Fix common issues with Azure Stack Hub PKI certificates

The information in this article helps you understand and resolve common issues with Azure Stack Hub PKI certificates. You can discover issues when you use the Azure Stack Hub Readiness Checker tool to validate Azure Stack Hub PKI certificates. The tool checks whether the certificates meet the PKI requirements of an Azure Stack Hub deployment and of Azure Stack Hub secret rotation, and then logs the results to a report.json file.

HTTP CRL - Warning

Issue - The certificate doesn't contain an HTTP CRL in the CDP extension.

Fix - This is a non-blocking issue. Azure Stack Hub requires an HTTP CRL for revocation checking, as described in the Azure Stack Hub public key infrastructure (PKI) certificate requirements. An HTTP CRL was not detected on the certificate. To ensure certificate revocation checking works, the certificate authority should issue the certificate with an HTTP CRL in the CDP extension (an LDAP-only distribution point doesn't satisfy the check).

HTTP CRL - Fail

Issue - Can't connect to the HTTP CRL in the CDP extension.

Fix - This is a blocking issue. Azure Stack Hub requires outbound connectivity to the HTTP CRL for revocation checking, as described in Publishing Azure Stack Hub ports and URLs (outbound). Confirm that the CRL URL in the CDP extension is reachable from the network the stamp uses for outbound traffic.

PFX encryption

Issue - PFX encryption isn't TripleDES-SHA1.

Fix - Export the PFX files with TripleDES-SHA1 encryption. This is the default encryption for Windows 10 clients when exporting from the Certificates snap-in or using Export-PfxCertificate. If your build of Export-PfxCertificate supports the -CryptoAlgorithmOption parameter, pass TripleDES_SHA1 explicitly rather than relying on the default.

Read PFX

Warning - The password only protects the private information in the certificate.

Fix - Export the PFX files with the optional setting Enable certificate privacy selected, so that the certificate chain is encrypted as well as the private key.

Issue - The PFX file is invalid.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment.

Signature algorithm

Issue - The signature algorithm is SHA1.

Fix - Use the steps in Azure Stack Hub certificate signing request generation to regenerate the certificate signing request (CSR) with the SHA256 signature algorithm. Then resubmit the CSR to the certificate authority to reissue the certificate.

Private key

Issue - The private key is missing or doesn't contain the local machine attribute.

Fix - From the computer that generated the CSR, re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment. These steps include exporting from the local machine certificate store; a certificate exported from the current user store won't carry the local machine attribute.

Certificate chain

Issue - The certificate chain isn't complete.

Fix - Certificates should contain the complete certificate chain. Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment and select the option Include all certificates in the certification path if possible.

DNS names

Issue - The DNSNameList on the certificate doesn't contain the Azure Stack Hub service endpoint name or a valid wildcard match. Wildcard matches are only valid for the left-most label of the DNS name. For example, *.region.domain.com is valid for portal.region.domain.com, but not for *.table.region.domain.com.

Fix - Use the steps in Azure Stack Hub certificate signing request generation to regenerate the CSR with the correct DNS names to support the Azure Stack Hub endpoints. Resubmit the CSR to a certificate authority. Then follow the steps in Prepare Azure Stack Hub PKI certificates for deployment to export the certificate from the machine that generated the CSR.

Key usage

Issue - Key usage is missing Digital Signature or Key Encipherment, or enhanced key usage is missing Server Authentication or Client Authentication.

Fix - Use the steps in Azure Stack Hub certificate signing request generation to regenerate the CSR with the correct key usage attributes. Resubmit the CSR to the certificate authority and confirm that a certificate template isn't overwriting the key usage in the request.

Key size

Issue - The key size is smaller than 2048.

Fix - Use the steps in Azure Stack Hub certificate signing request generation to regenerate the CSR with the correct key length (2048), and then resubmit the CSR to the certificate authority.
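The following PowerShell is an added example, not code from this article or from the AzsReadinessChecker module. It reads a PFX with Get-PfxData (Windows PKI module) and checks the leaf certificate against the HTTP CRL, signature algorithm, private key, DNS names, key usage and key size requirements described in the sections above, including the left-most-label wildcard rule from the DNS names section. The file path .\certificates\ssl.pfx and the endpoint names in the usage call are assumptions for illustration.

```powershell
# Added example (not part of AzsReadinessChecker): inspect a PFX for the
# certificate requirements described above and list what it misses.
# File names, endpoint names and the password prompt are assumptions.

function Test-AzsDnsNameMatch {
    # Wildcard rule from the DNS names section: '*.region.domain.com' covers
    # exactly one left-most label, so portal.region.domain.com matches but
    # x.table.region.domain.com (or *.table.region.domain.com) does not.
    param([string] $CertificateName, [string] $EndpointName)
    if ($CertificateName -ieq $EndpointName) { return $true }
    if (-not $CertificateName.StartsWith('*.')) { return $false }
    $suffix = $CertificateName.Substring(1)   # '.region.domain.com'
    if (-not $EndpointName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    $leftmost = $EndpointName.Substring(0, $EndpointName.Length - $suffix.Length)
    return ($leftmost.Length -gt 0 -and -not $leftmost.Contains('.'))
}

function Test-AzsPfxRequirements {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string[]] $RequiredDnsNames = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

    # Private key: Get-PfxData loads it when the PFX carries one
    if (-not $leaf.HasPrivateKey) { $findings.Add('Private key: missing from PFX') }

    # Signature algorithm: SHA1 is rejected; the CSR guidance produces SHA256
    if ($leaf.SignatureAlgorithm.FriendlyName -match '^sha1') {
        $findings.Add("Signature algorithm: $($leaf.SignatureAlgorithm.FriendlyName), need SHA256")
    }

    # Key size: the RSA key must be at least 2048 bits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
    if (-not $rsa) { $findings.Add('Key size: public key is not RSA') }
    elseif ($rsa.KeySize -lt 2048) { $findings.Add("Key size: $($rsa.KeySize) is smaller than 2048") }

    # HTTP CRL in the CDP extension (OID 2.5.29.31); an LDAP-only CDP is not enough
    $cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp -or $cdp.Format($false) -notmatch '(?i)\bhttp://') {
        $findings.Add('HTTP CRL: no http:// distribution point in the CDP extension')
    }

    # Key usage must include Digital Signature and Key Encipherment
    $ku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or ($ku.KeyUsages -band $needed) -ne $needed) {
        $findings.Add('Key usage: needs Digital Signature and Key Encipherment')
    }

    # Enhanced key usage must include Server Authentication and Client Authentication
    $eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekuOids -notcontains $oid) { $findings.Add("Enhanced key usage: missing $oid") }
    }

    # DNS names: every required endpoint must be covered by a SAN entry or a valid wildcard
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @(if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } })
    foreach ($endpoint in $RequiredDnsNames) {
        $covered = $dnsNames | Where-Object { Test-AzsDnsNameMatch -CertificateName $_ -EndpointName $endpoint }
        if (-not $covered) { $findings.Add("DNS names: $endpoint is not covered by: $($dnsNames -join ', ')") }
    }

    [pscustomobject]@{ Path = $PfxPath; Subject = $leaf.Subject; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Usage (paths and endpoint names are assumptions for illustration)
$password = Read-Host -Prompt 'Enter password' -AsSecureString
Test-AzsPfxRequirements -PfxPath .\certificates\ssl.pfx -PfxPassword $password `
    -RequiredDnsNames 'portal.east.azurestack.contoso.com', 'adminportal.east.azurestack.contoso.com' |
    Format-List
```

Every finding maps to one of the sections above, so a failing entry tells you which fix to apply; in particular, anything under Signature algorithm, Key size, Key usage or DNS names requires a new CSR, not a re-export. The check reads the CDP extension but doesn't fetch the CRL, so it covers the HTTP CRL warning, not the connectivity failure.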

Chain order

Issue - The order of the certificate chain is incorrect.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment and select the option Include all certificates in the certification path if possible. Ensure that only the leaf certificate is selected for export.

Other certificates

Issue - The PFX package contains certificates that aren't the leaf certificate or part of the certificate chain.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment, and select the option Include all certificates in the certification path if possible. Ensure that only the leaf certificate is selected for export.

Fix common packaging issues

The AzsReadinessChecker tool contains a helper cmdlet called Repair-AzsPfxCertificate, which imports and then re-exports a PFX file to fix common packaging issues, including:

  • PFX encryption isn't TripleDES-SHA1.
  • The private key is missing the local machine attribute.
  • The certificate chain is incomplete or wrong. If the PFX package doesn't contain the certificate chain, the local machine must contain it, because the cmdlet builds the chain from the local machine's certificate stores.
  • Other certificates are present in the package.

Repair-AzsPfxCertificate can't help if you need to generate a new CSR and reissue the certificate.

Prerequisites

The following prerequisites must be in place on the computer on which the tool runs:

Import and export an existing PFX file

  1. On a computer that meets the prerequisites, open an elevated PowerShell prompt, and then run the following command to install the Azure Stack Hub Readiness Checker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
    
  2. From the PowerShell prompt, run the following cmdlet to set the PFX password. Enter the password when prompted:

    $password = Read-Host -Prompt "Enter password" -AsSecureString
    
  3. From the PowerShell prompt, run the following command to export a new PFX file:

    • For -PfxPath, specify the path to the PFX file you're working with. In the following example, the path is .\certificates\ssl.pfx.
    • For -ExportPFXPath, specify the location and name of the PFX file to export. In the following example, the path is .\certificates\ssl_new.pfx.

    Repair-AzsPfxCertificate -PfxPassword $password -PfxPath .\certificates\ssl.pfx -ExportPFXPath .\certificates\ssl_new.pfx
    
  4. After the tool completes, review the output for success:

    Repair-AzsPfxCertificate v1.1809.1005.1 started.
    Starting Azure Stack Hub Certificate Import/Export
    Importing PFX .\certificates\ssl.pfx into Local Machine Store
    Exporting certificate to .\certificates\ssl_new.pfx
    Export complete. Removing certificate from the local machine store.
    Removal complete.
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Repair-AzsPfxCertificate Completed
    
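The following PowerShell is an added example, not code from this article or from the AzsReadinessChecker module. It runs the repair procedure above over every PFX in a folder, then checks each exported package for the Chain order and Other certificates conditions: exactly one leaf certificate, every issuer up to the root shipped inside the PFX, and no unrelated certificates. The chain is built with .NET's X509Chain using only the certificates found in the PFX as the extra store, with revocation checking disabled so the check runs offline. The folder names .\certificates and .\certificates\repaired are assumptions for illustration.

```powershell
# Added example (not part of AzsReadinessChecker): repair a folder of PFX files
# with Repair-AzsPfxCertificate and verify the packaging of each result.
# Folder names and the password prompt are assumptions.

function Test-AzsPfxPackaging {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    $pfx = Get-PfxData -FilePath $PfxPath -Password $PfxPassword

    # "Ensure that only the leaf certificate is selected for export": one end-entity cert
    if ($pfx.EndEntityCertificates.Count -ne 1) {
        $problems.Add("expected exactly one leaf certificate, found $($pfx.EndEntityCertificates.Count)")
    }
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1
    if (-not $leaf) {
        return [pscustomobject]@{ Path = $PfxPath; Pass = $false; Problems = $problems }
    }

    # Build the leaf's chain from the certificates shipped in the PFX, offline.
    # AllowUnknownCertificateAuthority keeps the elements populated even when the
    # root isn't trusted on this machine; we inspect the elements, not Build()'s result.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    if ($pfx.OtherCertificates) { $chain.ChainPolicy.ExtraStore.AddRange($pfx.OtherCertificates) }
    $null = $chain.Build($leaf)

    if ($chain.ChainStatus.Status -contains 'PartialChain') {
        $problems.Add('chain incomplete: an issuer certificate could not be found')
    }
    $chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $shipped     = @($pfx.OtherCertificates | ForEach-Object { $_.Thumbprint })

    # Certificate chain: each issuer in the built chain must come from the PFX itself,
    # not from this machine's CA stores (the stamp won't have those).
    foreach ($t in ($chainThumbs | Select-Object -Skip 1)) {
        if ($shipped -notcontains $t) { $problems.Add("chain incomplete: issuer $t is not in the PFX") }
    }
    # Other certificates: anything shipped that isn't part of the leaf's chain
    foreach ($t in $shipped) {
        if ($chainThumbs -notcontains $t) { $problems.Add("unrelated certificate $t in the PFX") }
    }

    [pscustomobject]@{ Path = $PfxPath; Pass = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (folder names are assumptions): repair every PFX, then verify the exported copy
$password = Read-Host -Prompt 'Enter password' -AsSecureString
$null = New-Item -ItemType Directory -Force -Path .\certificates\repaired
Get-ChildItem -Path .\certificates -Filter *.pfx | ForEach-Object {
    $out = Join-Path .\certificates\repaired $_.Name
    Repair-AzsPfxCertificate -PfxPassword $password -PfxPath $_.FullName -ExportPFXPath $out | Out-Host
    Test-AzsPfxPackaging -PfxPath $out -PfxPassword $password
} | Format-Table Path, Pass, Problems -AutoSize
```

A package that still reports "chain incomplete" after the repair means the issuing CA certificates weren't in the local machine's stores when Repair-AzsPfxCertificate ran, which is the prerequisite the packaging section calls out; install the intermediate and root certificates on that machine and run the repair again.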
    

Next steps