Validate Azure Stack Hub PKI certificates

The Azure Stack Hub Readiness Checker tool described in this article is available from the PowerShell Gallery. Use the tool to validate that the public key infrastructure (PKI) certificates you generated are suitable for deployment. Allow enough time to validate the certificates and to reissue any that fail before the deployment date.

The Readiness Checker tool performs the following certificate validations:

  • Parse PFX
    Checks that the PFX file is valid, that the password is correct, and whether the public information is protected by the password.
  • Expiry Date
    Checks for a minimum remaining validity of seven days.
  • Signature algorithm
    Checks that the signature algorithm isn't SHA1.
  • Private Key
    Checks that the private key is present and was exported with the local machine attribute.
  • Cert chain
    Checks that the certificate chain is intact, including a check for self-signed certificates.
  • DNS names
    Checks that the SAN contains the relevant DNS names for each endpoint, or that a wildcard covering them is present.
  • Key usage
    Checks that the key usage contains digital signature and key encipherment, and that the enhanced key usage contains server authentication and client authentication.
  • Key size
    Checks that the key size is 2048 bits or larger.
  • Chain order
    Checks that the other certificates in the PFX (the chain) are in the correct order.
  • Other certificates
    Ensures that no certificates other than the relevant leaf certificate and its chain have been packaged in the PFX.
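The checks above can be approximated locally with .NET X509 APIs before the tool is run, which is useful when a PFX fails and you want to see exactly which property is wrong. The following PowerShell is an added example and is not the Readiness Checker's own code: it covers parse, expiry, signature algorithm, key length, key usage, DNS names, chain and other-certificates checks, and leaves chain order and PFX encryption to the tool. The wildcard rule it applies is the one visible in the Known issues output on this page (a wildcard covers exactly one DNS label), and the SAN text parsing assumes an en-US Windows host. The path and DNS names in the usage comment are assumptions.

```powershell
# Added example, not part of the Readiness Checker module. Approximates the tool's
# per-certificate checks with .NET X509 APIs. Chain order and PFX encryption are
# not checked here. Wildcard rule: '*.east.contoso.com' covers one label only, so it
# does NOT cover '*.blob.east.contoso.com' (see the Known issues section).
using namespace System.Security.Cryptography.X509Certificates

function Test-SanCoversName {
    param([string[]]$SanNames, [string]$Expected)
    foreach ($san in $SanNames) {
        if ($san -ieq $Expected) { return $true }          # exact match, including wildcard-to-wildcard
        if ($san.StartsWith('*.') -and -not $Expected.Contains('*')) {
            $suffix = $san.Substring(1)                    # '*.east.contoso.com' -> '.east.contoso.com'
            if ($Expected.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $prefix = $Expected.Substring(0, $Expected.Length - $suffix.Length)
                if ($prefix -and -not $prefix.Contains('.')) { return $true }   # exactly one label
            }
        }
    }
    return $false
}

function Test-AzsPfxPrecheck {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string[]]$ExpectedDnsNames
    )
    # Import every certificate in the PFX (leaf plus chain). Import() throws on a bad
    # file or wrong password, which corresponds to the tool's "Parse PFX" failure.
    $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
    $coll  = [X509Certificate2Collection]::new()
    $coll.Import($PfxPath, $plain, [X509KeyStorageFlags]::Exportable)
    $leaf  = @($coll | Where-Object HasPrivateKey)[0]
    if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

    $r = [ordered]@{ Thumbprint = $leaf.Thumbprint }
    $r['Private Key'] = $leaf.HasPrivateKey
    $r['Expiry Date'] = $leaf.NotAfter -gt (Get-Date).AddDays(7)      # seven days minimum

    # SHA-1 signature OIDs: sha1RSA, sha1DSA, sha1ECDSA
    $sha1 = '1.2.840.113549.1.1.5', '1.2.840.10040.4.3', '1.2.840.10045.4.1'
    $r['Signature Algorithm'] = $sha1 -notcontains $leaf.SignatureAlgorithm.Value

    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($leaf)
    $r['Key Length'] = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)

    # Key usage must include digitalSignature and keyEncipherment; EKU must include
    # serverAuth (1.3.6.1.5.5.7.3.1) and clientAuth (1.3.6.1.5.5.7.3.2).
    $ku  = $leaf.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $eku = $leaf.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r['Key Usage'] = ($null -ne $ku) -and
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature) -and
        $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment) -and
        ($ekuOids -contains '1.3.6.1.5.5.7.3.1') -and ($ekuOids -contains '1.3.6.1.5.5.7.3.2')

    # Subject Alternative Name (OID 2.5.29.17). Format() output is locale-dependent on
    # Windows; this parse assumes an en-US host (the same caveat the tool has for CRL checks).
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($san) {
        $sanNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $missing = @($ExpectedDnsNames | Where-Object { -not (Test-SanCoversName -SanNames $sanNames -Expected $_) })
    $r['DNS Names']         = $missing.Count -eq 0
    $r['Missing DNS Names'] = $missing -join ', '

    # Build the chain from the PFX contents plus local roots. Anything in the PFX that is
    # neither the leaf nor one of its chain elements is an "Other Certificates" failure.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ExtraStore.AddRange($coll)
    $r['Cert Chain'] = $chain.Build($leaf)
    $inChain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $extra   = @($coll | Where-Object { $inChain -notcontains $_.Thumbprint })
    $r['Other Certificates'] = $extra.Count -eq 0
    [pscustomobject]$r
}

# Usage (path and DNS names are assumptions for illustration):
#   $pw = Read-Host -Prompt 'Enter PFX Password' -AsSecureString
#   Test-AzsPfxPrecheck -PfxPath 'C:\Certificates\Deployment\ACSBlob\acsblob.pfx' `
#       -PfxPassword $pw -ExpectedDnsNames '*.blob.east.azurestack.contoso.com'
```

Revocation is deliberately set to NoCheck here because the point is to inspect what is inside the PFX; the tool's own HTTP CRL check still has to pass separately.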

Important

The PKI certificate is a PFX file; both the file and its password should be treated as sensitive information.

Prerequisites

Your system should meet the following prerequisites before validating PKI certificates for an Azure Stack Hub deployment:

  • Microsoft Azure Stack Hub Readiness Checker.
  • SSL certificate(s) exported following the preparation instructions.
  • DeploymentData.json.
  • Windows 10 or Windows Server 2016.

Perform core services certificate validation

Use these steps to validate the Azure Stack Hub PKI certificates for deployment and secret rotation:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet (the -AllowPrerelease switch requires PowerShellGet 1.6.0 or later):

        Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
    
  2. Create the certificate directory structure. In the example below, you can change <C:\Certificates\Deployment> to a new directory path of your choice.

    New-Item C:\Certificates\Deployment -ItemType Directory
    
    $directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal'
    
    $destination = 'C:\Certificates\Deployment'
    
    $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}
    

    Note

    AD FS and Graph are required if you're using AD FS as your identity system. For example:

    $directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'ADFS', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'Graph', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal'
    
    • Place your certificate(s) in the appropriate directories created in the previous step. For example:
      • C:\Certificates\Deployment\ACSBlob\CustomerCertificate.pfx
      • C:\Certificates\Deployment\Admin Portal\CustomerCertificate.pfx
      • C:\Certificates\Deployment\ARM Admin\CustomerCertificate.pfx
  3. In the PowerShell window, change the values of RegionName, FQDN, and IdentitySystem to match your Azure Stack Hub environment, then run the following cmdlets:

    $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString 
    Invoke-AzsHubDeploymentCertificateValidation -CertificatePath C:\Certificates\Deployment -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD  
    
  4. Check the output and ensure that all certificates pass all tests. For example:

    Invoke-AzsHubDeploymentCertificateValidation v1.2005.1286.272 started.
    Testing: KeyVaultInternal\KeyVaultInternal.pfx
    Thumbprint: E86699****************************4617D6
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: ARM Public\ARMPublic.pfx
    Thumbprint: 8DC4D9****************************69DBAA
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: Admin Portal\AdminPortal.pfx
    Thumbprint: 6F9055****************************4AC0EA
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: Public Portal\PublicPortal.pfx
    
    
    Log location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsHubDeploymentCertificateValidation Completed
    
    

    To validate certificates for other Azure Stack Hub services, use the cmdlet for that service. For example:

    # App Services
    Invoke-AzsHubAppServicesCertificateValidation -CertificatePath C:\Certificates\AppServices -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # DBAdapter
    Invoke-AzsHubDBAdapterCertificateValidation -CertificatePath C:\Certificates\DBAdapter -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # EventHubs
    Invoke-AzsHubEventHubsCertificateValidation -CertificatePath C:\Certificates\EventHubs -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # IoTHub
    Invoke-AzsHubIoTHubCertificateValidation -CertificatePath C:\Certificates\IoTHub -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    

    Each folder should contain a single PFX file for the certificate type. If a certificate type requires multiple certificates, nested folders for each individual certificate are expected, and the folder names must match exactly. The following listing shows an example folder/certificate structure for all certificate types, along with the corresponding values of -CertificateType and -CertificatePath for the Invoke-AzsCertificateValidation form of the command.

    C:\>tree c:\SecretStore /A /F
        Folder PATH listing
        Volume serial number is 85AE-DF2E
        C:\SECRETSTORE
        \---AzureStack
            +---CertificateRequests
            \---Certificates
                +---AppServices         # Invoke-AzsCertificateValidation `
                |   +---API             #     -CertificateType AppServices `
                |   |       api.pfx     #     -CertificatePath C:\Certificates\AppServices
                |   |
                |   +---DefaultDomain
                |   |       wappsvc.pfx
                |   |
                |   +---Identity
                |   |       sso.pfx
                |   |
                |   \---Publishing
                |           ftp.pfx
                |
                +---DBAdapter           # Invoke-AzsCertificateValidation `
                |       dbadapter.pfx   #   -CertificateType DBAdapter `
                |                       #   -CertificatePath C:\Certificates\DBAdapter
                |
                +---Deployment          # Invoke-AzsCertificateValidation `
                |   +---ACSBlob         #   -CertificateType Deployment `
                |   |       acsblob.pfx #   -CertificatePath C:\Certificates\Deployment
                |   |
                |   +---ACSQueue
                |   |       acsqueue.pfx
               ./. ./. ./. ./. ./. ./. ./.    <- Deployment certificate tree trimmed.
                |   \---Public Portal
                |           portal.pfx
                |
                +---EventHubs           # Invoke-AzsCertificateValidation `
                |       eventhubs.pfx   #   -CertificateType EventHubs `
                |                       #   -CertificatePath C:\Certificates\EventHubs
                |
                \---IoTHub              # Invoke-AzsCertificateValidation `
                        iothub.pfx      #   -CertificateType IoTHub `
                                        #   -CertificatePath C:\Certificates\IoTHub
    

Known issues

Symptom: Tests are skipped

Cause: AzsReadinessChecker skips certain tests if a dependency isn't met:

  • The Other Certificates check is skipped if the Cert Chain or DNS Names check fails.

    Testing: ACSBlob\singlewildcard.pfx
        Read PFX: OK
        Signature Algorithm: OK
        Private Key: OK
        Cert Chain: OK
        DNS Names: Fail
        Key Usage: OK
        Key Size: OK
        Chain Order: OK
        Other Certificates: Skipped
    Details:
    The certificate records '*.east.azurestack.contoso.com' do not contain a record that is valid for '*.blob.east.azurestack.contoso.com'. Please refer to the documentation for how to create the required certificate file.
    The Other Certificates check was skipped because Cert Chain and/or DNS Names failed. Follow the guidance to remediate those issues and recheck. 
    
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsCertificateValidation Completed
    

Resolution: Follow the tool's guidance in the Details section under each set of tests for each certificate.

Symptom: HTTP CRL checking fails despite an HTTP CDP being present in the X.509 extensions.

Cause: Currently, AzsReadinessChecker can't check for an HTTP CDP when the OS is set to some languages.

Resolution: Run the validation with the OS language set to EN-US.

Certificates

  Directory               Certificate
  ACSBlob                 wildcard_blob_<region>_<externalFQDN>
  ACSQueue                wildcard_queue_<region>_<externalFQDN>
  ACSTable                wildcard_table_<region>_<externalFQDN>
  Admin Extension Host    wildcard_adminhosting_<region>_<externalFQDN>
  Admin Portal            adminportal_<region>_<externalFQDN>
  ARM Admin               adminmanagement_<region>_<externalFQDN>
  ARM Public              management_<region>_<externalFQDN>
  KeyVault                wildcard_vault_<region>_<externalFQDN>
  KeyVaultInternal        wildcard_adminvault_<region>_<externalFQDN>
  Public Extension Host   wildcard_hosting_<region>_<externalFQDN>
  Public Portal           portal_<region>_<externalFQDN>
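The table above fixes the file name for each directory, and the validation procedure earlier on this page expects each PFX in its own folder under the Deployment path. The following PowerShell is an added example and not part of the Readiness Checker module: it derives the DNS name each certificate must cover from the file-name pattern in the table (wildcard_<service>_<region>_<fqdn> corresponds to *.<service>.<region>.<fqdn>), copies PFX files named per the table from a flat export folder into the Deployment folder structure, warns about any that are missing, and then runs the validation cmdlet from the procedure. The source folder C:\Certificates\Exported, the region east and the FQDN azurestack.contoso.com are assumptions. The AD FS and Graph certificate names are not listed in the table, so they are not mapped here.

```powershell
# Added example, not part of the Readiness Checker module. Maps the Deployment
# directory names to the DNS name each certificate must cover and stages PFX files
# named per the table (wildcard_blob_<region>_<fqdn>.pfx etc.) into their folders.
function Get-AzsDeploymentCertificateMap {
    param(
        [Parameter(Mandatory)][string]$RegionName,
        [Parameter(Mandatory)][string]$FQDN
    )
    $suffix = "$RegionName.$FQDN"
    # Directory name -> DNS name the certificate must cover (from the table on this page).
    # AD FS and Graph directories (needed for an AD FS identity system) are not in the
    # table and must be added from the PKI certificate requirements documentation.
    [ordered]@{
        'ACSBlob'               = "*.blob.$suffix"
        'ACSQueue'              = "*.queue.$suffix"
        'ACSTable'              = "*.table.$suffix"
        'Admin Extension Host'  = "*.adminhosting.$suffix"
        'Admin Portal'          = "adminportal.$suffix"
        'ARM Admin'             = "adminmanagement.$suffix"
        'ARM Public'            = "management.$suffix"
        'KeyVault'              = "*.vault.$suffix"
        'KeyVaultInternal'      = "*.adminvault.$suffix"
        'Public Extension Host' = "*.hosting.$suffix"
        'Public Portal'         = "portal.$suffix"
    }
}

function ConvertTo-AzsCertificateFileStem {
    # '*.blob.east.azurestack.contoso.com' -> 'wildcard_blob_east_azurestack.contoso.com'
    # 'portal.east.azurestack.contoso.com' -> 'portal_east_azurestack.contoso.com'
    param([Parameter(Mandatory)][string]$DnsName)
    $stem = $DnsName -replace '^\*\.', 'wildcard_'
    # Only the first two dots (service.region) become underscores; the FQDN keeps its dots.
    [regex]::new('\.').Replace($stem, '_', 2)
}

function Copy-AzsDeploymentCertificates {
    param(
        [Parameter(Mandatory)][string]$SourceFolder,                 # flat folder of <stem>.pfx files
        [Parameter(Mandatory)][string]$Destination,                  # e.g. C:\Certificates\Deployment
        [Parameter(Mandatory)][System.Collections.IDictionary]$Map   # from Get-AzsDeploymentCertificateMap
    )
    $missing = @()
    foreach ($dir in $Map.Keys) {
        $stem = ConvertTo-AzsCertificateFileStem -DnsName $Map[$dir]
        $src  = Join-Path $SourceFolder "$stem.pfx"
        if (-not (Test-Path -LiteralPath $src)) { $missing += $stem; continue }
        $dst  = Join-Path $Destination $dir
        New-Item -Path $dst -ItemType Directory -Force | Out-Null
        # One PFX per folder; the tool flags anything else it finds there.
        Copy-Item -LiteralPath $src -Destination (Join-Path $dst "$stem.pfx") -Force
    }
    if ($missing) { Write-Warning ("No PFX found for: " + ($missing -join ', ')) }
}

# Region, FQDN and the export folder are assumptions for illustration.
$map = Get-AzsDeploymentCertificateMap -RegionName east -FQDN azurestack.contoso.com
Copy-AzsDeploymentCertificates -SourceFolder C:\Certificates\Exported -Destination C:\Certificates\Deployment -Map $map

$pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString
Invoke-AzsHubDeploymentCertificateValidation -CertificatePath C:\Certificates\Deployment -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD
```

The map doubles as the list of expected SAN entries: a single wildcard such as *.east.azurestack.contoso.com in an ACSBlob certificate does not satisfy *.blob.east.azurestack.contoso.com, which is exactly the DNS Names failure shown in the Known issues section.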

Using validated certificates

Once your certificates are validated by the AzsReadinessChecker, you're ready to use them in your Azure Stack Hub deployment or for Azure Stack Hub secret rotation.

Next steps

Datacenter identity integration