Tutorial: Configure certificates for your Azure Stack Edge Pro with GPU

This tutorial describes how you can configure certificates for your Azure Stack Edge Pro device with an onboard GPU by using the local web UI.

The time taken for this step can vary depending on the specific option you choose and how the certificate flow is established in your environment.

In this tutorial, you learn about:

  • Prerequisites
  • Configure certificates for the physical device

Prerequisites

Before you configure and set up your Azure Stack Edge Pro device with GPU, make sure that:

  • You've installed the physical device as detailed in Install Azure Stack Edge Pro GPU.
  • If you plan to bring your own certificates:
    • You should have your certificates ready in the appropriate format, including the signing chain certificate. For details on certificates, go to Manage certificates.

    • If your device is deployed in Azure Government and not in Azure public cloud, a signing chain certificate is required before you can activate your device. For details on certificates, go to Manage certificates.

Configure certificates for device

  1. In the Certificates page, you will configure your certificates. Depending on whether you changed the device name or the DNS domain in the Device page, you can choose one of the following options for your certificates.

    • If you have not changed the device name or the DNS domain in the earlier step and do not wish to bring your own certificates, then you can skip this step and proceed to the next step. The device has automatically generated self-signed certificates to begin with.

    • If you changed the device name or DNS domain, the status of the certificates shows as Not valid.

      Select a certificate to view the details of the status.

      This is because the certificates do not reflect the updated device name and DNS domain (which are used in the subject name and subject alternative name). To successfully activate your device, choose one of the following options:

      • Generate all the device certificates. These device certificates should only be used for testing and not used with production workloads. For more information, go to Generate device certificates on your Azure Stack Edge Pro GPU.

      • Bring your own certificates. You can bring your own signed endpoint certificates and the corresponding signing chains. You first add the signing chain and then upload the endpoint certificates. We recommend that you always bring your own certificates for production workloads. For more information, go to Bring your own certificates on your Azure Stack Edge Pro GPU device.

      • You can bring some of your own certificates and generate some device certificates. The Generate certificates option will only regenerate the device certificates.

    • If you changed the device name or DNS domain, and you do not generate certificates or bring your own certificates, then the activation will be blocked.

Generate device certificates

Follow these steps to regenerate and download the Azure Stack Edge Pro GPU device certificates:

  1. In the local UI of your device, go to Configuration > Certificates. Select Generate certificates.

  2. In Generate device certificates, select Generate.

    The device certificates are now generated and applied. It takes a few minutes to generate and apply the certificates.

    Important

    While the certificate generation operation is in progress, do not try to add your own certificates by using the + Add certificate option.

    You are notified when the operation is successfully completed. To avoid any potential cache issues, restart your browser.

  3. After the certificates are generated:

    • The status of all the certificates shows as Valid.

    • You can select a specific certificate name, and view the certificate details.

    • The Download column is now populated. This column has links to download the regenerated certificates.

  4. Select the download link for a certificate and when prompted, save the certificate.

  5. Repeat this process for all the certificates that you wish to download.

    The device generated certificates are saved as DER certificates with the following name format:

    <Device name>_<Endpoint name>.cer. These certificates contain the public key for the corresponding certificates installed on the device.

You will need to install these certificates on the client system that you are using to access the endpoints on the Azure Stack Edge device. These certificates establish trust between the client and the device.

To import and install these certificates on the client that you are using to access the device, follow the steps in Import certificates on the clients accessing your Azure Stack Edge Pro GPU device.

If you use Azure Storage Explorer, you need to install the certificates on your client in PEM format, so you must first convert the device generated certificates into PEM format.
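The DER-to-PEM conversion mentioned above, as an added example that is not part of the original tutorial: it converts every downloaded `<Device name>_<Endpoint name>.cer` file in a folder to PEM, rejects files that are not a single DER certificate structure, and returns a SHA-256 fingerprint for each so the converted file can be compared with the one you downloaded. The function names are hypothetical, the sample bytes are constructed, and the file name parsing assumes the device name contains no underscore.

```python
import hashlib
import ssl
from pathlib import Path

# Constructed placeholder (a 5-byte DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

def is_single_der_sequence(der: bytes) -> bool:
    """True if the buffer is exactly one DER SEQUENCE (tag 0x30), no trailing bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, body = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def to_pem(raw: bytes) -> str:
    """Return PEM text for a .cer file that is DER or already Base64/PEM."""
    if raw.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        der = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    else:
        der = raw
    if not is_single_der_sequence(der):
        raise ValueError("not a single DER-encoded certificate")
    return ssl.DER_cert_to_PEM_cert(der)

def split_name(path: Path) -> tuple:
    """Split '<Device name>_<Endpoint name>.cer'; assumes no '_' in the device name."""
    device, sep, endpoint = path.stem.partition("_")
    if not (sep and device and endpoint):
        raise ValueError(f"unexpected file name: {path.name}")
    return device, endpoint

def convert_folder(folder: Path) -> dict:
    """Write a .pem beside each .cer; return {pem file name: SHA-256 of the DER}."""
    fingerprints = {}
    for cer in sorted(folder.glob("*.cer")):
        split_name(cer)                    # reject names that do not match the format
        pem_text = to_pem(cer.read_bytes())
        pem_path = cer.with_suffix(".pem")
        pem_path.write_text(pem_text, encoding="ascii")
        der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
        fingerprints[pem_path.name] = hashlib.sha256(der).hexdigest()
    return fingerprints

if __name__ == "__main__":
    print(to_pem(SAMPLE_DER))
```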

Important

  • The download link is only available for the device generated certificates and not if you bring your own certificates.
  • You can decide to have a mix of device generated certificates and bring your own certificates as long as other certificate requirements are met. For more information, go to Certificate requirements.

Bring your own certificates

Follow these steps to upload your own certificates, including the signing chain.

  1. To upload a certificate, on the Certificates page, select + Add certificate.

  2. Upload the signing chain first and select Validate & add.

  3. Now you can upload other certificates. For example, you can upload the Azure Resource Manager and Blob storage endpoint certificates.

    You can also upload the local web UI certificate. After you upload this certificate, you will be required to restart your browser and clear the cache. You will then need to reconnect to the device local web UI.

    You can also upload the node certificate.

    At any time, you can select a certificate and view its details to make sure that they match the certificate that you uploaded.

    The certificate page should update to reflect the newly added certificates.

    Note

    For all cloud configurations other than Azure public cloud (Azure Government or Azure Stack), you must bring in signing chain certificates before activation.

Your device is now ready to be activated. Select < Back to Get started.

Next steps

In this tutorial, you learned about:

  • Prerequisites
  • Configure certificates for the physical device

To learn how to activate your Azure Stack Edge Pro GPU device, see: