Generate certificate signing requests for Azure Stack Hub

You can use the Azure Stack Hub Readiness Checker tool to create certificate signing requests (CSRs) suitable for an Azure Stack Hub deployment. Certificates should be requested, generated, and validated with enough time to test them before deployment. You can get the tool from the PowerShell Gallery.

You can use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to request the following certificates:

Prerequisites

Your system should meet the following prerequisites before you generate any CSRs for PKI certificates for an Azure Stack Hub deployment:

  • Microsoft Azure Stack Hub Readiness Checker

  • Certificate attributes:

    • Region name
    • External fully qualified domain name (FQDN)
    • Subject
  • Windows 10 or Windows Server 2016 or later

    Note

    When you receive your certificates back from your certificate authority, the steps in Prepare Azure Stack Hub PKI certificates must be completed on the same system.

Generate certificate signing requests for new deployments

Use these steps to prepare certificate signing requests for new Azure Stack Hub PKI certificates:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or later) by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker
    
  2. Declare the subject. For example:

    $subject = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack Hub"
    

    Note

    If a common name (CN) is supplied, it is configured on every certificate request. If the CN is omitted, the first DNS name of the Azure Stack Hub service is configured on the certificate request.

  3. Declare an output directory that already exists. For example:

    $outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
    
  4. Declare the identity system.

    Azure Active Directory (Azure AD):

    $IdentitySystem = "AAD"
    

    Active Directory Federation Services (AD FS):

    $IdentitySystem = "ADFS"
    

    Note

    This parameter is required only for the Deployment certificate type.

  5. Declare the region name and the external FQDN intended for the Azure Stack Hub deployment.

    $regionName = 'east'
    $externalFQDN = 'azurestack.contoso.com'
    

    Note

    <regionName>.<externalFQDN> forms the basis on which all external DNS names in Azure Stack Hub are created. In this example, the portal would be portal.east.azurestack.contoso.com.

  6. To generate certificate signing requests for deployment:

    New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
    

    To generate certificate requests for other Azure Stack Hub services, change the value for -CertificateType. For example:

    # App Services
    New-AzsHubAppServicesCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # DBAdapter
    New-AzsHubDbAdapterCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # EventHubs
    New-AzsHubEventHubsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # IoTHub
    New-AzsHubIoTHubCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
  7. Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):

    New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -RequestType SingleCSR -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
    
  8. Review the output:

    Starting Certificate Request Process for Deployment
    CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
    Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710165538.req
    Certreq.exe output: CertReq: Request Created
    
  9. Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) that you must submit to a certificate authority. For your reference, the directory also contains a child directory with the INF file(s) used during certificate request generation. Be sure that your CA issues certificates from your generated request that meet the Azure Stack Hub PKI requirements.
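As an added example (not part of the original article or of the Readiness Checker tool), the script below derives the deployment SAN list shown in the step 8 output from the region name and external FQDN, reads the SANs back out of every generated .req file with certutil.exe, and reports any names that are missing or unexpected before the requests go to the CA. It assumes the Azure AD SAN list from step 8 (adjust the list for your identity system) and that certutil -dump prints each SAN entry as a "DNS Name=<name>" line.

```powershell
# Added example, not the article's or the tool's code. Verify that the SANs across the
# generated .req files are exactly the deployment names derived from <regionName>.<externalFQDN>.
function Get-ExpectedDeploymentSans {
    param([string]$RegionName, [string]$ExternalFQDN)
    $base = "$RegionName.$ExternalFQDN"
    # Names taken from the step 8 sample output (Azure AD identity system).
    $wildcards = 'adminhosting', 'adminvault', 'blob', 'hosting', 'queue', 'table', 'vault'
    $hosts     = 'adminmanagement', 'adminportal', 'management', 'portal'
    @($wildcards | ForEach-Object { "*.$_.$base" }) + @($hosts | ForEach-Object { "$_.$base" })
}

function Get-CsrSans {
    param([string]$RequestPath)
    # Assumption: certutil -dump prints each SAN entry on its own "DNS Name=<name>" line.
    $dump = & certutil.exe -dump $RequestPath 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed on ${RequestPath}: $dump" }
    foreach ($line in $dump) {
        if ("$line" -match '^\s*DNS Name=(\S+)\s*$') { $Matches[1].ToLowerInvariant() }
    }
}

function Test-CsrSans {
    param([string]$OutputDirectory, [string]$RegionName, [string]$ExternalFQDN)
    $expected = Get-ExpectedDeploymentSans -RegionName $RegionName -ExternalFQDN $ExternalFQDN |
                ForEach-Object { $_.ToLowerInvariant() }
    # Union of SANs across all requests: works for per-service CSRs and for SingleCSR alike.
    $files  = Get-ChildItem -Path $OutputDirectory -Filter '*.req' -File
    $actual = @($files | ForEach-Object { Get-CsrSans -RequestPath $_.FullName } | Sort-Object -Unique)
    $missing = @($expected | Where-Object { $_ -notin $actual })   # the CA would issue nothing for these
    $extra   = @($actual   | Where-Object { $_ -notin $expected }) # should not appear in a deployment CSR
    [pscustomobject]@{
        Requests = $files.Count
        Missing  = $missing
        Extra    = $extra
        Ok       = ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

# Constructed values matching steps 3 and 5; replace them with your own before running.
$regionName      = 'east'
$externalFQDN    = 'azurestack.contoso.com'
$outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
Test-CsrSans -OutputDirectory $outputDirectory -RegionName $regionName -ExternalFQDN $externalFQDN |
    Format-List
```

Clear the output directory of requests from earlier runs first, otherwise their SANs are counted as well.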

Generate certificate signing requests for certificate renewal

Use these steps to prepare certificate signing requests for renewal of existing Azure Stack Hub PKI certificates:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or later) by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
    
  2. Declare the stampEndpoint in the form regionname.domain.com for the Azure Stack Hub system. For example (if the Azure Stack Hub tenant portal address is https://portal.east.azurestack.contoso.com):

    $stampEndpoint = 'east.azurestack.contoso.com'
    

    Note

    HTTPS connectivity to the Azure Stack Hub system above is required. The Readiness Checker uses the stampEndpoint (region and domain) to build a pointer to the existing certificate required by the certificate type; for example, for deployment certificates the tool prepends 'portal', so portal.east.azurestack.contoso.com is used for certificate cloning, for App Services sso.appservices.east.azurestack.contoso.com is used, and so on. The certificate bound to the computed endpoint is used to clone attributes such as subject, key length, and signature algorithm. If you want to change any of these attributes, follow the steps in Generate certificate signing requests for new deployments instead.

  3. Declare an output directory that already exists. For example:

    $outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
    
  4. To generate certificate signing requests for deployment:

    New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    

    To generate certificate requests for other Azure Stack Hub services, use:

    # App Services
    New-AzsHubAppServicesCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # DBAdapter
    New-AzsHubDBAdapterCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # EventHubs
    New-AzsHubEventHubsCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # IoTHub
    New-AzsHubIotHubCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
  5. Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):

    New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampendpoint -OutputRequestPath $OutputDirectory -RequestType SingleCSR
    
  6. Review the output:

    Querying StampEndpoint portal.east.azurestack.contoso.com for existing certificate
    Starting Certificate Request Process for Deployment
    CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
    Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710122723.req
    Certreq.exe output: CertReq: Request Created
    
  7. Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) that you must submit to a certificate authority. For your reference, the directory also contains a child directory with the INF file(s) used during certificate request generation. Be sure that your CA issues certificates from your generated request that meet the Azure Stack Hub PKI requirements.
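Because the renewal CSR is cloned from whatever certificate the computed endpoint currently serves, it helps to look at that certificate first. The following script is an added example (not part of the original article or of the tool): it retrieves the certificate from <servicePrefix>.<stampEndpoint> over TLS on port 443 and lists the attributes the Readiness Checker clones (subject, key length, signature algorithm), plus remaining validity and any TLS chain errors it observed. It assumes the endpoint is reachable from the system where you run the tool and that the key is RSA.

```powershell
# Added example, not the article's or the tool's code. Retrieve the certificate currently bound
# to the computed endpoint and show the attributes the renewal CSR will be cloned from.
function Get-EndpointCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)   # fails fast if the HTTPS connectivity the tool needs is missing
        # Record chain/policy errors instead of aborting, so an expired or untrusted cert is still reported.
        $script:policyErrors = 'None'
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors)
            $script:policyErrors = $errors.ToString(); $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Get-CloneAttributes {
    # ServicePrefix: 'portal' for Deployment, 'sso.appservices' for App Services (see the note in step 2).
    param([string]$StampEndpoint, [string]$ServicePrefix = 'portal')
    $endpoint = "$ServicePrefix.$StampEndpoint"
    $cert = Get-EndpointCertificate -HostName $endpoint
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
    $sans = if ($sanExt) { @($sanExt.Format($true) -split "`r?`n" | Where-Object { $_ }) } else { @() }
    [pscustomobject]@{
        Endpoint           = $endpoint
        Subject            = $cert.Subject                          # cloned into the new CSR
        KeyLength          = $cert.PublicKey.Key.KeySize            # cloned into the new CSR (RSA assumed)
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName  # cloned into the new CSR
        NotAfter           = $cert.NotAfter
        DaysRemaining      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        SanCount           = $sans.Count
        ChainErrors        = $script:policyErrors
    }
}

$stampEndpoint = 'east.azurestack.contoso.com'   # constructed value matching step 2
Get-CloneAttributes -StampEndpoint $stampEndpoint | Format-List
```

Run it once per service prefix you intend to renew; if the reported Subject, KeyLength, or SignatureAlgorithm is not what the new certificate should carry, use the steps for new deployments instead, as the note in step 2 says.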

Next steps

Prepare Azure Stack Hub PKI certificates