Recommend certificate strategy


Certificate requirements are grouped by area, by the namespaces used, and by the certificates required for each namespace. The table in this unit describes the Azure Stack Hub public endpoint PKI certificates that are required for both Microsoft Entra ID and AD FS Azure Stack Hub deployments, and names the deployment folder into which your solution provider copies the certificate for each public endpoint.

Certificates with the appropriate DNS names for each Azure Stack Hub public infrastructure endpoint are required. Each endpoint's DNS name is expressed in the format: <prefix>.<region>.<fqdn>.

For your deployment, the <region> and <fqdn> values must match the region and external domain names that you chose for your Azure Stack Hub system. As an example, if the region name was Redmond and the external domain name was contoso.com, the DNS names would have the format <prefix>.redmond.contoso.com. The <prefix> values are predesignated by Microsoft to describe the endpoint secured by the certificate, and the <prefix> of each external infrastructure endpoint depends on the Azure Stack Hub service that uses that endpoint.

For production environments, we recommend generating an individual certificate for each endpoint and copying it into the corresponding directory. For development environments, a single wildcard certificate that covers all namespaces in its Subject and Subject Alternative Name (SAN) fields can be provided and copied into every directory. A single certificate covering all endpoints and services is an insecure posture and is therefore development-only. Remember that both options still require wildcard certificates for the endpoints that need them, such as the ACS storage endpoints and Key Vault.

| Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace |
| --- | --- | --- | --- |
| Public Portal | `portal.<region>.<fqdn>` | Portals | `<region>.<fqdn>` |
| Admin Portal | `adminportal.<region>.<fqdn>` | Portals | `<region>.<fqdn>` |
| Azure Resource Manager Public | `management.<region>.<fqdn>` | Azure Resource Manager | `<region>.<fqdn>` |
| Azure Resource Manager Admin | `adminmanagement.<region>.<fqdn>` | Azure Resource Manager | `<region>.<fqdn>` |
| ACSBlob | `*.blob.<region>.<fqdn>` (wildcard SSL certificate) | Blob Storage | `blob.<region>.<fqdn>` |
| ACSTable | `*.table.<region>.<fqdn>` (wildcard SSL certificate) | Table Storage | `table.<region>.<fqdn>` |
| ACSQueue | `*.queue.<region>.<fqdn>` (wildcard SSL certificate) | Queue Storage | `queue.<region>.<fqdn>` |
| KeyVault | `*.vault.<region>.<fqdn>` (wildcard SSL certificate) | Key Vault | `vault.<region>.<fqdn>` |
| KeyVaultInternal | `*.adminvault.<region>.<fqdn>` (wildcard SSL certificate) | Internal Key Vault | `adminvault.<region>.<fqdn>` |
| Admin Extension Host | `*.adminhosting.<region>.<fqdn>` (wildcard SSL certificate) | Admin Extension Host | `adminhosting.<region>.<fqdn>` |
| Public Extension Host | `*.hosting.<region>.<fqdn>` (wildcard SSL certificate) | Public Extension Host | `hosting.<region>.<fqdn>` |
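The following added example (not part of the module or of Microsoft's tooling) turns the table above into a pre-deployment check: it computes the required Subject/SAN for each deployment folder from a chosen region and external FQDN, and reports which folders a given certificate's SAN list fails to cover. The region `redmond`, the domain `contoso.com` and the sample SAN lists are constructed inputs; wildcard matching follows the usual one-label rule, so a bare `*.<region>.<fqdn>` does not stand in for the required `*.blob.<region>.<fqdn>`.

```python
# Added example (not from the module): check certificate Subject/SAN names against
# the endpoint table above. The region, FQDN and SAN lists are constructed inputs.
# Deployment folder -> required Subject/SAN template. Wildcards appear exactly
# where the table calls for a wildcard certificate (ACS, Key Vault, extension hosts).
REQUIRED_NAMES = {
    "Public Portal": "portal.{region}.{fqdn}",
    "Admin Portal": "adminportal.{region}.{fqdn}",
    "Azure Resource Manager Public": "management.{region}.{fqdn}",
    "Azure Resource Manager Admin": "adminmanagement.{region}.{fqdn}",
    "ACSBlob": "*.blob.{region}.{fqdn}",
    "ACSTable": "*.table.{region}.{fqdn}",
    "ACSQueue": "*.queue.{region}.{fqdn}",
    "KeyVault": "*.vault.{region}.{fqdn}",
    "KeyVaultInternal": "*.adminvault.{region}.{fqdn}",
    "Admin Extension Host": "*.adminhosting.{region}.{fqdn}",
    "Public Extension Host": "*.hosting.{region}.{fqdn}",
}

def required_name(folder: str, region: str, fqdn: str) -> str:
    """Expected Subject/SAN for one deployment folder in the given region."""
    return REQUIRED_NAMES[folder].format(region=region, fqdn=fqdn).lower()

def name_covers(san: str, required: str) -> bool:
    """Exact match, or a wildcard SAN (*.x) covering a literal name exactly one label
    below x. A wildcard never covers x itself and never covers another wildcard, so
    *.<region>.<fqdn> cannot stand in for *.blob.<region>.<fqdn>."""
    san, required = san.lower(), required.lower()
    if san == required:
        return True
    if san.startswith("*.") and not required.startswith("*."):
        parts = required.split(".", 1)  # [leftmost label, parent domain]
        return len(parts) == 2 and parts[1] == san[2:]
    return False

def missing_folders(sans, region: str, fqdn: str) -> list:
    """Deployment folders whose required name is covered by no entry in `sans`.
    Production: call once per folder with that folder's certificate.
    Development: call once with the single wildcard certificate."""
    return [f for f in REQUIRED_NAMES
            if not any(name_covers(s, required_name(f, region, fqdn)) for s in sans)]

# Constructed sample: the development-only single wildcard certificate.
DEV_CERT_SANS = ["*.redmond.contoso.com", "*.blob.redmond.contoso.com",
                 "*.table.redmond.contoso.com", "*.queue.redmond.contoso.com",
                 "*.vault.redmond.contoso.com", "*.adminvault.redmond.contoso.com",
                 "*.adminhosting.redmond.contoso.com", "*.hosting.redmond.contoso.com"]

if __name__ == "__main__":
    for sans in (["*.redmond.contoso.com"], DEV_CERT_SANS):
        print(len(sans), "SAN(s) miss:", missing_folders(sans, "redmond", "contoso.com"))
```

Running it shows that a lone `*.redmond.contoso.com` covers only the portal and Azure Resource Manager endpoints, while the full development certificate with the nested wildcard SANs leaves no folder uncovered.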