question

mimckitt avatar image
0 Votes"
mimckitt asked ·

Trending on MSDN: Self-Signed Certificates for Azure Service Fabric

According to Azure Service Fabric security best practices I should use a self-signed certificate for test clusters, but not for production clusters.

Service fabric clusters are created in cluster.region.cloudapp.azure.com subdomain. I am assuming there is no way to get TLS certificate for that domain signed by proper CA (because cloudapp.azure.com belongs to Microsoft).

Azure can generate only self-signed certificate for that domain but it's against best practices. As I understand there is only one way to follow best practices to have custom domain for service fabric cluster (like sfcluster.mydomain.com) and to buy certificate for it.

Is it correct?

The situation with client certificates is unclear for me as well. Is it wrong to use self-signed client certificates too?

Sourced from MSDN

azure-service-fabric
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

olufemiaMSFT avatar image
0 Votes"
olufemiaMSFT answered ·

Welcome to the Microsoft Q&A (Preview) platform. Happy to answer your questions.

You are correct. Since the Azure domain is not something you can get an official cert for as it is owned by Microsoft you need to setup a custom domain name for your cluster and map it to the one provided to you when creating your cluster. 

 As per your second question, there is nothing wrong with using Self Signed certs however it is not recommended for production clusters. For dev clusters there is no reason to pay for a certified cert. 

Sourced from MSDN

· Share
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.