Prepare Azure Stack PKI certificates for use in deployment or rotation

The certificate files obtained from your CA of choice must be imported and exported with properties matching Azure Stack's certificate requirements.

Prepare certificates for deployment

Use the following steps to prepare and validate the Azure Stack PKI certificates that will be used for deploying a new Azure Stack environment or for rotating secrets in an existing Azure Stack environment.

Import the certificate

  1. Copy the original certificate versions obtained from your CA of choice into a directory on the deployment host.


    Do not copy files that have already been imported, exported, or altered in any way from the files provided directly by the CA.

  2. Right-click on the certificate and select Install Certificate or Install PFX depending on how the certificate was delivered from your CA.

  3. In the Certificate Import Wizard, select Local Machine as the import location. Select Next. On the following screen, click next again.

    Local machine import location

  4. Choose Place all certificate in the following store and then select Enterprise Trust as the location. Click OK to close the certificate store selection dialog box and then Next.

    Configure the certificate store

    a. If you are importing a PFX, you will be presented with an additional dialog. On the Private key protection page, enter the password for your certificate files and then enable the Mark this key as exportable. This allows you to back up or transport your keys at a later time option. Select Next.

    Mark key as exportable

  5. Click Finish to complete the import.


After you import a certificate for Azure Stack, the private key of the certificate is stored as a PKCS 12 file (PFX) on clustered storage.

Export the certificate

Open Certificate Manager MMC console and connect to the Local Machine certificate store.

  1. Open the Microsoft Management Console, in Windows 10 right click on Start Menu, then click Run. Type mmc click ok.

  2. Click File, Add/Remove Snap-In then select Certificates click Add.

    Add Certificates Snap-in

  3. Select Computer account, click next then select Local computer then finish. Click ok to close the Add/Remove Snap-In page.

    Add Certificates Snap-in

  4. Browse to Certificates > Enterprise Trust > Certificate location. Verify that you see your certificate on the right.

  5. From the task bar of Certificate Manager console, select Actions > All Tasks > Export. Select Next.


    Depending on how many Azure Stack certificates you have you may need to complete this process more than once.

  6. Select Yes, Export the Private Key, and then click Next.

  7. In the Export File Format section:

    • Select Include all certificates in the certificate if possible.

    • Select Export all Extended Properties.

    • Select Enable certificate privacy.

    • Click Next.

      Certificate export wizard with selected options

  8. Select Password and provide a password for the certificates. Create a password that meets the following password complexity requirements. A minimum length of eight characters. The password contains at least three of the following: uppercase letter, lowercase letter, numbers from 0-9, special characters, alphabetical character that is neither uppercase nor lowercase. Make note of this password. You will use it as a deployment parameter.

  9. Select Next.

  10. Choose a file name and location for the PFX file to export. Select Next.

  11. Select Finish.

Next steps

Validate PKI certificates