Azure Stack certificates signing request generation
You can use the Azure Stack Readiness Checker tool to create Certificate Signing Requests (CSRs) suitable for an Azure Stack deployment. Certificates should be requested, generated, and validated with enough time to test before deployment. You can get the tool from the PowerShell Gallery.
You can use the Azure Stack Readiness Checker tool (AzsReadinessChecker) to request the following certificates:
- Standard Certificate Requests according to Generate PKI Certificates for Azure Stack Deployment.
- Platform-as-a-Service: You can request platform-as-a-service (PaaS) names for certificates as specified in Azure Stack Public Key Infrastructure certificate requirements - Optional PaaS Certificates.
Prerequisites
Your system should meet the following prerequisites before generating the CSR(s) for PKI certificates for an Azure Stack deployment:
- Microsoft Azure Stack Readiness Checker
- Certificate attributes:
  - Region name
  - External fully qualified domain name (FQDN)
  - Subject
- Windows 10 or Windows Server 2016
Note
When you receive your certificates back from your certificate authority, the steps in Prepare Azure Stack PKI certificates must be completed on the same system.
Generate certificate signing request(s)
Use these steps to prepare and validate the Azure Stack PKI certificates:
Install AzsReadinessChecker from a PowerShell prompt (5.1 or above), by running the following cmdlet:
Install-Module Microsoft.AzureStack.ReadinessChecker
Declare the subject as an ordered dictionary. For example:
$subjectHash = [ordered]@{"OU"="AzureStack";"O"="Microsoft";"L"="Redmond";"ST"="Washington";"C"="US"}
Note
If a common name (CN) is supplied this will be overwritten by the first DNS name of the certificate request.
Declare an output directory that already exists. For example:
$outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
Declare the identity system:
For Azure Active Directory:
$IdentitySystem = "AAD"
For Active Directory Federation Services:
$IdentitySystem = "ADFS"
Declare region name and an external FQDN intended for the Azure Stack deployment.
$regionName = 'east'
$externalFQDN = 'azurestack.contoso.com'
Note
<regionName>.<externalFQDN> forms the basis on which all external DNS names in Azure Stack are created. In this example, the portal would be portal.east.azurestack.contoso.com.
To generate certificate signing requests for each DNS name:
New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
To include PaaS services, add the -IncludePaaS switch.
Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):
New-AzsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subjectHash -RequestType SingleCSR -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
To include PaaS services, add the -IncludePaaS switch.
Review the output:
New-AzsCertificateSigningRequest v1.1809.1005.1 started.
CSR generating for following SAN(s): dns=*.east.azurestack.contoso.com&dns=*.blob.east.azurestack.contoso.com&dns=*.queue.east.azurestack.contoso.com&dns=*.table.east.azurestack.contoso.com&dns=*.vault.east.azurestack.contoso.com&dns=*.adminvault.east.azurestack.contoso.com&dns=portal.east.azurestack.contoso.com&dns=adminportal.east.azurestack.contoso.com&dns=management.east.azurestack.contoso.com&dns=adminmanagement.east.azurestack.contoso.com&dns=*.adminhosting.east.azurestack.contoso.com&dns=*.hosting.east.azurestack.contoso.com
Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\username\Documents\AzureStackCSR\wildcard_east_azurestack_contoso_com_CertRequest_20180405233530.req
Certreq.exe output: CertReq: Request Created
Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
New-AzsCertificateSigningRequest Completed
Submit the .REQ file generated to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) necessary to submit to a Certificate Authority. The directory also contains, for your reference, a child directory containing the INF file(s) used during certificate request generation. Be sure that your CA generates certificates using your generated request that meet the Azure Stack PKI Requirements.
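The steps above, as an added end-to-end example (not code from the original page or from the Readiness Checker itself): it runs the request generation and then checks that the INF files the tool leaves for reference cover every external DNS name listed in the output above. It assumes the module is already installed and that the INF files contain the SAN names as plain text; the $expectedSans list is derived from the SANs shown in the sample output.

```powershell
# Added example: generate the Azure Stack CSRs and verify the SAN coverage of the
# request INF(s). Assumes AzsReadinessChecker is installed (see Install-Module above).
param(
    [string]$RegionName      = 'east',
    [string]$ExternalFQDN    = 'azurestack.contoso.com',
    [ValidateSet('AAD','ADFS')][string]$IdentitySystem = 'AAD',
    [string]$OutputDirectory = "$env:USERPROFILE\Documents\AzureStackCSR"
)

Import-Module Microsoft.AzureStack.ReadinessChecker

# Subject as an ordered dictionary; any CN is overwritten by the first DNS name.
$subject = [ordered]@{ OU='AzureStack'; O='Microsoft'; L='Redmond'; ST='Washington'; C='US' }

# The output directory must already exist before the cmdlet is called.
if (-not (Test-Path -Path $OutputDirectory)) {
    New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
}

# Expected SAN set, built from the names the cmdlet reported in the sample output.
$base = "$RegionName.$ExternalFQDN"
$expectedSans = @("*.$base") +
    @('blob','queue','table','vault','adminvault','adminhosting','hosting' | ForEach-Object { "*.$_.$base" }) +
    @('portal','adminportal','management','adminmanagement' | ForEach-Object { "$_.$base" })

New-AzsCertificateSigningRequest -RegionName $RegionName -FQDN $ExternalFQDN -subject $subject `
    -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem

# A .req file per request is what gets submitted to the CA; fail loudly if none exists.
$reqFiles = Get-ChildItem -Path $OutputDirectory -Filter *.req -File
if ($reqFiles.Count -eq 0) { throw "No .req files were written to $OutputDirectory" }

# The child directory holds the INF file(s) used for generation; read them all
# (assumption: SAN names appear in them as plain text) and flag any expected name
# that none of them mentions, so a mis-typed region or FQDN is caught before the CA.
$infText = Get-ChildItem -Path $OutputDirectory -Filter *.inf -File -Recurse | Get-Content -Raw
if (-not $infText) { throw "No INF files found under $OutputDirectory; cannot verify SAN coverage" }
$missing = $expectedSans | Where-Object {
    $name = $_
    -not ($infText | Where-Object { $_ -match [regex]::Escape($name) })
}

if ($missing) {
    Write-Warning ("Expected SANs not found in any request INF: " + ($missing -join ', '))
} else {
    Write-Host "All $($expectedSans.Count) expected SANs are present in the request INF(s)."
}
$reqFiles | ForEach-Object { Write-Host "Submit to your CA: $($_.FullName)" }
```

Add -IncludePaaS to the New-AzsCertificateSigningRequest call if you requested PaaS names; the expected list here covers only the standard set shown in the output above.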