From c00044cdecec58ad03d44f71c15b527e5c105173 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Wed, 17 Dec 2025 14:44:34 -0800 Subject: [PATCH 1/3] N1C CSG unmanaged certificates --- content/nginx-one-console/changelog.md | 6 + .../unmanaged-certificates.md | 112 ++++++++++++++++++ 2 files changed, 118 insertions(+) create mode 100644 content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md diff --git a/content/nginx-one-console/changelog.md b/content/nginx-one-console/changelog.md index f6401eeda..4cfef1acf 100644 --- a/content/nginx-one-console/changelog.md +++ b/content/nginx-one-console/changelog.md @@ -9,6 +9,12 @@ nd-docs: DOCS-1394 Stay up-to-date with what's new and improved in the F5 NGINX One Console. +## December 30, 2025 + +### Config Sync Groups: Support for unmanaged certificates + +Config Sync Groups now support unmanaged certificates. You can reference SSL/TLS certificates managed outside of NGINX One Console in your configuration files while maintaining centralized configuration synchronization across all instances in the group. + ## November 25, 2025 ### Observability: Usage metrics data now available for Config Sync Groups diff --git a/content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md b/content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md new file mode 100644 index 000000000..f3a44d416 --- /dev/null +++ b/content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md 
@@ -0,0 +1,112 @@ +--- +nd-content-type: concept +nd-docs: DOCS-000 +nd-product: NONECO +title: Unmanaged certificates in Config Sync Groups +toc: true +weight: 500 +--- + +## Overview + +Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model that provides visibility without automated management. + +Unmanaged certificates are not uploaded to the NGINX One Console. Instead, they are manually installed on individual instances and referenced directly in NGINX configuration files by their file paths. Although NGINX One does not synchronize unmanaged certificates, it tracks their metadata to help you verify consistency across instances. + +## How unmanaged certificates work in Config Sync Groups + +### Certificate tracking and visibility + +When you use unmanaged certificates in a Config Sync Group: + +- The NGINX Agent collects certificate metadata from each instance +- The Console displays unmanaged certificates based on their file paths and metadata +- Certificate consistency is determined by comparing certificate contents and file paths across instances + +### Consistent certificates + +When all instances in a CSG reference identical certificate files with the same file paths: + +- Their contents and metadata match across all instances +- The CSG displays a single unmanaged certificate entry for that file path + +### Inconsistent certificates + +If certificate contents differ between instances, even when file paths are the same: + +- Each unique certificate appears as a separate unmanaged entry in the Console +- Certificates are identified by their content and associated instance +- The CSG displays separate certificate entries in the configuration + +If certificate file paths differ between instances: + +- CSG publication may fail +- The CSG configuration will 
be out of sync +- Instances may not receive proper configuration updates + +## Requirements for unmanaged certificates + +To use unmanaged certificates effectively in Config Sync Groups, you must: + +- **Manual installation**: Install certificates manually on each NGINX instance in the CSG +- **Identical file paths**: Ensure that file paths referencing unmanaged certificates are identical across all instances +- **Content consistency**: Maintain identical certificate file contents across all instances to ensure proper tracking +- **User responsibility**: Take full responsibility for certificate distribution, updates, and consistency + +## Important considerations + +### Certificate tracking + +- The NGINX One Console tracks unmanaged certificates by their content and file paths +- When certificates are consistent across all instances, their contents and metadata match, and a single consolidated entry appears in the CSG +- If certificate content differs between instances, multiple unique unmanaged certificates are displayed as separate entries + +### Synchronization limitations + +- **No automated sync**: Unmanaged certificates are not synchronized by the Console +- **Manual updates**: You must manually update certificates on each instance when they expire or need rotation +- **No validation**: The Console does not perform validation or rotation logic for unmanaged certificates + +### Configuration options + +If you don't want metadata tracking for unmanaged certificates, you can configure the NGINX Agent to ignore certificate directories using the `allowed_directories` setting. + +## Best practices + +### Converting to managed certificates + +To maintain consistent visibility and automated management across CSGs, consider converting unmanaged certificates to managed certificates by: + +1. Uploading them through the NGINX One Console +2. Leveraging the managed certificate solution for automated synchronization +3. 
Taking advantage of centralized certificate management features + +## Troubleshooting + +### Certificate inconsistencies + +If you see multiple entries for what should be the same certificate: + +1. Verify that file paths are identical across all instances +2. Check that certificate file contents match across all instances +3. Ensure certificates were installed correctly on all instances +4. Review NGINX Agent logs for any collection issues + +If CSG publication is failing or configurations are out of sync: + +1. Confirm that all certificate file paths are identical across instances +2. Verify that referenced certificate files exist on all instances +3. Check NGINX configuration syntax for certificate references + +### Visibility issues + +If unmanaged certificates aren't appearing in the Console: + +1. Confirm that the NGINX Agent is running and connected +2. Check that certificate directories are not excluded by `allowed_directories` settings +3. Verify that NGINX configuration files correctly reference the certificate paths + +## Related topics + +- [Manage Config Sync Groups]({{< ref "manage-config-sync-groups.md" >}}) +- [Add a file to a Config Sync Group]({{< ref "add-file-csg.md" >}}) \ No newline at end of file From 612db838d6dd37c0601954a4e74b7f34d7620d03 Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Thu, 18 Dec 2025 17:48:31 -0800 Subject: [PATCH 2/3] move csg-unmanaged-certificates doc under certificates section --- .../csg-unmanaged-certificates.md} | 7 +++++-- .../config-sync-groups/manage-config-sync-groups.md | 13 +++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) rename content/nginx-one-console/nginx-configs/{config-sync-groups/unmanaged-certificates.md => certificates/csg-unmanaged-certificates.md} (86%) 
diff --git a/content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md b/content/nginx-one-console/nginx-configs/certificates/csg-unmanaged-certificates.md similarity index 86% rename from content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md rename to content/nginx-one-console/nginx-configs/certificates/csg-unmanaged-certificates.md index f3a44d416..ef0b4c43d 100644 --- a/content/nginx-one-console/nginx-configs/config-sync-groups/unmanaged-certificates.md +++ b/content/nginx-one-console/nginx-configs/certificates/csg-unmanaged-certificates.md 
@@ -4,14 +4,17 @@ nd-docs: DOCS-000 nd-product: NONECO title: Unmanaged certificates in Config Sync Groups toc: true -weight: 500 +weight: 200 --- ## Overview +Unmanaged certificates are SSL/TLS certificates that you install and manage manually on NGINX instances. Unlike managed certificates that are uploaded and distributed through the NGINX One Console, unmanaged certificates are installed directly on individual instances and referenced by their file paths in NGINX configuration files. You are responsible for distributing, updating, and maintaining these certificates across your infrastructure. + +### Unmanaged certificates in Config Sync Groups Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model that provides visibility without automated management. -Unmanaged certificates are not uploaded to the NGINX One Console. Instead, they are manually installed on individual instances and referenced directly in NGINX configuration files by their file paths. Although NGINX One does not synchronize unmanaged certificates, it tracks their metadata to help you verify consistency across instances. +When you use unmanaged certificates in a CSG, NGINX One Console does not synchronize the certificate files themselves. However, it tracks their metadata to help you verify consistency across instances and understand the state of your certificates. ## How unmanaged certificates work in Config Sync Groups diff --git a/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md b/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md index d375bafdc..6e4c7caf5 100644 --- a/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md 
+++ b/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md @@ -329,6 +329,19 @@ The **Config Sync Status** column on the **Config Sync Groups** page provides in Monitor the **Config Sync Status** column. It can help you ensure that your configurations are consistently applied across all instances in a group. +## Working with unmanaged certificates + +Config Sync Groups can work with both managed and unmanaged certificates. While managed certificates are uploaded through the NGINX One Console and automatically synchronized across instances, unmanaged certificates require manual installation and management. + +When using unmanaged certificates in Config Sync Groups: + +- **Manual distribution**: You must manually install certificates on each instance in the group +- **Consistent file paths**: Certificate file paths must be identical across all instances for proper synchronization +- **Visibility without management**: NGINX One tracks unmanaged certificate metadata to help you verify consistency, but does not synchronize the certificates themselves +- **Status impact**: Inconsistent certificate file paths or missing certificates can affect the Config Sync Group status + +For detailed information about how unmanaged certificates work in Config Sync Groups, including requirements, best practices, and troubleshooting, see [Unmanaged certificates in Config Sync Groups]({{< ref "/nginx-one-console/certificates/csg-unmanaged-certificates.md" >}}). + ## See also - [Create and manage data plane keys]({{< ref "/nginx-one-console/connect-instances/create-manage-data-plane-keys.md" >}}) From 15c38adbf48e30cb6644ee54e61bd465db35e24e Mon Sep 17 00:00:00 2001 From: Sylvia Wang Date: Thu, 18 Dec 2025 22:50:12 -0800 Subject: [PATCH 3/3] update doc ref for csg unmanaged cert --- .../config-sync-groups/manage-config-sync-groups.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md b/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md index 6e4c7caf5..0be279854 100644 --- a/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md +++ b/content/nginx-one-console/nginx-configs/config-sync-groups/manage-config-sync-groups.md @@ -340,7 +340,7 @@ When using unmanaged certificates in Config Sync Groups: - **Visibility without management**: NGINX One tracks unmanaged certificate metadata to help you verify consistency, but does not synchronize the certificates themselves - **Status impact**: Inconsistent certificate file paths or missing certificates can affect the Config Sync Group status -For detailed information about how unmanaged certificates work in Config Sync Groups, including requirements, best practices, and troubleshooting, see [Unmanaged certificates in Config Sync Groups]({{< ref "/nginx-one-console/certificates/csg-unmanaged-certificates.md" >}}). +For detailed information about how unmanaged certificates work in Config Sync Groups, including requirements, best practices, and troubleshooting, see [Unmanaged certificates in Config Sync Groups]({{< ref "/nginx-one-console/nginx-configs/certificates/csg-unmanaged-certificates.md" >}}). ## See also
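Review bot: In the `changelog.md` hunk of patch 1/3, the new `## December 30, 2025` entry does not link to the page this series adds, so a changelog reader has no path to the constraints that page sets out (manual installation on every instance, identical file paths, no automated sync). End the entry with a ref to the unmanaged certificates page, using its final path from patch 3/3. The heading date is also later than the commit dates in this series (17 and 18 December 2025), so confirm it matches the planned release date.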
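Review bot: In the new `unmanaged-certificates.md` of patch 1/3, the "Configuration options" section says the Agent can "ignore certificate directories using the `allowed_directories` setting" without saying how, while the "Visibility issues" steps talk about directories being "excluded by" the same setting. The name reads as an allow-list, so state explicitly that tracking stops when the certificate directory is left out of `allowed_directories`, and keep the wording the same in both sections. The page also says the Agent "collects certificate metadata" without naming the fields or saying whether private key files in the same directory are read; list what is collected so operators can decide whether to expose those directories. Smaller points: the front matter still has the placeholder `nd-docs: DOCS-000`, items 2 and 3 under "Converting to managed certificates" are benefits rather than steps, the "Certificate tracking" bullets repeat the "Consistent certificates" and "Inconsistent certificates" sections, and the file ends without a trailing newline.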
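Review bot: In the rename hunk of patch 2/3 for `csg-unmanaged-certificates.md`, only the front matter and Overview change, so the "Related topics" refs at the end of the file stay as the bare filenames `manage-config-sync-groups.md` and `add-file-csg.md` that were written when the page lived in `config-sync-groups/`. Now that the page sits under `certificates/`, give them full paths in the same form as the ref added to `manage-config-sync-groups.md`, so they do not depend on filename lookup. The new `### Unmanaged certificates in Config Sync Groups` subheading also repeats the page `title` word for word; a more specific heading would help the table of contents.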
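Review bot: In the `manage-config-sync-groups.md` hunk of patch 2/3, the "Consistent file paths" bullet says paths must be identical "for proper synchronization", but the next bullet says NGINX One "does not synchronize the certificates themselves", so a reader cannot tell what is being synchronized. Reword the first bullet to name the configuration, for example that identical paths are needed for the group's configuration to publish to every instance. The "Status impact" bullet says mismatches "can affect" the status; the new certificates page is more specific (publication may fail and the group will be out of sync), and this summary should say the same.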
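Review bot: Patch 3/3 only corrects the ref that patch 2/3 introduced, from `/nginx-one-console/certificates/...` to `/nginx-one-console/nginx-configs/certificates/...`, which means the tree at patch 2/3 carries a ref that does not match the rename destination in that same commit. Squash this change into patch 2/3 so every commit in the series builds with working refs.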