Add certificates using the Azure portal

You can add SSL/TLS certificates to your F5 NGINX as a Service for Azure (NGINXaaS) deployment in the following ways:

Add SSL/TLS certificates bundled with NGINXaaS configuration


  1. Upload your SSL/TLS certificate to a file path following the steps outlined in Add an NGINX configuration.

  2. Update your NGINX configuration to reference the SSL certificate you just added by the file path value.

    1. Select the NGINX configuration file from the file path list.

    2. Update the NGINX configuration to reference your SSL/TLS certificate file path.

      user nginx;
      worker_processes auto;
      worker_rlimit_nofile 8192;
      pid /run/nginx/nginx.pid;
      
      events {
         worker_connections 4000;
      }
      
      error_log /var/log/nginx/error.log error;
      
      http {
         access_log off;
         server_tokens "";
         server {
            listen 80 default_server;
            listen 443 ssl;
            ssl_certificate /etc/nginx/certs/mycert.cert;
            ssl_certificate_key /etc/nginx/certs/mycert.key;
            server_name localhost;
            location / {
                  # Points to a directory with a basic html index file with
                  # a "Welcome to NGINX as a Service for Azure!" page
                  root /var/www;
                  index index.html;
            }
         }
      }
      
  3. Select Submit to apply the new configuration.

Note:
This offers a quick method for adding SSL/TLS certificates to your NGINXaaS deployment. We recommend using SSL/TLS certificates from Azure Key Vault (AKV) for enhanced security. Refer to Add SSL/TLS certificates stored in Azure Key Vault (AKV).

Add SSL/TLS certificates stored in Azure Key Vault (AKV)

Prerequisites

  • AKV to store certificates that you want to add to the deployment.
Note:
The Key Vault firewall should remain in the default “disabled” state.
  • A user or system assigned identity associated with your NGINXaaS deployment. Ensure that your managed identity (MI) has read access to secrets stored in AKV:

    • If using Azure RBAC for AKV, ensure that your MI has Key Vault Secrets User or higher permissions.

    • If using Access Policies for AKV, ensure that your MI has GET secrets or higher permissions.

  • In addition to the MI permissions, if using the Azure portal to manage certificates, ensure that you have the following permissions:

    • Key Vault Reader or higher permission to view the Key Vault resource.

    • Read access to list certificates inside the Key Vault:

      • If using Azure RBAC for AKV, ensure that you have Key Vault Reader or higher permissions.

      • If using Access Policies for AKV, ensure that you have GET certificates or higher permissions.

  • If you’re unfamiliar with Azure Key Vault, check out the Azure Key Vault concepts documentation from Microsoft.

Adding an SSL/TLS certificate

Before you begin, refer to the Azure documentation to import a certificate into your Key Vault.

  1. Go to your NGINXaaS for Azure deployment.

  2. Select NGINX certificates in the left menu.

  3. Select Add certificate.

  4. Provide the required information:

    Field             Description
    Name              A unique name for the certificate.
    Certificate path  This path must match one or more ssl_certificate directive file arguments in your NGINX configuration.
                      The certificate path must be unique between certificates within the same deployment.
    Key path          This path must match one or more ssl_certificate_key directive file arguments in your NGINX configuration.
                      The key path must be unique between certificates within the same deployment.
                      The key path and certificate path can be the same within the certificate.
    Key vault         Select from the available key vaults.
    Certificate name  Select the certificate you want to add from the previously selected key vault.
Note:
If specifying an absolute file path as the Certificate path or Key path, see the NGINX Filesystem Restrictions table for the allowed directories an Auxiliary file can be written to.
Note:
A certificate added to an NGINXaaS for Azure deployment using the Azure Portal refers to an unversioned Azure Key Vault (AKV) secret identifier. To add a certificate with a versioned AKV secret identifier, follow the documented steps with alternative Client tools for NGINXaaS for Azure.
  5. Once you save the certificate, the status changes from In Progress to Succeeded.

  6. Repeat the same steps to add as many certificates as needed.

  7. Now you can provide an NGINX configuration that references the certificate you just added by the path value.
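The Certificate path and Key path rules from the table above (each path must match an ssl_certificate or ssl_certificate_key argument, paths must be unique across certificates, and one certificate may use the same path for both) are easy to get wrong when a configuration has several server blocks. The following Python script is an added example, not NGINXaaS tooling: it extracts the ssl_certificate and ssl_certificate_key arguments from a configuration and cross-checks them against a list of certificate entries. The configuration text, the CertEntry class and the certificate entries are all constructed for the example; the first server block mirrors the configuration shown earlier on this page.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    """One NGINXaaS certificate entry as registered via Add certificate (constructed)."""
    name: str
    certificate_path: str
    key_path: str


# Constructed NGINX configuration. The first server block mirrors the one on this
# page; the other two exist only to exercise the checks below.
NGINX_CONF = """
http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/mycert.cert;
        ssl_certificate_key /etc/nginx/certs/mycert.key;
        server_name localhost;
    }
    server {
        listen 443 ssl;
        # certificate and key may share one path when the file bundles both
        ssl_certificate     /etc/nginx/certs/api.pem;
        ssl_certificate_key /etc/nginx/certs/api.pem;
        server_name api.example.test;
    }
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/missing.crt;  # no entry registered
        ssl_certificate_key /etc/nginx/certs/missing.key;
        server_name missing.example.test;
    }
}
"""

# Constructed certificate entries. "old" reuses the key path of "web", which the
# uniqueness rule forbids, and its certificate path is referenced nowhere.
ENTRIES = [
    CertEntry("web", "/etc/nginx/certs/mycert.cert", "/etc/nginx/certs/mycert.key"),
    CertEntry("api", "/etc/nginx/certs/api.pem", "/etc/nginx/certs/api.pem"),
    CertEntry("old", "/etc/nginx/certs/old.cert", "/etc/nginx/certs/mycert.key"),
]

# A directive at line start with one file argument. Commented-out lines do not
# match because '#' precedes the directive name.
DIRECTIVE_RE = re.compile(
    r"^\s*(ssl_certificate_key|ssl_certificate)\s+([^;\s]+)\s*;", re.MULTILINE
)


def referenced_paths(conf: str) -> dict:
    """Return {directive: set(paths)} for the two TLS file directives in conf."""
    refs = {"ssl_certificate": set(), "ssl_certificate_key": set()}
    for directive, path in DIRECTIVE_RE.findall(conf):
        refs[directive].add(path)
    return refs


def validate(conf: str, entries: list) -> list:
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    # Rule: certificate paths and key paths are unique across entries.
    for field in ("certificate_path", "key_path"):
        owners = {}
        for e in entries:
            owners.setdefault(getattr(e, field), []).append(e.name)
        for path, names in sorted(owners.items()):
            if len(names) > 1:
                findings.append(
                    f"{field.replace('_', ' ')} {path} is shared by certificates "
                    f"{', '.join(sorted(names))}"
                )
    refs = referenced_paths(conf)
    cert_paths = {e.certificate_path for e in entries}
    key_paths = {e.key_path for e in entries}
    # Rule: every directive argument must match a registered path.
    for path in sorted(refs["ssl_certificate"] - cert_paths):
        findings.append(f"ssl_certificate {path} has no matching certificate entry")
    for path in sorted(refs["ssl_certificate_key"] - key_paths):
        findings.append(f"ssl_certificate_key {path} has no matching certificate entry")
    # Informational: registered certificates the configuration never uses.
    for e in entries:
        if e.certificate_path not in refs["ssl_certificate"]:
            findings.append(
                f"certificate '{e.name}' is not referenced by any ssl_certificate directive"
            )
    return findings


if __name__ == "__main__":
    for finding in validate(NGINX_CONF, ENTRIES):
        print(finding)
```

Run it before selecting Submit: a configuration that references a path with no certificate entry, or two entries that share a key path, is reported here instead of failing on the deployment.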

Deleting an SSL/TLS certificate

  1. Select the certificate.

  2. Select Delete.

  3. Confirm the delete action.

Warning:
Deleting a TLS/SSL certificate currently in use by the NGINXaaS for Azure deployment will cause an error.

Certificate rotation

NGINXaaS for Azure regularly polls the Azure Key Vault (AKV) to check if the certificate has been updated. If an updated certificate is found, it is automatically rotated on the deployment within 4 hours. Any change to the NGINX configuration will trigger all SSL/TLS certificates to be rotated immediately.

For Azure client tools, such as the Azure CLI or Azure Resource Manager, the certificate is referenced from AKV using its Key Vault secret identifier. If the secret identifier specifies a version, NGINXaaS will not rotate the certificate. To enable certificate rotation, ensure the secret identifier does not contain a version, for example, https://myvault.vault.azure.net/secrets/mysecret. Certificates added using the Azure Portal will automatically be rotated.

Warning:
If any of your SSL/TLS certificates or your NGINX configuration has issues, the certificates will not be rotated.
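Whether a certificate added through the CLI or Resource Manager will rotate depends only on whether its secret identifier carries a version segment. The following Python functions are an added example, not part of NGINXaaS or the Azure SDK: they split a Key Vault secret identifier into vault host, secret name and optional version, report which certificates will not rotate, and produce the unversioned identifier to use instead. The certificate names, vault name and version string are constructed.

```python
from urllib.parse import urlsplit


def parse_secret_id(secret_id: str) -> dict:
    """Split a Key Vault secret identifier into its parts.

    Accepted shapes (constructed examples):
      https://myvault.vault.azure.net/secrets/mysecret            -> unversioned
      https://myvault.vault.azure.net/secrets/mysecret/<version>  -> versioned
    A certificate identifier (/certificates/...) is rejected because NGINXaaS
    references the certificate through its secret identifier.
    """
    parts = urlsplit(secret_id.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https URL: {secret_id!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0].lower() != "secrets":
        raise ValueError(f"not a Key Vault secret identifier: {secret_id!r}")
    return {
        "vault": parts.netloc.lower(),
        "name": segments[1],
        "version": segments[2] if len(segments) == 3 else None,
    }


def rotation_enabled(secret_id: str) -> bool:
    """True when the identifier is unversioned, so NGINXaaS will pick up new versions."""
    return parse_secret_id(secret_id)["version"] is None


def unversioned(secret_id: str) -> str:
    """Return the same identifier with any version segment removed."""
    info = parse_secret_id(secret_id)
    return f"https://{info['vault']}/secrets/{info['name']}"


def rotation_report(certs: dict) -> dict:
    """Map certificate name -> corrected secret id for every entry that will not rotate."""
    return {
        name: unversioned(sid) for name, sid in certs.items() if not rotation_enabled(sid)
    }


# Constructed inventory: name -> secret identifier as passed to the client tool.
CERTS = {
    "web": "https://myvault.vault.azure.net/secrets/web-cert",
    "api": "https://myvault.vault.azure.net/secrets/api-cert/0123456789abcdef0123456789abcdef",
}

if __name__ == "__main__":
    for name, fixed in rotation_report(CERTS).items():
        print(f"{name}: pinned to a version, will not rotate; use {fixed}")
```

The 32-character version string above is a placeholder in the shape Key Vault uses, not a real version.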

Monitoring certificates

To view the status of your SSL/TLS certificates, enable monitoring for your NGINXaaS deployment and navigate to the Metrics tab. View the nginxaas.certificates metric under the nginxaas statistics metric namespace. The nginxaas.certificates metric allows you to filter by certificate name and the status of the certificate. The status dimension reports the health of your certificates through the following values:

Status        Description
active        The certificate was successfully fetched from AKV.
unauthorized  Azure returned a 401/403 error when fetching the certificate from AKV, which usually indicates an issue with the deployment’s Managed Identity.
not found     Azure returned a 404 error when fetching the certificate from AKV.
incompatible  An error occurred while fetching or processing the certificate from AKV.

The possible reasons include:

  • Error while downloading certificate and key
  • Missing content type in certificate
  • Missing content in certificate
  • Unrecognized content type, certificate not in PEM or PKCS12 format
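The status dimension is most useful when it is evaluated continuously rather than read off a chart. The following Python snippet is an added example, not NGINXaaS tooling: given a series of nginxaas.certificates samples split by certificate name and status, it keeps the most recent status per certificate and raises an alert for every certificate that is not active, or that is expected but reports no sample at all, with guidance taken from the status table above. The sample records, their timestamps and the certificate names are constructed; the shape of an exported metric record is an assumption of the example.

```python
from datetime import datetime

# Guidance per non-active status, following the status table on this page.
GUIDANCE = {
    "unauthorized": "401/403 from AKV: check the deployment's managed identity has secret read access",
    "not found": "404 from AKV: check the key vault and secret name; the secret may have been deleted",
    "incompatible": "certificate could not be fetched or processed: check it has content and a content type, and is PEM or PKCS12",
}

# Constructed nginxaas.certificates samples: one record per (name, status) per poll.
# The record layout (time/name/status/value) is an assumption for the example.
SAMPLES = [
    {"time": "2024-05-01T10:00:00Z", "name": "web", "status": "active", "value": 1},
    {"time": "2024-05-01T10:00:00Z", "name": "api", "status": "active", "value": 1},
    {"time": "2024-05-01T11:00:00Z", "name": "web", "status": "active", "value": 1},
    {"time": "2024-05-01T11:00:00Z", "name": "api", "status": "unauthorized", "value": 1},
    {"time": "2024-05-01T11:00:00Z", "name": "legacy", "status": "incompatible", "value": 1},
    # A zero-valued record means that status does not currently apply.
    {"time": "2024-05-01T11:00:00Z", "name": "legacy", "status": "active", "value": 0},
]


def latest_status(samples: list) -> dict:
    """Return {certificate name: status} using the newest non-zero sample per name."""
    latest = {}
    for s in samples:
        if not s["value"]:
            continue
        t = datetime.fromisoformat(s["time"].replace("Z", "+00:00"))
        if s["name"] not in latest or t > latest[s["name"]][0]:
            latest[s["name"]] = (t, s["status"])
    return {name: status for name, (_, status) in latest.items()}


def certificate_alerts(samples: list, expected_names: set) -> dict:
    """Return {certificate name: alert text} for unhealthy or missing certificates."""
    status = latest_status(samples)
    alerts = {}
    for name in sorted(expected_names | set(status)):
        if name not in status:
            alerts[name] = "no nginxaas.certificates sample reported for this certificate"
        elif status[name] != "active":
            alerts[name] = f"{status[name]}: {GUIDANCE.get(status[name], 'unknown status')}"
    return alerts


if __name__ == "__main__":
    for name, text in certificate_alerts(SAMPLES, {"web", "api", "legacy", "staging"}).items():
        print(f"ALERT {name}: {text}")
```

Feed it the metric export for the last polling window and page on any non-empty result; a certificate that stays unauthorized or not found after a configuration change is also one that, per the rotation warning above, will not be rotated.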

Interface screenshot showing the Azure metric nginxaas.certificates

What’s next

Upload an NGINX Configuration