According to Azure Service Fabric security best practices I should use a self-signed certificate for test clusters, but not for production clusters.
Service Fabric clusters are created in the cluster.region.cloudapp.azure.com subdomain. I am assuming there is no way to get a TLS certificate for that domain signed by a proper CA (because cloudapp.azure.com belongs to Microsoft).
Azure can generate only a self-signed certificate for that domain, but that is against best practices. As I understand it, the only way to follow best practices is to have a custom domain for the Service Fabric cluster (like sfcluster.mydomain.com) and to buy a certificate for it.
Is that correct?
The situation with client certificates is unclear to me as well. Is it wrong to use self-signed client certificates too?
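The distinction the question turns on (a self-signed certificate issued for the cluster's cloudapp.azure.com name versus one that chains to a trusted CA) can be checked mechanically. The script below is an added example, not part of the original post: it builds a self-signed certificate for a constructed test-cluster FQDN, then runs the three checks worth applying to any cluster certificate before it is trusted: is it self-signed, does it chain to a CA the host already trusts, and does it actually cover the endpoint name clients connect to. It assumes an OpenSSL 1.1.1 or newer binary on PATH; the cluster name is made up.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes OpenSSL >= 1.1.1 (for -addext).
set -e

# Constructed test-cluster endpoint name; production clusters would use a custom domain.
CLUSTER_FQDN="sfcluster-test.westeurope.cloudapp.azure.com"
WORK="$(mktemp -d)"

# Build a self-signed server certificate whose SAN matches the cluster endpoint.
# This is what a test cluster typically runs with.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/cluster.key" -out "$WORK/cluster.pem" \
    -subj "/CN=$CLUSTER_FQDN" \
    -addext "subjectAltName=DNS:$CLUSTER_FQDN" >/dev/null 2>&1
  echo "$WORK/cluster.pem"
}

# Check 1: a certificate is self-signed when its issuer DN equals its subject DN.
is_self_signed() {
  subj="$(openssl x509 -in "$1" -noout -subject)"
  iss="$(openssl x509 -in "$1" -noout -issuer)"
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Check 2: does it chain to a CA in the host's trust store? A self-signed
# certificate never does, which is why it is unsuitable for a production endpoint.
chains_to_trusted_ca() {
  openssl verify "$1" >/dev/null 2>&1 && echo yes || echo no
}

# Check 3: does the certificate cover the hostname clients will connect to?
covers_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
    | grep -q "does match" && echo yes || echo no
}

CERT="$(make_self_signed)"
echo "self-signed:        $(is_self_signed "$CERT")"
echo "trusted CA chain:   $(chains_to_trusted_ca "$CERT")"
echo "covers $CLUSTER_FQDN: $(covers_hostname "$CERT" "$CLUSTER_FQDN")"
```

Pointing the same three functions at the certificate a real cluster presents (for example one saved with `openssl s_client`) gives a quick way to tell a test-style self-signed endpoint from a production-grade one.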