Azure Stack certificates signing request generation
The Azure Stack Readiness Checker tool described in this article is available from the PowerShell Gallery. The tool creates Certificate Signing Requests (CSRs) suitable for an Azure Stack deployment. Certificates should be requested, generated, and validated with enough time to test before deployment.
The Azure Stack Readiness Checker tool (AzsReadinessChecker) performs the following certificate requests:
- Standard Certificate Requests
Request according to Generate PKI Certificates for Azure Stack Deployment. - Platform-as-a-Service
You can request platform-as-a-service (PaaS) names for certificates as specified in Azure Stack Public Key Infrastructure certificate requirements - Optional PaaS Certificates.
Prerequisites
Your system should meet the following prerequisites before generating the CSR(s) for PKI certificates for an Azure Stack deployment:
- Microsoft Azure Stack Readiness Checker
- Certificate attributes:
- Region name
- External fully qualified domain name (FQDN)
- Subject
Windows 10 or Windows Server 2016
Note
When you receive your certificates back from your certificate authority the steps in Prepare Azure Stack PKI certificates will need to be completed on the same system!
Generate certificate signing request(s)
Use these steps to prepare and validate the Azure Stack PKI certificates:
Install AzsReadinessChecker from a PowerShell prompt (5.1 or above), by running the following cmdlet:
Install-Module Microsoft.AzureStack.ReadinessCheckerDeclare the subject as an ordered dictionary. For example:
$subjectHash = [ordered]@{"OU"="AzureStack";"O"="Microsoft";"L"="Redmond";"ST"="Washington";"C"="US"}Note
If a common name (CN) is supplied this will be overwritten by the first DNS name of the certificate request.
Declare an output directory that already exists. For example:
$outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"Declare identity system
Azure Active Directory
$IdentitySystem = "AAD"Active Directory Federation Services
$IdentitySystem = "ADFS"Declare region name and an external FQDN intended for the Azure Stack deployment.
$regionName = 'east' $externalFQDN = 'azurestack.contoso.com'Note
<regionName>.<externalFQDN>forms the basis on which all external DNS names in Azure Stack are created, in this example, the portal would beportal.east.azurestack.contoso.com.To generate certificate signing requests for each DNS name:
New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystemTo include PaaS Services, specify the switch
-IncludePaaSAlternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names add -RequestType SingleCSR parameter and value (not recommended for production environments):
New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -RequestType SingleCSR -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystemTo include PaaS Services, specify the switch
-IncludePaaSReview the output:
New-AzsCertificateSigningRequest v1.1809.1005.1 started. CSR generating for following SAN(s): dns=*.east.azurestack.contoso.com&dns=*.blob.east.azurestack.contoso.com&dns=*.queue.east.azurestack.contoso.com&dns=*.table.east.azurestack.cont oso.com&dns=*.vault.east.azurestack.contoso.com&dns=*.adminvault.east.azurestack.contoso.com&dns=portal.east.azurestack.contoso.com&dns=adminportal.east.azurestack.contoso.com&dns=ma nagement.east.azurestack.contoso.com&dns=adminmanagement.east.azurestack.contoso.com*dn2=*.adminhosting.east.azurestack.contoso.com@dns=*.hosting.east.azurestack.contoso.com Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\username\Documents\AzureStackCSR\wildcard_east_azurestack_contoso_com_CertRequest_20180405233530.req Certreq.exe output: CertReq: Request Created Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log New-AzsCertificateSigningRequest CompletedSubmit the .REQ file generated to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) necessary to submit to a Certificate Authority. The directory also contains, for your reference, a child directory containing the INF file(s) used during certificate request generation. Be sure that your CA generates certificates using your generated request that meet the Azure Stack PKI Requirements.