Generate certificate signing requests for Azure Stack

You can use the Azure Stack Readiness Checker tool to create Certificate Signing Requests (CSRs) suitable for an Azure Stack deployment. Certificates should be requested, generated, and validated with enough time to test before deployment. You can get the tool from the PowerShell Gallery.

You can use the Azure Stack Readiness Checker tool (AzsReadinessChecker) to request the following certificates:


Your system should meet the following prerequisites before generating any CSRs for PKI certificates for an Azure Stack deployment:

  • Microsoft Azure Stack Readiness Checker

  • Certificate attributes:

    • Region name
    • External fully qualified domain name (FQDN)
    • Subject

  • Windows 10 or Windows Server 2016 or later


    When you receive your certificates back from your certificate authority, the steps in Prepare Azure Stack PKI certificates must be completed on the same system, because the private key for each request is generated and stored on the system that created the CSR.

Generate certificate signing requests

Use these steps to prepare and validate the Azure Stack PKI certificates:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or above), by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker
  2. Declare the subject as an ordered dictionary. For example:

    $subjectHash = [ordered]@{"OU"="AzureStack";"O"="Microsoft";"L"="Redmond";"ST"="Washington";"C"="US"}


    If a common name (CN) is supplied, this will be overwritten by the first DNS name of the certificate request.

  3. Declare an output directory that already exists. For example:

    $outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
  4. Declare the identity system.

    Azure Active Directory (Azure AD):

    $IdentitySystem = "AAD"

    Active Directory Federation Services (AD FS):

    $IdentitySystem = "ADFS"
  5. Declare region name and an external FQDN intended for the Azure Stack deployment.

    $regionName = 'east'
    $externalFQDN = ''


    <regionName>.<externalFQDN> forms the basis on which all external DNS names in Azure Stack are created. In this example, the portal would be

  6. To generate certificate signing requests for each DNS name:

    New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem

    To include PaaS Services, specify the switch -IncludePaaS.

  7. Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):

    New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -RequestType SingleCSR -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem

    To include PaaS Services, specify the switch -IncludePaaS.

  8. Review the output:

    New-AzsCertificateSigningRequest v1.1809.1005.1 started.
    CSR generating for following SAN(s): dns=****.table.east.azurestack.cont***dn2=**
    Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\username\Documents\AzureStackCSR\wildcard_east_azurestack_contoso_com_CertRequest_20180405233530.req
    Certreq.exe output: CertReq: Request Created
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    New-AzsCertificateSigningRequest Completed
  9. Submit the .REQ file generated to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) necessary to submit to a Certificate Authority. The directory also contains, for your reference, a child directory containing the INF file(s) used during certificate request generation. Be sure that your CA generates certificates using your generated request that meet the Azure Stack PKI Requirements.
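The whole procedure above as one script, added here as an example that is not part of the original article or of the Readiness Checker tool itself. It assumes a placeholder external FQDN of azurestack.contoso.com and an output directory under the user's Documents folder, keeps the page's subject values, and uses certutil.exe -dump only as a local sanity check that each generated .req file parses as a request before it is sent to the CA.

```powershell
# Added example (not the article's or the tool's own code): end-to-end CSR
# generation with the prerequisite checks a practitioner would want before
# calling New-AzsCertificateSigningRequest.
# Assumed values: $externalFQDN and $outputDirectory below are placeholders.

#Requires -Version 5.1

# Step 1: make sure the Readiness Checker is available; install it from the
# PowerShell Gallery for the current user if it is not.
if (-not (Get-Module -ListAvailable -Name Microsoft.AzureStack.ReadinessChecker)) {
    Install-Module Microsoft.AzureStack.ReadinessChecker -Scope CurrentUser -Force
}
Import-Module Microsoft.AzureStack.ReadinessChecker

# Step 2: the subject as an ordered dictionary. No CN is set on purpose: the
# cmdlet replaces any CN with the first DNS name of each request.
$subjectHash = [ordered]@{ "OU" = "AzureStack"; "O" = "Microsoft"; "L" = "Redmond"; "ST" = "Washington"; "C" = "US" }
if ($subjectHash.Contains("CN")) {
    Write-Warning "A CN in the subject is ignored; it is overwritten by the first DNS name of each CSR."
}

# Step 3: the output directory must already exist, so create it up front.
$outputDirectory = Join-Path $env:USERPROFILE "Documents\AzureStackCSR"   # assumed path
if (-not (Test-Path -LiteralPath $outputDirectory -PathType Container)) {
    New-Item -ItemType Directory -Path $outputDirectory | Out-Null
}

# Step 4: identity system, "AAD" or "ADFS".
$identitySystem = "AAD"

# Step 5: region name and external FQDN. <regionName>.<externalFQDN> is the
# base of every external DNS name the deployment will use.
$regionName   = 'east'
$externalFQDN = 'azurestack.contoso.com'   # assumed placeholder value

# Step 6: one CSR per DNS name (the production layout). Add IncludePaaS = $true
# to the splat to cover the PaaS endpoints as well.
$params = @{
    RegionName        = $regionName
    FQDN              = $externalFQDN
    Subject           = $subjectHash
    OutputRequestPath = $outputDirectory
    IdentitySystem    = $identitySystem
}
New-AzsCertificateSigningRequest @params

# Step 7 (Dev/Test only): a single CSR carrying every name as a SAN instead.
# New-AzsCertificateSigningRequest @params -RequestType SingleCSR

# Steps 8 and 9: inventory what was produced and confirm each request file
# decodes as a PKCS #10 request, so an empty or corrupt .req is caught here
# rather than after a round trip to the CA.
Get-ChildItem -Path $outputDirectory -Filter '*.req' | ForEach-Object {
    $null = & certutil.exe -dump $_.FullName 2>&1
    [pscustomobject]@{
        Request   = $_.Name
        SizeBytes = $_.Length
        Parses    = ($LASTEXITCODE -eq 0)
    }
} | Format-Table -AutoSize
```

Run the script from an elevated PowerShell 5.1 or later prompt on the machine that will later import the issued certificates; the key pairs created with the requests live in that machine's key store. Any row whose Parses column is False should be regenerated before anything is submitted to the CA.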

Next steps

Prepare Azure Stack PKI certificates