NLB-7335: Add guidance for using the Azure Key Vault Secret Identifiers

rishabh-f5 · rishabh-f5 · commit 651c2143d2a6 · 2025-12-15T08:29:01.000Z
diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md
@@ -43,6 +43,11 @@ az nginx deployment certificate create --certificate-name
       --key-vault-secret-id keyVaultSecretId
    ```
 
+{{< call-out "important" >}}
+The `--key-vault-secret-id` must be the **Secret Identifier**, not the Certificate Identifier.
+To find the Secret Identifier, see [Finding the Azure Key Vault Secret Identifier]({{< ref "/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal/#finding-the-azure-key-vault-secret-identifier" >}}).
+{{< /call-out >}}
+
 See [Azure CLI Certificate Create Documentation](https://learn.microsoft.com/en-us/cli/azure/nginx/deployment/certificate#az-nginx-deployment-certificate-create) for more details on the available parameters.
 
 ## Update a certificate
diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
@@ -16,6 +16,36 @@ You can manage SSL/TSL certificates for F5 NGINXaaS for Azure (NGINXaaS) using t
 
 {{< include "/nginxaas-azure/ssl-tls-prerequisites.md" >}}
 
+## Finding the Azure Key Vault Secret Identifier {#finding-the-azure-key-vault-secret-identifier}
+
+When adding a certificate using the Azure CLI, Terraform, or ARM/Bicep templates, you need to provide the **Secret Identifier** from Azure Key Vault.
+
+{{< call-out "important" >}}
+**Use the Secret Identifier, not the Certificate Identifier.**
+
+When you create a certificate in Azure Key Vault, it creates three related objects:
+
+- A **Certificate** (with a Certificate Identifier)
+- A **Key** (for cryptographic operations)
+- A **Secret** (containing the certificate and private key as a PFX bundle)
+
+NGINXaaS requires the **Secret Identifier** to access the certificate and its private key.
+{{< /call-out >}}
+
+To find the Secret Identifier:
+
+1. Go to your Azure Key Vault in the Azure portal.
+2. Select **Certificates** from the left menu.
+3. Select the certificate you want to use.
+4. Select the current version of the certificate.
+5. Copy the **Secret Identifier** value (not the Certificate Identifier).
+
+The Secret Identifier format is:
+
+```text
+https://{vault-name}.vault.azure.net/secrets/{certificate-name}
+```
+
 ### Adding an SSL/TLS certificate
 
 Before you begin, refer Azure documentation to [Import a certificate to your Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal#import-a-certificate-to-your-key-vault).
