
Certificates overview for Azure Cloud Services

Certificates are used in Azure for cloud services (service certificates) and for authenticating with the management API (management certificates). This topic gives a general overview of both certificate types and explains how to create them and deploy them to Azure.

Certificates used in Azure are X.509 v3 certificates. They can be signed by another trusted certificate or they can be self-signed. A self-signed certificate is signed by its own creator and is therefore not trusted by default: browsers warn about it, although the user can usually choose to proceed past the warning. Use self-signed certificates only while developing and testing your cloud services.

Certificates used by Azure can contain a private key or only a public key: a .cer file holds just the public certificate, while a .pfx file also carries the private key. Every certificate has a thumbprint (the SHA-1 hash of its DER encoding) that identifies it unambiguously. This thumbprint is what the service configuration file uses to identify which certificate a cloud service should use.

Note

Azure Cloud Services does not accept a .pfx that was exported with AES256-SHA256 encryption (one of the two encryption options in the Windows Certificate Export Wizard). Export with the TripleDES-SHA1 option instead.

What are service certificates?

Service certificates are attached to cloud services and enable secure communication to and from the service. For example, if you deploy a web role, you need to supply a certificate that authenticates the exposed HTTPS endpoint. Service certificates declared in your service definition are deployed automatically to the virtual machine that runs an instance of your role.

You can upload service certificates to Azure either through the Azure portal or through the classic deployment model. Service certificates are associated with a specific cloud service and are assigned to a deployment in the service definition file.

Service certificates can be managed separately from your services, and may be managed by different people. For example, a developer may upload a service package that refers to a certificate an IT manager uploaded to Azure earlier. The IT manager can then manage and renew that certificate (changing the service configuration) without uploading a new service package. This works because the certificate's logical name, store name and store location are in the service definition file, while its thumbprint is in the service configuration file. To update the certificate, upload the new certificate and change the thumbprint value in the service configuration file.
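The split described above, shown as an added PowerShell example that is not part of the original page: the service definition (.csdef) declares the logical certificate name, store name and store location, the service configuration (.cscfg) carries only the thumbprint, and rotating the certificate means changing that one attribute. The two XML fragments are constructed samples; the role name WebRole1, the logical name SampleCertificate and the file renewed-cert.pfx are assumptions.

```powershell
# Added example (not from the original page): rotate a service certificate by changing
# only the thumbprint in the .cscfg, leaving the .csdef and the service package untouched.
# Assumptions: role "WebRole1", logical name "SampleCertificate", renewed cert in .\renewed-cert.pfx.

# Constructed sample: certificate-related part of a ServiceDefinition.csdef.
# Logical name, store name and store location live here and do not change on renewal.
[xml]$csdef = @"
<ServiceDefinition name="ContosoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1" vmsize="Small">
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SampleCertificate" />
    </Endpoints>
    <Certificates>
      <Certificate name="SampleCertificate" storeLocation="LocalMachine" storeName="My"
                   permissionLevel="limitedOrElevated" />
    </Certificates>
  </WebRole>
</ServiceDefinition>
"@

# Constructed sample: matching part of a ServiceConfiguration.cscfg. Only the thumbprint lives here.
[xml]$cscfg = @"
<ServiceConfiguration serviceName="ContosoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="2" />
    <Certificates>
      <Certificate name="SampleCertificate"
                   thumbprint="0000000000000000000000000000000000000000" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
"@

function Get-PfxThumbprint {
    param([string]$PfxPath, [securestring]$Password)
    # The thumbprint is SHA-1 over the DER-encoded certificate, the same value the portal shows.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        (Resolve-Path $PfxPath).Path, $Password)
    return $cert.Thumbprint
}

function Set-ServiceCertificateThumbprint {
    param([xml]$Definition, [xml]$Configuration, [string]$RoleName,
          [string]$CertificateName, [string]$NewThumbprint)

    # The logical name must be declared for the role in the .csdef; otherwise the .cscfg entry dangles.
    $role = @($Definition.ServiceDefinition.WebRole) + @($Definition.ServiceDefinition.WorkerRole) |
        Where-Object { $_ -and $_.name -eq $RoleName }
    if (-not $role) { throw "role '$RoleName' is not in the service definition" }
    if (-not ($role.Certificates.Certificate | Where-Object { $_.name -eq $CertificateName })) {
        throw "certificate '$CertificateName' is not declared for role '$RoleName'"
    }

    # Locate the .cscfg entry with the same logical name and swap the thumbprint.
    $cfgRole = $Configuration.ServiceConfiguration.Role | Where-Object { $_.name -eq $RoleName }
    $entry = $cfgRole.Certificates.Certificate | Where-Object { $_.name -eq $CertificateName }
    if (-not $entry) { throw "no thumbprint entry for '$CertificateName' in the service configuration" }
    if ($NewThumbprint -notmatch '^[0-9A-Fa-f]{40}$') { throw "'$NewThumbprint' is not a SHA-1 thumbprint" }
    $entry.thumbprint = $NewThumbprint.ToUpperInvariant()
    $entry.thumbprintAlgorithm = 'sha1'
}

# Usage: read the renewed certificate's thumbprint, patch the configuration, save it.
$pw  = Read-Host -Prompt "PFX password" -AsSecureString
$new = Get-PfxThumbprint -PfxPath .\renewed-cert.pfx -Password $pw
Set-ServiceCertificateThumbprint -Definition $csdef -Configuration $cscfg `
    -RoleName WebRole1 -CertificateName SampleCertificate -NewThumbprint $new
$cscfg.Save("$PWD\ServiceConfiguration.Cloud.cscfg")
# Next: upload renewed-cert.pfx to the cloud service, then apply the saved configuration.
```

The definition check matters in practice: a configuration that names a certificate the definition never declared, or a thumbprint for a certificate that has not been uploaded to the cloud service, is rejected at deployment time, so validate both before touching the live configuration.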

Note

The Cloud Services FAQ article has some helpful information about certificates.

What are management certificates?

Management certificates allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. They are not really related to cloud services themselves.

Warning

Be careful! Anyone who authenticates with one of these certificates can manage the subscription it is associated with, so protect the private key (the .pfx) as you would any other subscription credential.

限制Limitations

There is a limit of 100 management certificates per subscription. There is also a limit of 100 management certificates across all subscriptions under a specific service administrator's user ID. If the account administrator's user ID has already been used to add 100 management certificates and more are needed, you can add a co-administrator to add the additional certificates.

Create a new self-signed certificate

You can use any available tool to create a self-signed certificate as long as the certificate meets these requirements:

  • An X.509 certificate.

  • Contains a private key.

  • Created for key exchange (.pfx file).

  • The subject name must match the domain used to access the cloud service.

    You cannot acquire an SSL certificate for the cloudapp.net domain (or any other Azure-related domain); the certificate's subject name must match the custom domain name used to access your application. For example, contoso.net, not contoso.cloudapp.net.

  • A key of at least 2048 bits.

  • Service certificates only: the client-side certificate must reside in the Personal certificate store.
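A check for the requirements in this list, as an added PowerShell example that is not part of the original page: it loads a .pfx and reports which requirements it fails before you upload it. Everything in it is local .NET and PowerShell; the key-exchange requirement is checked through the KeyEncipherment key usage (which a key-exchange key carries), and the file names, password and host names in the demo at the end are assumptions.

```powershell
# Added example (not from the original page): validate a .pfx against the service-certificate
# requirements before upload. File names, password and host names below are assumptions.

function Test-CloudServiceCertificate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$ExpectedDnsName
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        (Resolve-Path $PfxPath).Path, $Password)
    $problems = @()

    # 1. X.509 v3 (v1/v2 certificates cannot carry the SAN and key-usage extensions checked below).
    if ($cert.Version -lt 3) { $problems += "certificate is X.509 v$($cert.Version), need v3" }

    # 2. Contains a private key (a .cer holds only the public half and is not enough here).
    if (-not $cert.HasPrivateKey) { $problems += "no private key in $PfxPath" }

    # 3. Created for key exchange: such a key is marked with the KeyEncipherment key usage.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    if ($ku -and -not ($ku.KeyUsages -band $keyEnc)) { $problems += "key usage lacks KeyEncipherment (not a key-exchange key)" }

    # 4. Subject CN or a SAN entry must match the host name clients will connect to.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # On Windows, Format($true) prints one "DNS Name=host" line per SAN entry.
        $names += ($san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() } })
    }
    if ($names -notcontains $ExpectedDnsName) {
        $problems += "subject/SAN [$($names -join ', ')] does not include $ExpectedDnsName"
    }

    # 5. RSA key of at least 2048 bits.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { $problems += "public key is not RSA" }
    elseif ($rsa.KeySize -lt 2048) { $problems += "RSA key is $($rsa.KeySize) bits, need at least 2048" }

    # Self-signed is acceptable for dev/test only; report it so it is not shipped to production by accident.
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Problems   = $problems
        Ok         = ($problems.Count -eq 0)
    }
}

# Demo (assumptions: a throwaway certificate in the current user's Personal store, files in the current directory).
$pw   = ConvertTo-SecureString -String "demo-only-password" -Force -AsPlainText
$demo = New-SelfSignedCertificate -DnsName contoso.cloudapp.net -CertStoreLocation "cert:\CurrentUser\My" `
            -KeyLength 2048 -KeySpec KeyExchange
Export-PfxCertificate -Cert $demo -FilePath .\demo.pfx -Password $pw | Out-Null
Test-CloudServiceCertificate -PfxPath .\demo.pfx -Password $pw -ExpectedDnsName contoso.cloudapp.net
Test-CloudServiceCertificate -PfxPath .\demo.pfx -Password $pw -ExpectedDnsName www.contoso.net
```

The second demo call shows the failure mode from the list: the certificate is otherwise fine but its name does not match the host the clients will use, which is exactly the case for a cloudapp.net certificate presented under a custom domain.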

On Windows you can create a certificate with PowerShell, with IIS, or with the deprecated makecert.exe utility.

Makecert.exe

This utility has been deprecated and is no longer documented here. For more information, see this MSDN article.

PowerShell

# Run from an elevated Windows PowerShell session (cert:\LocalMachine\My needs administrator rights).
# -DnsName sets the subject CN and SAN; a cloudapp.net name is fine for dev/test, production must use your custom domain.
$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText   # placeholder; use Read-Host -AsSecureString in saved scripts
# Exports the certificate together with its private key. Leave the PFX encryption at its default (TripleDES-SHA1): AES256-SHA256 is rejected by Cloud Services.
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password

Note

If you want to use the certificate with an IP address instead of a domain, pass the IP address in the -DnsName parameter.

If you want to use this certificate with the management portal, export it to a .cer file (public key only, no private key):

Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

Internet Information Services (IIS)

There are many pages on the internet that cover how to do this with IIS. Here is a great one I found that I think explains it well.

Linux

This article describes how to create certificates with SSH.

Next steps

Upload your service certificate to the Azure portal.

Upload a management API certificate to the Azure portal.