Generate certificate signing requests for Azure Stack Hub
You can use the Azure Stack Hub Readiness Checker tool to create Certificate Signing Requests (CSRs) suitable for an Azure Stack Hub deployment. Certificates should be requested, generated, and validated with enough time to test them before deployment. You can get the tool from the PowerShell Gallery.
You can use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to request the following certificates:
- Standard certificate requests, as described in Generate certificate signing requests for new deployments.
- Renewal certificate requests, as described in Generate certificate signing requests for certificate renewal.
- Platform-as-a-Service: you can request platform-as-a-service (PaaS) names for certificates as specified in Azure Stack Hub Public Key Infrastructure certificate requirements - Optional PaaS Certificates.
Prerequisites
Your system should meet the following prerequisites before generating any CSRs for PKI certificates for an Azure Stack Hub deployment:
- Microsoft Azure Stack Hub Readiness Checker
- Certificate attributes:
  - Region name
  - External fully qualified domain name (FQDN)
  - Subject
- Windows 10 or Windows Server 2016 or later
Note
When you receive your certificates back from your certificate authority, the steps in Prepare Azure Stack Hub PKI certificates must be completed on the same system.
Generate certificate signing requests for new deployments
Use these steps to prepare certificate signing requests for new Azure Stack Hub PKI certificates:
Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:
Install-Module Microsoft.AzureStack.ReadinessChecker
Declare the subject. For example:
$subject = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack Hub"
Note
If a common name (CN) is supplied, it is configured on every certificate request. If the CN is omitted, the first DNS name of the Azure Stack Hub service is configured on the certificate request.
Declare an output directory that already exists. For example:
$outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
Declare the identity system.
Azure Active Directory (Azure AD):
$IdentitySystem = "AAD"
Active Directory Federation Services (AD FS):
$IdentitySystem = "ADFS"
Note
This parameter is required only for the Deployment CertificateType.
Declare the region name and the external FQDN intended for the Azure Stack Hub deployment:
$regionName = 'east'
$externalFQDN = 'azurestack.contoso.com'
Note
<regionName>.<externalFQDN> forms the basis on which all external DNS names in Azure Stack Hub are created. In this example, the portal would be portal.east.azurestack.contoso.com.
To generate certificate signing requests for deployment:
New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
To generate certificate requests for other Azure Stack Hub services, use the cmdlet for that service (each corresponds to a different -CertificateType). For example:
# App Services
New-AzsHubAppServicesCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
# DBAdapter
New-AzsHubDbAdapterCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
# EventHubs
New-AzsHubEventHubsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
# IoTHub
New-AzsHubIoTHubCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):
New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -RequestType SingleCSR -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
Review the output:
Starting Certificate Request Process for Deployment
CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710165538.req
Certreq.exe output: CertReq: Request Created
Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) that must be submitted to a Certificate Authority. For your reference, the directory also contains a child directory with the INF file(s) used during certificate request generation. Be sure that your CA issues certificates from your generated request that meet the Azure Stack Hub PKI requirements.
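Before a SingleCSR request leaves your hands, it is worth confirming that the SANs inside the .req file are exactly the endpoint names the tool reported and nothing else. The following check is an added example, not part of the Azure Stack Hub documentation or the Readiness Checker; it assumes $regionName, $externalFQDN and $outputDirectory are set as above, and that the built-in certutil.exe prints each SAN of a request on a "DNS Name=" line.

```powershell
# Added example (not from the Azure Stack Hub docs): compare the SANs in a generated
# Deployment SingleCSR .req file against the endpoint list printed by the tool above.
function Test-AzsHubDeploymentCsr {
    param(
        [Parameter(Mandatory)] [string] $CsrPath,
        [Parameter(Mandatory)] [string] $RegionName,
        [Parameter(Mandatory)] [string] $ExternalFQDN
    )
    $suffix = "$RegionName.$ExternalFQDN"
    # Endpoint names for the Deployment certificate type, as listed in the tool output on this page.
    $expected = @('*.adminhosting', '*.adminvault', '*.blob', '*.hosting', '*.queue', '*.table',
                  '*.vault', 'adminmanagement', 'adminportal', 'management', 'portal') |
                ForEach-Object { "$_.$suffix".ToLowerInvariant() }

    # Assumption: certutil -dump lists each SAN entry as '<indent>DNS Name=<name>'.
    $dump = certutil.exe -dump $CsrPath
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse $CsrPath" }
    $actual = @($dump | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1].ToLowerInvariant() }
    })

    $missing    = @($expected | Where-Object { $_ -notin $actual })
    $unexpected = @($actual   | Where-Object { $_ -notin $expected })
    [pscustomobject]@{
        CsrPath    = $CsrPath
        SanCount   = $actual.Count
        Missing    = $missing
        Unexpected = $unexpected
        Ok         = ($missing.Count -eq 0) -and ($unexpected.Count -eq 0)
    }
}

# Check every Deployment SingleCSR request the tool wrote to the output directory.
Get-ChildItem -Path $outputDirectory -Filter 'Deployment_*_SingleCSR_CertRequest_*.req' |
    ForEach-Object {
        Test-AzsHubDeploymentCsr -CsrPath $_.FullName -RegionName $regionName -ExternalFQDN $externalFQDN
    } | Format-List
```

A result with Ok = False means the request should be regenerated rather than submitted; the Missing and Unexpected lists show which names differ.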
Generate certificate signing requests for certificate renewal
Use these steps to prepare certificate signing requests for renewal of existing Azure Stack Hub PKI certificates:
Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:
Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
Declare the stampEndpoint in the form regionname.domain.com of the Azure Stack Hub system. For example (if the Azure Stack Hub tenant portal address is https://portal.east.azurestack.contoso.com):
$stampEndpoint = 'east.azurestack.contoso.com'
Note
HTTPS connectivity to the Azure Stack Hub system above is required. The Readiness Checker uses the stampEndpoint (region and domain) to build a pointer to the existing certificate required by the certificate type; for example, for deployment certificates the tool prepends 'portal', so portal.east.azurestack.contoso.com is used in certificate cloning, for AppServices sso.appservices.east.azurestack.contoso.com, and so on. The certificate bound to the computed endpoint is used to clone attributes such as subject, key length, and signature algorithm. If you wish to change any of these attributes, follow the steps in Generate certificate signing requests for new deployments instead.
Declare an output directory that already exists. For example:
$outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
To generate certificate signing requests for deployment:
New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
To generate certificate requests for other Azure Stack Hub services, use:
# App Services
New-AzsHubAppServicesCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
# DBAdapter
New-AzsHubDBAdapterCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
# EventHubs
New-AzsHubEventHubsCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
# IoTHub
New-AzsHubIotHubCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):
New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampendpoint -OutputRequestPath $OutputDirectory -RequestType SingleCSR
Review the output:
Querying StampEndpoint portal.east.azurestack.contoso.com for existing certificate
Starting Certificate Request Process for Deployment
CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710122723.req
Certreq.exe output: CertReq: Request Created
Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) that must be submitted to a Certificate Authority. For your reference, the directory also contains a child directory with the INF file(s) used during certificate request generation. Be sure that your CA issues certificates from your generated request that meet the Azure Stack Hub PKI requirements.
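Because the renewal path clones subject, key length and signature algorithm from whatever certificate is currently bound to the computed endpoint, it helps to look at that certificate first and confirm HTTPS connectivity at the same time. The following is an added example, not part of the Azure Stack Hub documentation or the Readiness Checker; it assumes $stampEndpoint is set as above and uses the endpoint prefixes the note gives ('portal' for Deployment, 'sso.appservices' for AppServices).

```powershell
# Added example (not from the Azure Stack Hub docs): retrieve the TLS certificate the Readiness
# Checker would clone for a renewal CSR and show the attributes it copies, before generating the request.
function Get-AzsHubEndpointCertificateInfo {
    param(
        [Parameter(Mandatory)] [string] $StampEndpoint,
        [ValidateSet('Deployment', 'AppServices')] [string] $CertificateType = 'Deployment'
    )
    # Prefix per certificate type, as described in the note above (assumed to cover only these two).
    $prefix   = @{ Deployment = 'portal'; AppServices = 'sso.appservices' }[$CertificateType]
    $hostName = "$prefix.$StampEndpoint"

    # Connect over TCP 443 and complete a TLS handshake so the leaf certificate can be read.
    # The validation callback returns $true only so that the certificate can be inspected;
    # nothing here relies on the chain being trusted.
    $client = [System.Net.Sockets.TcpClient]::new($hostName, 443)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($hostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # Key length: RSA keys only; anything else is reported as such rather than guessed.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyLength = if ($rsa) { $rsa.KeySize } else { 'non-RSA key' }
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($true) } else { '(none)' }

    [pscustomobject]@{
        Endpoint           = $hostName
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        KeyLength          = $keyLength
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        SubjectAltNames    = $san
    }
}

# Inspect the certificate behind the page's example stamp endpoint before running
# New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampEndpoint.
Get-AzsHubEndpointCertificateInfo -StampEndpoint $stampEndpoint -CertificateType Deployment | Format-List
```

If the connection fails, the renewal cmdlet will not be able to query the endpoint either; if the subject, key length or signature algorithm shown are not what you want carried into the new certificate, use the new-deployment steps instead, as the note above says.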
Next steps
Prepare Azure Stack Hub PKI certificates