
Tutorial: Configure HTTPS on an Azure CDN custom domain

This tutorial shows how to enable the HTTPS protocol for a custom domain that is associated with an Azure CDN endpoint. By using HTTPS on your custom domain (for example, https://www.contoso.com), you ensure that sensitive data is protected by TLS/SSL encryption while it crosses the internet. When a web browser connects to a web site over HTTPS, it validates the site's certificate and verifies that it was issued by a certificate authority the browser trusts; this protects the connection against eavesdropping and impersonation of your site.

Azure CDN supports HTTPS on a CDN endpoint hostname by default. For example, if you create a CDN endpoint such as https://contoso.azureedge.net, HTTPS is automatically enabled.

Some key attributes of the custom HTTPS feature are:

  • No additional cost: There are no charges for certificate acquisition or renewal and no surcharge for HTTPS traffic. You pay only for GB egress from the CDN.

  • Simple enablement: One-click provisioning is available from the Azure portal. You can also enable the feature through the REST API or other developer tools.

  • Complete certificate management: All certificate procurement and management is handled for you. Certificates are provisioned and renewed automatically before they expire, which removes the risk of a service interruption caused by an expired certificate.

In this tutorial, you learn how to:

  • Enable the HTTPS protocol on your custom domain.
  • Use a CDN-managed certificate.
  • Use your own certificate.
  • Validate the domain.
  • Disable the HTTPS protocol on your custom domain.

Prerequisites

Note

This article has been updated to use the Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Before you can complete the steps in this tutorial, you must first create a CDN profile and at least one CDN endpoint. For more information, see Quickstart: Create an Azure CDN profile and endpoint.

In addition, you must associate an Azure CDN custom domain with your CDN endpoint. For more information, see Tutorial: Add a custom domain to your Azure CDN endpoint.


SSL certificates

To enable the HTTPS protocol for securely delivering content on an Azure CDN custom domain, you must use an SSL certificate. You can use a certificate that is managed by Azure CDN or use your own certificate.

When you use a CDN-managed certificate, the HTTPS feature can be turned on with just a few clicks. Azure CDN handles all certificate management tasks, such as procurement and renewal. After you enable the feature, the process starts immediately. If the custom domain is already mapped to the CDN endpoint by a CNAME record, no further action is required: Azure CDN processes the steps and completes your request automatically. If your custom domain is mapped elsewhere, you must validate domain ownership by email instead.

To enable HTTPS on a custom domain, follow these steps:

  1. In the Azure portal, browse to your Azure CDN Standard from Microsoft, Azure CDN Standard from Akamai, Azure CDN Standard from Verizon, or Azure CDN Premium from Verizon profile.

  2. In the list of CDN endpoints, select the endpoint that contains your custom domain.

    (Screenshot: Endpoints list)

    The Endpoint page appears.

  3. In the list of custom domains, select the custom domain for which you want to enable HTTPS.

    (Screenshot: Custom domains list)

    The Custom domain page appears.

  4. Under Certificate management type, select CDN managed.

  5. Select On to enable HTTPS.

    (Screenshot: Custom domain HTTPS status)

  6. Proceed to Validate the domain.

Validate the domain

If you already have a custom domain in use that is mapped to your CDN endpoint with a CNAME record, or you are using your own certificate, proceed to Custom domain is mapped to your CDN endpoint by a CNAME record. Otherwise, if the CNAME record for your endpoint no longer exists or it contains the cdnverify subdomain, proceed to Custom domain is not mapped to your CDN endpoint.

Custom domain is mapped to your CDN endpoint by a CNAME record

When you added a custom domain to your endpoint, you created a CNAME record in your DNS provider's zone to map it to your CDN endpoint hostname. If that CNAME record still exists and does not contain the cdnverify subdomain, the DigiCert CA uses it to validate ownership of your custom domain automatically.

If you are using your own certificate, domain validation is not required.

Your CNAME record should be in the following format, where Name is your custom domain name and Value is your CDN endpoint hostname:

    Name               Type    Value
    www.contoso.com    CNAME   contoso.azureedge.net

For more information about CNAME records, see Create the CNAME DNS record.

If your CNAME record is in the correct format, DigiCert automatically verifies your custom domain name and creates a dedicated certificate for it. DigiCert does not send you a verification email, and you do not need to approve the request. The certificate is valid for one year and is renewed automatically before it expires. Proceed to Wait for propagation.

Automatic validation typically takes a few minutes. If your domain has not been validated within an hour, open a support ticket.

Note

If you have a Certificate Authority Authorization (CAA) record with your DNS provider, it must include DigiCert as a valid CA. A CAA record lets a domain owner declare, in DNS, which CAs are authorized to issue certificates for the domain. If a CA receives an order for a certificate for a domain that has a CAA record and the CA is not listed as an authorized issuer, it is prohibited from issuing the certificate for that domain or subdomain. For information about managing CAA records, see Manage CAA records. For a CAA record tool, see CAA Record Helper.
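The two DNS conditions described above (a CNAME that points at the endpoint hostname itself rather than the cdnverify alias, and a CAA policy that lists DigiCert) can be checked before you switch HTTPS on, which tells you in advance whether to expect automatic validation or a DigiCert approval email. The following Python is an added example, not code from the Azure documentation or from Azure CDN. It evaluates a snapshot of your zone (here a constructed sample using contoso.com and fabrikam.com as placeholder names) and applies the CAA lookup rules of RFC 8659: the closest name, from the hostname upward, that has CAA records defines the policy, and the "issue" property names the CAs allowed to issue non-wildcard certificates.

```python
"""Pre-flight DNS check for enabling CDN-managed HTTPS on a custom domain.

Added example, not Azure documentation code. Two rules from the tutorial are
applied to a zone snapshot:
  * validation path: DigiCert validates ownership automatically only if the
    custom domain is a CNAME to the CDN endpoint hostname itself, not to the
    cdnverify.<endpoint> alias; otherwise WHOIS e-mail validation is used.
  * CAA: if a CAA policy applies to the name, it must list digicert.com in an
    "issue" property, or DigiCert must refuse to issue (RFC 8659).
ZONE is constructed sample data; fill it from your DNS provider or from
`dig +noall +answer <name> CNAME` / `... CAA` output.
"""
from __future__ import annotations

# Constructed sample zone: fully qualified name -> [(record type, rdata), ...]
ZONE = {
    "www.contoso.com.":  [("CNAME", "contoso.azureedge.net.")],
    "cdn.contoso.com.":  [("CNAME", "cdnverify.contoso.azureedge.net.")],
    "contoso.com.":      [("CAA", '0 issue "letsencrypt.org"'),
                          ("CAA", '0 issue "digicert.com"'),
                          ("CAA", '0 iodef "mailto:security@contoso.com"')],
    "img.fabrikam.com.": [("CNAME", "fabrikam.azureedge.net.")],
    "fabrikam.com.":     [("CAA", '0 issue "letsencrypt.org"')],
}

DIGICERT_CAA_DOMAIN = "digicert.com"   # identifier DigiCert honours in CAA


def _fqdn(name: str) -> str:
    """Normalise a DNS name: lower-case with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def cname_target(zone: dict, name: str) -> str | None:
    """Return the CNAME target of `name`, or None if it has no CNAME."""
    for rtype, rdata in zone.get(_fqdn(name), []):
        if rtype == "CNAME":
            return _fqdn(rdata)
    return None


def validation_method(zone: dict, custom_domain: str, endpoint_host: str) -> str:
    """'cname': DigiCert validates automatically. 'email': WHOIS e-mail flow."""
    target = cname_target(zone, custom_domain)
    if target is None:
        return "email"                      # CNAME record no longer exists
    if target.startswith("cdnverify."):
        return "email"                      # pre-registration alias is not accepted
    if target != _fqdn(endpoint_host):
        return "email"                      # domain is mapped elsewhere
    return "cname"


def effective_caa(zone: dict, name: str) -> list[str]:
    """RFC 8659: the closest name (self or ancestor) with CAA records sets the
    policy. CNAME chasing at each step is omitted (assumption: the snapshot
    already holds the relevant CAA set)."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        caa = [rdata for rtype, rdata in zone.get(candidate, []) if rtype == "CAA"]
        if caa:
            return caa
    return []


def parse_caa(rdata: str) -> tuple[int, str, str]:
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def caa_allows(zone: dict, name: str, ca_domain: str = DIGICERT_CAA_DOMAIN) -> bool:
    """True if `ca_domain` may issue a non-wildcard certificate for `name`."""
    records = [parse_caa(r) for r in effective_caa(zone, name)]
    if not records:
        return True                         # no CAA policy: any CA may issue
    issue = [value for _, tag, value in records if tag == "issue"]
    if not issue:
        return True                         # only iodef/issuewild: 'issue' is unrestricted
    # an issue value may carry parameters after ';', e.g. 'digicert.com; policy=ev'
    permitted = {v.split(";", 1)[0].strip() for v in issue}
    return ca_domain in permitted


def preflight(zone: dict, custom_domain: str, endpoint_host: str) -> dict:
    """Summarise what will happen when HTTPS is switched on for `custom_domain`."""
    method = validation_method(zone, custom_domain, endpoint_host)
    caa_ok = caa_allows(zone, custom_domain)
    findings = []
    if method == "email":
        findings.append("expect a DigiCert approval e-mail to the WHOIS/admin@ contacts")
    if not caa_ok:
        findings.append("CAA policy does not list digicert.com; add a '0 issue "
                        "\"digicert.com\"' record before enabling HTTPS")
    return {"domain": _fqdn(custom_domain), "validation": method,
            "caa_ok": caa_ok, "findings": findings}


if __name__ == "__main__":
    for domain, endpoint in [("www.contoso.com", "contoso.azureedge.net"),
                             ("cdn.contoso.com", "contoso.azureedge.net"),
                             ("img.fabrikam.com", "fabrikam.azureedge.net")]:
        print(preflight(ZONE, domain, endpoint))
```

In the sample, www.contoso.com qualifies for automatic validation and its CAA policy admits DigiCert; cdn.contoso.com still carries the cdnverify alias and will fall back to email validation; img.fabrikam.com has a correct CNAME but a CAA policy that names only another CA, so DigiCert would be blocked until a CAA record for digicert.com is added.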

Custom domain is not mapped to your CDN endpoint

If the CNAME record for your endpoint no longer exists or it contains the cdnverify subdomain, follow the rest of the instructions in this step.

Note

Email validation of custom domain ownership is currently unavailable for Azure CDN from Akamai profiles. This feature is currently in our backlog.

After you submit a request to enable HTTPS on your custom domain, the DigiCert CA validates ownership of your domain by contacting its registrant, according to the domain's WHOIS registrant information. Contact is made via the email address (by default) or the phone number listed in the WHOIS registration. You must complete domain validation before HTTPS becomes active on your custom domain. You have six business days to approve the domain; requests that are not approved within six business days are automatically canceled.

(Screenshot: WHOIS record)

DigiCert also sends a verification email to additional addresses. If the WHOIS registrant information is private, verify that you can approve directly from one of the following addresses:

admin@<your-domain-name.com>
administrator@<your-domain-name.com>
webmaster@<your-domain-name.com>
hostmaster@<your-domain-name.com>
postmaster@<your-domain-name.com>

Because whoever reads these mailboxes can approve certificate issuance for your domain, make sure they exist and are restricted to the domain's administrators.

You should receive an email within a few minutes, similar to the following example, asking you to approve the request. If you use a spam filter, add admin@digicert.com to its allow list. If you do not receive an email within 24 hours, contact Microsoft support.

(Screenshot: Domain validation email)

When you click the approval link, you are directed to the following online approval form:

(Screenshot: Domain validation form)

Follow the instructions on the form; you have two verification options:

  • You can approve all future orders placed through the same account for the same root domain, for example contoso.com. This approach is recommended if you plan to add more custom domains for the same root domain.

  • You can approve just the specific host name used in this request. Additional approval is required for subsequent requests.

After approval, DigiCert completes the certificate creation for your custom domain name. The certificate is valid for one year and is renewed automatically before it expires.

Wait for propagation

After the domain name is validated, it can take up to 6-8 hours for the custom domain HTTPS feature to be activated. When the process is complete, the custom HTTPS status in the Azure portal is set to Enabled and the four operation steps in the custom domain dialog are marked as complete. Your custom domain is now ready to use HTTPS.

(Screenshot: Enable HTTPS dialog)
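The portal status tells you that provisioning finished; what a practitioner also wants is a check from the outside that the edge really serves a certificate for the custom domain. The following Python is an added example, not code from the Azure documentation or from Azure CDN. probe() opens a TLS connection with SNI set to the custom domain (Azure CDN selects the custom-domain certificate by SNI, as the FAQ below notes) and inspects the leaf certificate: hostname match against its Subject Alternative Names, issuing organization, and days to expiry. While the certificate is still propagating during the 6-8 hour window, verification typically fails with a hostname mismatch or a connection reset, which probe() reports rather than raising. inspect_peer_cert() works on the dict returned by ssl.SSLSocket.getpeercert(), so it is also exercised offline on SAMPLE_CERT, a constructed record with placeholder names.

```python
"""Check from outside that HTTPS is live on an Azure CDN custom domain.

Added example, not Azure documentation code. probe() connects with SNI and
inspects the certificate the edge presents; inspect_peer_cert() evaluates a
getpeercert() dict and can be run offline on the constructed SAMPLE_CERT.
"""
from __future__ import annotations

import socket
import ssl
import sys
import time

# Constructed sample in getpeercert() format; placeholder names, not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.contoso.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),)),
    "notBefore": "Jun 15 00:00:00 2024 GMT",
    "notAfter": "Jun 15 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.contoso.com"), ("DNS", "*.cdn.contoso.com")),
}
# A fixed "now" exactly 30 days before SAMPLE_CERT expires, for offline use.
SAMPLE_NOW = ssl.cert_time_to_seconds("May 16 23:59:59 2025 GMT")


def _san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single leading '*' label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname


def inspect_peer_cert(cert: dict, hostname: str, now: float | None = None) -> dict:
    """Evaluate a getpeercert() dict against the custom domain we expect to serve."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    org = issuer.get("organizationName", "")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostname_matches": any(_san_matches(s, hostname) for s in sans),
        "san": sans,
        "issuer": org,
        "issued_by_digicert": "digicert" in org.lower(),
        "days_left": int((not_after - now) // 86400),
        "expired": not_after <= now,
    }


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with SNI=hostname, verify the chain, and inspect the leaf."""
    ctx = ssl.create_default_context()   # CA and hostname verification enabled
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            # server_hostname is what sets SNI; without it the edge cannot
            # select the certificate issued for this custom domain.
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                info = inspect_peer_cert(tls.getpeercert(), hostname)
                info.update(ok=True, tls_version=tls.version())
                return info
    except ssl.SSLCertVerificationError as exc:
        # typical while the certificate is still being deployed to the edge
        return {"ok": False, "error": f"certificate verification failed: {exc.verify_message}"}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.contoso.com"
    print(probe(target))
```

Run it as `python probe_https.py www.contoso.com` after the portal reports Enabled; a result with ok=True, hostname_matches=True and a DigiCert issuer confirms the custom-domain certificate is being served, and days_left gives you a number to alert on even though Azure CDN renews the certificate for you.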

Operation progress

The following table shows the operation progress that occurs when you enable HTTPS. After you enable HTTPS, four operation steps appear in the custom domain dialog. As each step becomes active, additional substep details appear under it as it progresses. Not all of these substeps occur in every case. After a step completes successfully, a green check mark appears next to it.

Operation step              Operation substep details
1 Submitting request        Submitting request
                            Your HTTPS request is being submitted.
                            Your HTTPS request has been submitted successfully.
2 Domain validation         Domain is validated automatically if it is CNAME mapped to the CDN endpoint. Otherwise, a verification request is sent to the email listed in your domain's registration record (WHOIS registrant). Verify the domain as soon as possible.
                            Your domain ownership has been successfully validated.
                            Domain ownership validation request expired (customer likely did not respond within 6 days). HTTPS will not be enabled on your domain. *
                            Domain ownership validation request was rejected by the customer. HTTPS will not be enabled on your domain. *
3 Certificate provisioning  The certificate authority is currently issuing the certificate needed to enable HTTPS on your domain.
                            The certificate has been issued and is currently being deployed to the CDN network. This could take up to 6 hours.
                            The certificate has been successfully deployed to the CDN network.
4 Complete                  HTTPS has been successfully enabled on your domain.

* This message appears only if an error has occurred.

If an error occurs before the request is submitted, the following error message is displayed:

We encountered an unexpected error while processing your HTTPS request. Please try again and contact support if the issue persists.

Clean up resources - disable HTTPS

In the preceding steps, you enabled the HTTPS protocol on your custom domain. If you no longer want to use your custom domain with HTTPS, you can disable HTTPS by performing these steps:

Disable the HTTPS feature

  1. In the Azure portal, browse to your Azure CDN Standard from Microsoft, Azure CDN Standard from Verizon, or Azure CDN Premium from Verizon profile.

  2. In the list of endpoints, click the endpoint that contains your custom domain.

  3. Click the custom domain for which you want to disable HTTPS.

    (Screenshot: Custom domains list)

  4. Click Off to disable HTTPS, then click Apply.

    (Screenshot: Custom HTTPS dialog)

Wait for propagation

After the custom domain HTTPS feature is disabled, it can take up to 6-8 hours for the change to take effect. When the process is complete, the custom HTTPS status in the Azure portal is set to Disabled and the three operation steps in the custom domain dialog are marked as complete. Your custom domain can no longer use HTTPS.

(Screenshot: Disable HTTPS dialog)

Operation progress

The following table shows the operation progress that occurs when you disable HTTPS. After you disable HTTPS, three operation steps appear in the Custom domain dialog. As each step becomes active, additional details appear under it. After a step completes successfully, a green check mark appears next to it.

Operation progress            Operation details
1 Submitting request          Submitting your request
2 Certificate deprovisioning  Deleting certificate
3 Complete                    Certificate deleted

Frequently asked questions

  1. Who is the certificate provider and what type of certificate is used?

    For both Azure CDN from Verizon and Azure CDN from Microsoft, a dedicated/single certificate provided by DigiCert is used for your custom domain.

  2. Do you use IP-based or SNI TLS/SSL?

    Both Azure CDN from Verizon and Azure CDN Standard from Microsoft use SNI TLS/SSL.

  3. What if I don't receive the domain verification email from DigiCert?

    If you have a CNAME entry for your custom domain that points directly to your endpoint hostname (and you are not using the cdnverify subdomain name), you won't receive a domain verification email; validation occurs automatically. Otherwise, if you don't have a CNAME entry and you haven't received an email within 24 hours, contact Microsoft support.

  4. Is using a SAN certificate less secure than a dedicated certificate?

    A SAN certificate follows the same encryption and security standards as a dedicated certificate. All issued SSL certificates are signed with SHA-256.

  5. Do I need a Certificate Authority Authorization record with my DNS provider?

    No, a Certificate Authority Authorization record is not currently required. However, if you do have one, it must include DigiCert as a valid CA.

  6. On June 20, 2018, Azure CDN from Verizon started using a dedicated certificate with SNI TLS/SSL by default. What happens to my existing custom domains that use a Subject Alternative Names (SAN) certificate and IP-based TLS/SSL?

    Your existing domains will be gradually migrated to a single certificate in the coming months if Microsoft's analysis shows that only SNI client requests are made to your application. If Microsoft detects that some non-SNI client requests are made to your application, your domains will stay on the SAN certificate with IP-based TLS/SSL. In either case, there will be no interruption to your service or to support for your client requests, regardless of whether those requests use SNI.

Next steps

In this tutorial, you learned how to:

  • Enable the HTTPS protocol on your custom domain.
  • Use a CDN-managed certificate.
  • Use your own certificate.
  • Validate the domain.
  • Disable the HTTPS protocol on your custom domain.

Advance to the next tutorial to learn how to configure caching on your CDN endpoint.