From 651c2143d2a652f144fad8aed791b15ae05ee693 Mon Sep 17 00:00:00 2001 From: Rishabh Rana Date: Mon, 15 Dec 2025 08:29:01 +0000 Subject: [PATCH 1/3] NLB-7335: Add guidance for using the Azure Key Vault Secret Identifiers --- .../ssl-tls-certificates-azure-cli.md | 5 ++++ .../ssl-tls-certificates-portal.md | 30 +++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md index 408f5df05..f201a6679 100644 --- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md +++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-azure-cli.md @@ -43,6 +43,11 @@ az nginx deployment certificate create --certificate-name --key-vault-secret-id keyVaultSecretId ``` +{{< call-out "important" >}} +The `--key-vault-secret-id` must be the **Secret Identifier**, not the Certificate Identifier. +To find the Secret Identifier, see [Finding the Azure Key Vault Secret Identifier]({{< ref "/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal/#finding-the-azure-key-vault-secret-identifier" >}}). +{{< /call-out >}} + See [Azure CLI Certificate Create Documentation](https://learn.microsoft.com/en-us/cli/azure/nginx/deployment/certificate#az-nginx-deployment-certificate-create) for more details on the available parameters. ## Update a certificate diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md index c85a0bb79..80dd0f350 100644 --- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md +++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md 
@@ -16,6 +16,36 @@ You can manage SSL/TSL certificates for F5 NGINXaaS for Azure (NGINXaaS) using t
 {{< include "/nginxaas-azure/ssl-tls-prerequisites.md" >}}
+## Finding the Azure Key Vault Secret Identifier {#finding-the-azure-key-vault-secret-identifier}
+
+When adding a certificate using the Azure CLI, Terraform, or ARM/Bicep templates, you need to provide the **Secret Identifier** from Azure Key Vault.
+
+{{< call-out "important" >}}
+**Use the Secret Identifier, not the Certificate Identifier.**
+
+When you create a certificate in Azure Key Vault, it creates three related objects:
+
+- A **Certificate** (with a Certificate Identifier)
+- A **Key** (for cryptographic operations)
+- A **Secret** (containing the certificate and private key as a PFX bundle)
+
+NGINXaaS requires the **Secret Identifier** to access the certificate and its private key.
+{{< /call-out >}}
+
+To find the Secret Identifier:
+
+1. Go to your Azure Key Vault in the Azure portal.
+2. Select **Certificates** from the left menu.
+3. Select the certificate you want to use.
+4. Select the current version of the certificate.
+5. Copy the **Secret Identifier** value (not the Certificate Identifier).
+
+The Secret Identifier format is:
+
+```text
+https://{vault-name}.vault.azure.net/secrets/{certificate-name}
+```
+
 ### Adding an SSL/TLS certificate
 Before you begin, refer Azure documentation to [Import a certificate to your Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-import-certificate?tabs=azure-portal#import-a-certificate-to-your-key-vault).
From 442b68c54fb4aeae0fc56b7d6df911d63e600fe5 Mon Sep 17 00:00:00 2001
From: Rishabh Rana
Date: Mon, 15 Dec 2025 10:21:30 +0000
Subject: [PATCH 2/3] NLB-7335: remove anchor from heading
---
 .../ssl-tls-certificates-portal.md | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
index 80dd0f350..fbdb12064 100644
--- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
+++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
@@ -16,7 +16,7 @@ You can manage SSL/TSL certificates for F5 NGINXaaS for Azure (NGINXaaS) using t
 {{< include "/nginxaas-azure/ssl-tls-prerequisites.md" >}}
-## Finding the Azure Key Vault Secret Identifier {#finding-the-azure-key-vault-secret-identifier}
+## Finding the Azure Key Vault Secret Identifier
 When adding a certificate using the Azure CLI, Terraform, or ARM/Bicep templates, you need to provide the **Secret Identifier** from Azure Key Vault.
@@ -35,10 +35,10 @@ NGINXaaS requires the **Secret Identifier** to access the certificate and its pr
 To find the Secret Identifier:
 1. Go to your Azure Key Vault in the Azure portal.
-2. Select **Certificates** from the left menu.
-3. Select the certificate you want to use.
-4. Select the current version of the certificate.
-5. Copy the **Secret Identifier** value (not the Certificate Identifier).
+1. Select **Certificates** from the left menu.
+1. Select the certificate you want to use.
+1. Select the current version of the certificate.
+1. Copy the **Secret Identifier** value (not the Certificate Identifier).
 The Secret Identifier format is:
From b5366cee403a7683ac23a8439f6188f6efdf1ace Mon Sep 17 00:00:00 2001
From: Rishabh Rana
Date: Mon, 15 Dec 2025 17:43:32 +0000
Subject: [PATCH 3/3] NLB-7335: remove azure key vault objects
---
 .../ssl-tls-certificates/ssl-tls-certificates-portal.md | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
index fbdb12064..ba27b7439 100644
--- a/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
+++ b/content/nginxaas-azure/getting-started/ssl-tls-certificates/ssl-tls-certificates-portal.md
@@ -23,12 +23,6 @@ When adding a certificate using the Azure CLI, Terraform, or ARM/Bicep templates
 {{< call-out "important" >}}
 **Use the Secret Identifier, not the Certificate Identifier.**
-When you create a certificate in Azure Key Vault, it creates three related objects:
-
-- A **Certificate** (with a Certificate Identifier)
-- A **Key** (for cryptographic operations)
-- A **Secret** (containing the certificate and private key as a PFX bundle)
-
 NGINXaaS requires the **Secret Identifier** to access the certificate and its private key.
 {{< /call-out >}}