N1C CSG unmanaged certificates #1597
mjang commented Dec 18, 2025
@sylwang overall, this is excellent. I plan to comment on a few details. But first, a "big picture" question. I know that you can have unmanaged certs with an instance. I'm tempted to recommend moving unmanaged-certificates.md to the content/nginx-one-console/nginx-configs/certificates directory.
mjang left a comment
Hi @sylwang, you're an excellent writer. My suggested changes mostly relate to F5 styles.
| Unmanaged certificates are SSL/TLS certificates that you install and manage manually on NGINX instances. Unlike managed certificates that are uploaded and distributed through the NGINX One Console, unmanaged certificates are installed directly on individual instances and referenced by their file paths in NGINX configuration files. You are responsible for distributing, updating, and maintaining these certificates across your infrastructure. | ||
| ###Unmanaged certificates in Config Sync Groups |
Markdown format rule (look up MD022)
| ###Unmanaged certificates in Config Sync Groups | |
| ###Unmanaged certificates in Config Sync Groups | |
| Unmanaged certificates are SSL/TLS certificates that you install and manage manually on NGINX instances. Unlike managed certificates that are uploaded and distributed through the NGINX One Console, unmanaged certificates are installed directly on individual instances and referenced by their file paths in NGINX configuration files. You are responsible for distributing, updating, and maintaining these certificates across your infrastructure. | ||
| ###Unmanaged certificates in Config Sync Groups | ||
| Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model that provides visibility without automated management. |
Moving phrase to the start of the next paragraph.
| Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model that provides visibility without automated management. | |
| Config Sync Groups (CSGs) in NGINX One Console ensure configuration consistency across connected NGINX instances. While managed certificates uploaded through the Console are automatically synchronized and tracked, unmanaged certificates follow a different model. |
| When you use unmanaged certificates in a CSG, NGINX One Console does not synchronize the certificate files themselves. However, it tracks their metadata to help you verify consistency across instances and understand the state of your certificates. | ||
| ##How unmanaged certificates work in Config Sync Groups | ||
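Review bot: the sentence "it tracks their metadata", just above the "How unmanaged certificates work in Config Sync Groups" heading, does not say which metadata the Console tracks. Since the reader is told to use it to "verify consistency across instances", list the tracked fields here or link to where they are defined.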
Suggestion (not a requirement): add an intro to the subsections that follow:
| If you have unmanaged certificates with CSGs, consider the following factors: | |
| ##Requirements for unmanaged certificates | ||
| To use unmanaged certificates effectively in Config Sync Groups, you must: |
| To use unmanaged certificates effectively in Config Sync Groups, you must: | |
| To use unmanaged certificates effectively in Config Sync Groups, you must address these issues: |
| -**User responsibility**: Take full responsibility for certificate distribution, updates, and consistency | ||
| ##Important considerations | ||
| NGINX One Console still helps you track unmanaged certificates: | |
| If certificate file paths differ between instances: | ||
| - CSG publication may fail |
Just checking. Is it CSG or certificate publication that can fail?
If it is CSG publication that can fail, I'd change current line 44 (comment added there)
| ###Synchronization limitations | ||
| -**No automated sync**: Unmanaged certificates are not synchronized by the Console | ||
| -**Manual updates**: You must manually update certificates on each instance when they expire or need rotation |
For consistency:
| -**Manual updates**:You must manuallyupdate certificateson each instance when they expire or need rotation | |
| -**Manual updates**:Certificates mustbemanuallyupdatedon each instance |
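Review bot: the replacement for the "Manual updates" bullet drops the clause "when they expire or need rotation", which is the only place in this hunk that tells the reader when a manual update is due. Consider keeping it in the passive form used for consistency: "Certificates must be manually updated on each instance when they expire or need rotation".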
| Monitor the**Config Sync Status** column. It can help you ensure that your configurations are consistently applied across all instances in a group. | ||
| ##Working with unmanaged certificates |
We avoid gerunds (-ing words) in section titles. Exception: troubleshooting
| ##Working with unmanaged certificates | |
| ##Work with unmanaged certificates |
| - Certificates are identified by their content and associated instance | ||
| - The CSG displays separate certificate entries in the configuration | ||
| If certificate file paths differ between instances: |
If it's actually CSG publication that may fail, I suggest revising this to:
| Ifcertificatefile paths differbetween instances: | |
| Ifcertificates are identical, but theirfile paths differby instance: |
| ###Certificate inconsistencies | ||
| If you see multiple entries for what should be the same certificate: |
I see you've numbered these options. In general, I number steps when users have to do them, in order.
If ordering is not required, I'd replace the numbers with bullets
mjang commented Dec 19, 2025 • edited
FYI, I'll be working Dec 22, 23, 29, 30, 31. I might be the only writer available during these days -- and I have no problem merging on my own, once we've addressed these suggestions.
Proposed changes
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identifiable information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩