Fix: clarify managed v. deployed certs #291

Open
wants to merge 8 commits into
base: main
18 changes: 13 additions & 5 deletions content/nginx-one/how-to/certificates/manage-certificates.md
Expand Up @@ -131,6 +131,10 @@ You can **Add Filter** to filter certificates by:

The Export option supports exports of basic certification file information to a CSV file. It does _not_ include the content of the public certificate or the private key.

## Deployed certificates

A deployed certificate is associated a specific Instance or Config Sync Gruop. That certificate may be Managed or Unmanaged.

## Add a new certificate or bundle

To add a new certificate, select **Add Certificate**.
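
Review bot: The sentence added under "## Deployed certificates" has two typos: "is associated a specific Instance" is missing "with", and "Config Sync Gruop" should be "Config Sync Group". It also capitalizes "Managed or Unmanaged" while the sentence added in the next hunk writes "managed certificate" in lowercase, so pick one form. Since the terms are only explained further down under "## Managed and unmanaged certificates", a link to that section from this new paragraph would help readers who land here first.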
Expand All @@ -147,6 +151,8 @@ In each case, you can upload files directly, or enter the content of the certifi

- **Certificate Details**, with the Subject Name, start and end dates.
- **Key Details**, with the encryption key size and algorithm, such as RSA

If you add a certificate with NGINX One Console, you've set it up as a managed certificate.
<!-- end potential "include" -->

## Edit an existing certificate or bundle
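
Review bot: The new sentence "If you add a certificate with NGINX One Console, you've set it up as a managed certificate." sits above the `<!-- end potential "include" -->` marker, so it becomes part of the block flagged for reuse as an include. Confirm that the statement holds everywhere that block might be included, or move the sentence below the marker.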
Expand All @@ -155,22 +161,24 @@ You can modify existing certificates from the **Certificates** screen. Select th

If that certificate is already managed as part of a Config Sync Group, the changes you make affect all instances in that group.

## Remove a deployed certificate
## Remove a managed certificate

You can remove a deployed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the instance or group, but it does not delete the certificate files from the instance(s).
You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).
Contributor

Suggested change
You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).
From the configuration editor where you normally modify NGINX configuration files of an independent instance or Config Sync Group, you can click on the "delete" icon of a managed certificate object that was previously deployed to the instance or Config Sync Group. You should be able to see the file paths where it was deployed to. Deleting the managed certificate from the NGINX configuration editor will remove the certificate files from those file paths. If the certificate object is a certificate-key pair, and the private key was deployed, you could optionally choose to delete the deployed key from the independent instance or Config Sync Group, by clicking on the "delete" icon next to the private key file.

Here is a rough summary of what users could do. Feel free to change the wording and improve this paragraph further! : )

Contributor Author

Suggested change
You can remove a managed certificate from an independent instance or from a Config Sync Group. This will remove the certificate's association with the Instance or group, but it does not delete the certificate files from the Instance(s).
You can delete managed certificates in the following ways:
- Navigate to [View and edit NGINX configurations]({{< relref "/nginx-one/how-to/nginx-configs/view-edit-nginx-configurations/" >}})
- You can then delete the certificate from the Instance of your choice.
- Navigate to [Manage Config Sync Groups]({{< relref "/nginx-one/how-to/config-sync-groups/manage-config-sync-groups" >}})
- You can then delete the certificate from the Config Sync Group of your choice.
- Review the list of existing certificates
- From the **Actions** menu, you can then delete that certificate


Every instance with a deployed certificate includes paths to certificates in their configuration files. If you remove the deployed file path to one certificate, that change is limited to that one instance.
Every Instance with a certificate includes paths to certificates in their configuration files. If you remove one certificate, that change is limited to that one Instance.
Contributor

Suggested change
Every Instance with a certificate includes paths to certificates in their configuration files. If you remove one certificate, that change is limited to that one Instance.
For a managed certificate that was deployed from the console to your data plane instance, you might have chosen to reference the certificate in the NGINX configuration file, using the file paths specified in the certificate deployment. You can choose to remove those certificate references from the NGINX configuration file through the console. This will not affect the deployed certificate on your data plane instance. The certificate and private key files if deployed, will remain on the data plane instance.
If you would like to delete those certificate and private key files from your data plane, follow the instructions above and click on the "delete" icon next to those files in the NGINX configuration editor.


Every Config Sync Group also includes paths to certificates in its configuration files. If you remove the deployed path to one certificate, that change affects all instances which belong to that Config Sync Group.
Every Config Sync Group also includes paths toi _managed_ certificates in its configuration files. If you remove a managed certificate to a Config Sync Group, that change affects all Instances which belong to that Config Sync Group.

## Delete a deployed certificate
## Delete a managed certificate

To delete a certificate, find the name in the **Certificates** screen. Find the **Actions** column associated with the certificate. Select the ellipsis (`...`) and then select **Delete**. Before deleting that certificate, you should see a warning.

If that certificate is managed and is part of a Config Sync Group, that change affects all instances in that group.

{{< warning >}} Be cautious if you want to delete certificates that are being used by an instance or a Config Sync Group. Deleting such certificates leads to failure in affected NGINX deployments. {{< /warning >}}

Alternatively, if you want to keep the managed certificate, you can delete its deployment from individual Instances or Config Sync Groups.

## Managed and unmanaged certificates

If you register an instance to NGINX One Console, as described in [Add your NGINX instances to NGINX One]({{< relref "/nginx-one/getting-started.md#add-your-nginx-instances-to-nginx-one" >}}), and the associated SSL/TLS certificates:
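
Review bot: The rewritten Config Sync Group paragraph has a typo and a wrong preposition: "paths toi _managed_ certificates" should read "paths to", and "remove a managed certificate to a Config Sync Group" should read "from a Config Sync Group". The changed lines capitalize "Instance" while the unchanged paragraphs under "## Delete a managed certificate" still say "instances" and "an instance", so the section ends up mixing both forms. Renaming the two headings from "deployed" to "managed" also changes their anchors, so check for links that point at the old heading anchors.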