Select Submit to apply the new configuration.

Note:
This offers a quick method for adding SSL/TLS certificates to your NGINXaaS deployment. We recommend using SSL/TLS certificates from Azure Key Vault (AKV) for enhanced security. Refer to Add SSL/TLS certificates stored in Azure Key Vault (AKV) below.

Add SSL/TLS certificates stored in Azure Key Vault (AKV)

Prerequisites

  1. Azure Key Vault (AKV) to store certificates that you want to add to the deployment.

    Note:
    The Key Vault firewall should remain in the default “disabled” state.
  2. A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:

    • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

    • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

  3. In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have the following permissions:

    • Key Vault Reader or higher permission to view the Key Vault resource.

    • Read access to list certificates inside the Key Vault:

      • If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.

      • If using Access Policies for AKV, ensure that you have GET certificates or higher permissions.

Tip:
If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Adding an SSL/TLS certificate

Before you begin, refer to the Azure documentation on importing a certificate to your Key Vault.

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX certificates in the left menu.

  3. Select Add certificate.

  4. Provide the required information:

    Field             Description
    Name              A unique name for the certificate.
    Certificate path  This path can match one or more ssl_certificate directive file arguments in
                      your NGINX configuration. The certificate path must be unique within the
                      same deployment.
    Key path          This path can match one or more ssl_certificate_key directive file arguments
                      in your NGINX configuration. The key path must be unique within the same
                      deployment. The key path and certificate path can be the same within the
                      certificate.

    • The Select certificate button takes you to a new screen where you provide the following information:

      Field        Description
      Key vault    Select from the available key vaults.
      Certificate  Select the certificate you want to add from the previously selected key vault.

    If you need to create a new key vault or certificate, you can do so by selecting Create new key vault or Create new under the Key Vault and Certificate fields, respectively.

    Note:
    If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories the file can be written to.
    Note:
    A certificate added to an NGINXaaS for Azure deployment using the Azure portal refers to an unversioned Azure Key Vault (AKV) secret identifier. To add a certificate with a versioned AKV secret identifier, follow the steps documented for the alternative Client tools for NGINXaaS for Azure.
  5. Select Add certificate.

  6. Repeat the same steps to add as many certificates as needed.

  7. Now you can provide an NGINX configuration that references the certificate you just added by the path value.

View certificate details

  1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

  2. Select the name of the certificate from the list.

  3. View the certificate details, including the certificate path, key path, thumbprint, and the certificate’s status. This view will also show in a red box any errors that occurred during the certificate fetch process.

Edit an SSL/TLS certificate

  1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

  2. Select the checkbox next to the certificate you want to edit.

  3. Select Edit.

  4. Update the Name, Certificate path, and Key path fields as needed.

  5. Use the Select certificate option to update the Key vault and Certificate fields as needed.

  6. Select Update.

Delete an SSL/TLS certificate

  1. Go to your NGINXaaS for Azure deployment and select NGINX certificates in the left menu.

  2. Select the checkbox next to the certificate you want to delete.

  3. Select Delete.

  4. Confirm the delete action.

Warning:
Deleting an SSL/TLS certificate currently in use by the NGINXaaS for Azure deployment will cause an error.

Certificate rotation

NGINXaaS for Azure regularly polls the Azure Key Vault (AKV) to check if the certificate has been updated. If an updated certificate is found, it is automatically rotated on the deployment within 4 hours. Any change to the NGINX configuration will trigger all SSL/TLS certificates to be rotated immediately.

For Azure client tools, such as the Azure CLI or Azure Resource Manager, the certificate is referenced from AKV using its Key Vault secret identifier. If the secret identifier specifies a version, NGINXaaS will not rotate the certificate. To enable certificate rotation, ensure the secret identifier does not contain a version, for example, https://myvault.vault.azure.net/secrets/mysecret. Certificates added using the Azure portal are always rotated automatically.
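As an added example that is not part of this page or of NGINXaaS itself, the following Python audit parses the Key Vault secret identifiers your certificates reference and flags any that pin a version, since NGINXaaS will not rotate those; the certificate names, vault name and version string are constructed sample values.

```python
"""Audit NGINXaaS certificate references for Key Vault rotation eligibility."""
from urllib.parse import urlsplit

def parse_secret_id(secret_id):
    """Split an AKV secret identifier into (vault host, secret name, version);
    version is None for an unversioned id such as .../secrets/mysecret."""
    parts = urlsplit(secret_id)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https Key Vault URL: {secret_id}")
    # NGINXaaS references the *secret* identifier, so a /certificates/ or
    # /keys/ path is the wrong object type rather than a versioning issue.
    if len(segments) not in (2, 3) or segments[0] != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {secret_id}")
    version = segments[2] if len(segments) == 3 else None
    return parts.netloc, segments[1], version

def rotation_enabled(secret_id):
    """True when the identifier is unversioned, so NGINXaaS will rotate it."""
    return parse_secret_id(secret_id)[2] is None

def audit(cert_refs):
    """Return one (name, verdict, detail) tuple per (name, secret id) pair;
    verdict is "ok", "pinned" (rotation disabled) or "invalid"."""
    findings = []
    for name, secret_id in cert_refs:
        try:
            vault, secret, version = parse_secret_id(secret_id)
        except ValueError as exc:
            findings.append((name, "invalid", str(exc)))
            continue
        if version is None:
            findings.append((name, "ok", f"{secret} in {vault} is unversioned"))
        else:
            findings.append((name, "pinned", f"{secret} in {vault} pins version "
                             f"{version}; NGINXaaS will not rotate it"))
    return findings

# Constructed sample data: hypothetical certificate names, vault and version.
SAMPLE_CERTS = [
    ("web-frontend", "https://myvault.vault.azure.net/secrets/mysecret"),
    ("api-gateway", "https://myvault.vault.azure.net/secrets/mysecret/0123456789abcdef0123456789abcdef"),
    ("legacy", "https://myvault.vault.azure.net/certificates/mysecret"),
]

if __name__ == "__main__":
    for name, verdict, detail in audit(SAMPLE_CERTS):
        print(f"{name}: {verdict} ({detail})")
```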

Warning:
If any of your SSL/TLS certificates or your NGINX configuration has issues, the certificates will not be rotated.

Monitoring certificates

To view the status of your SSL/TLS certificates, enable monitoring for your NGINXaaS deployment and navigate to the Metrics tab. View the nginxaas.certificates metric under the nginxaas statistics metric namespace. The nginxaas.certificates metric allows you to filter by certificate name and the status of the certificate. The status dimension reports the health of your certificates through the following values:

Status        Description
active        The certificate was successfully fetched from AKV.
unauthorized  Azure returned a 401/403 error when fetching the certificate from AKV, which usually indicates an issue with the deployment’s Managed Identity.
not found     Azure returned a 404 error when fetching the certificate from AKV.
incompatible  An error occurred while fetching or processing the certificate from AKV.

Possible reasons for the incompatible status include:

  • Error while downloading certificate and key
  • Missing content type in certificate
  • Missing content in certificate
  • Unrecognized content type, certificate not in PEM or PKCS12 format

Interface screenshot showing the Azure metric nginxaas.certificates

What’s next

Upload an NGINX Configuration


Last modified September 3, 2024