Validate Azure Stack Hub PKI certificates

The Azure Stack Hub Readiness Checker tool described in this article is available from the PowerShell Gallery. Use the tool to validate that generated public key infrastructure (PKI) certificates are suitable for pre-deployment. Validate certificates early enough to leave time to test and, if necessary, reissue them.

The Readiness Checker tool performs the following certificate validations:

  • Parse PFX
    Checks for a valid PFX file, the correct password, and whether the public information is protected by the password.
  • Expiry date
    Checks for a minimum validity of seven days.
  • Signature algorithm
    Checks that the signature algorithm isn't SHA1.
  • Private key
    Checks that the private key is present and is exported with the local machine attribute.
  • Cert chain
    Checks that the certificate chain is intact, including a check for self-signed certificates.
  • DNS names
    Checks that the SAN contains the relevant DNS names for each endpoint, or that a supporting wildcard is present.
  • Key usage
    Checks that the key usage contains digital signature and key encipherment, and that the enhanced key usage contains server authentication and client authentication.
  • Key size
    Checks that the key size is 2048 or larger.
  • Chain order
    Checks the order of the other certificates, validating that the order is correct.
  • Other certificates
    Ensures that no certificates other than the relevant leaf certificate and its chain have been packaged in the PFX.
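As an added example (not the Readiness Checker's own code, nor code from the original article), the following Windows PowerShell 5.1 function approximates most of the checks listed above with the .NET X509 classes, so a PFX can be sanity-checked locally before the tool is run. The function names Test-SanCovers and Test-PfxCandidate, their parameter names, and the sample path are hypothetical; chain order is not checked, and revocation is deliberately left to the tool.

```powershell
# Added example: local pre-check of a PFX that approximates the Readiness Checker's
# validations. Test-SanCovers / Test-PfxCandidate and their parameters are hypothetical.
function Test-SanCovers {
    param([string[]]$SanDnsNames, [string]$RequiredName)
    foreach ($san in $SanDnsNames) {
        if ($san -ieq $RequiredName) { return $true }
        # A wildcard SAN covers exactly one label and never satisfies a required wildcard,
        # so '*.east.azurestack.contoso.com' does not cover '*.blob.east.azurestack.contoso.com'.
        if ($san.StartsWith('*.') -and -not $RequiredName.StartsWith('*.')) {
            $parent = $RequiredName.Substring($RequiredName.IndexOf('.') + 1)
            if ($san.Substring(2) -ieq $parent) { return $true }
        }
    }
    return $false
}

function Test-PfxCandidate {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string[]]$RequiredDnsNames,
        [int]$MinimumDaysValid = 7,
        [int]$MinimumKeySize = 2048
    )
    $r = [ordered]@{ File = Split-Path -Leaf $PfxPath }
    # Parse PFX: import with the machine key set, as the tool expects the private key to be.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bor
             [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
    $pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    try {
        $plain = [System.Net.NetworkCredential]::new('', $PfxPassword).Password
        $pfx.Import($PfxPath, $plain, $flags)
        $r['Parse PFX'] = 'OK'
    } catch {
        $r['Parse PFX'] = "Fail: $($_.Exception.Message)"
        return [pscustomobject]$r
    }
    # The leaf is the certificate that carries the private key; everything else is chain or surplus.
    $leaf = @($pfx | Where-Object HasPrivateKey) | Select-Object -First 1
    if (-not $leaf) { $r['Private Key'] = 'Fail: no certificate with a private key'; return [pscustomobject]$r }
    $r['Private Key']         = 'OK'
    $r['Expiry Date']         = if ($leaf.NotAfter -gt (Get-Date).AddDays($MinimumDaysValid)) { 'OK' } else { "Fail: expires $($leaf.NotAfter.ToString('u'))" }
    $r['Signature Algorithm'] = if ($leaf.SignatureAlgorithm.FriendlyName -match 'sha1') { "Fail: $($leaf.SignatureAlgorithm.FriendlyName)" } else { 'OK' }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
    $r['Key Size'] = if ($rsa -and $rsa.KeySize -ge $MinimumKeySize) { 'OK' } else { "Fail: $(if ($rsa) { $rsa.KeySize } else { 'non-RSA key' })" }
    # Key usage: DigitalSignature + KeyEncipherment, and EKU serverAuth (1.3.6.1.5.5.7.3.1) + clientAuth (1.3.6.1.5.5.7.3.2).
    $ku  = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
    $kuOk  = $ku -and $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature) -and
             $ku.KeyUsages.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    $ekuOk = ('1.3.6.1.5.5.7.3.1' -in $ekuOids) -and ('1.3.6.1.5.5.7.3.2' -in $ekuOids)
    $r['Key Usage'] = if ($kuOk -and $ekuOk) { 'OK' } else { 'Fail: need DigitalSignature+KeyEncipherment and serverAuth+clientAuth' }
    # DNS names: the SAN extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b" on Windows.
    $sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = if ($sanExt) { @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) } else { @() }
    $missing = @($RequiredDnsNames | Where-Object { -not (Test-SanCovers -SanDnsNames $sans -RequiredName $_) })
    $r['DNS Names'] = if ($missing) { "Fail: no SAN entry covers $($missing -join ', ')" } else { 'OK' }
    # Cert chain: build offline from the certificates shipped inside the PFX; revocation is the tool's job.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $extras = @($pfx | Where-Object { -not $_.HasPrivateKey })
    foreach ($c in $extras) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $built = $chain.Build($leaf)
    if ($leaf.Subject -eq $leaf.Issuer) { $r['Cert Chain'] = 'Fail: leaf is self-signed' }
    elseif (-not $built) { $r['Cert Chain'] = "Fail: $(@($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')" }
    else { $r['Cert Chain'] = 'OK' }
    # Other certificates: anything in the PFX that the built chain does not use is surplus.
    $chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $surplus = @($extras | Where-Object { $_.Thumbprint -notin $chainThumbs })
    $r['Other Certificates'] = if (-not $built) { 'Skipped (Cert Chain failed)' } elseif ($surplus) { "Fail: $($surplus.Subject -join '; ')" } else { 'OK' }
    return [pscustomobject]$r
}

# Usage: required names follow the certificate naming pattern for region 'east' (sample path is hypothetical).
$pfxPassword = Read-Host -Prompt 'Enter PFX Password' -AsSecureString
Test-PfxCandidate -PfxPath 'C:\Certificates\Deployment\ACSBlob\CustomerCertificate.pfx' -PfxPassword $pfxPassword `
    -RequiredDnsNames '*.blob.east.azurestack.contoso.com' | Format-List
```

The result is a single object with one property per check, in the same OK/Fail vocabulary the tool prints, so a PFX that fails here would fail the tool as well; a pass here is not a substitute for running the tool, since it does not check chain order or CRL reachability.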

Important

The PKI certificate is a PFX file; both the file and its password should be treated as sensitive information.

Prerequisites

Your system should meet the following prerequisites before validating PKI certificates for an Azure Stack Hub deployment:

  • Microsoft Azure Stack Hub Readiness Checker.
  • SSL certificate(s) exported following the preparation instructions.
  • DeploymentData.json.
  • Windows 10 or Windows Server 2016.

Perform core services certificate validation

Use these steps to validate the Azure Stack Hub PKI certificates for deployment and secret rotation:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
    
  2. Create the certificate directory structure. In the example below, you can change <C:\Certificates\Deployment> to a new directory path of your choice.

    New-Item C:\Certificates\Deployment -ItemType Directory
    
    $directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal'
    
    $destination = 'C:\Certificates\Deployment'
    
    $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}
    

    Note

    AD FS and Graph are required if you're using AD FS as your identity system. For example:

    $directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'ADFS', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'Graph', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal'
    
    • Place your certificate(s) in the appropriate directories created in the previous step. For example:
      • C:\Certificates\Deployment\ACSBlob\CustomerCertificate.pfx
      • C:\Certificates\Deployment\Admin Portal\CustomerCertificate.pfx
      • C:\Certificates\Deployment\ARM Admin\CustomerCertificate.pfx
  3. In the PowerShell window, change the values of RegionName, FQDN and IdentitySystem to those appropriate for the Azure Stack Hub environment and run the following cmdlet:

    $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString
    Invoke-AzsHubDeploymentCertificateValidation -CertificatePath C:\Certificates\Deployment -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD
    
  4. Check the output and ensure that all certificates pass all tests. For example:

    Invoke-AzsHubDeploymentCertificateValidation v1.2005.1286.272 started.
    Testing: KeyVaultInternal\KeyVaultInternal.pfx
    Thumbprint: E86699****************************4617D6
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: ARM Public\ARMPublic.pfx
    Thumbprint: 8DC4D9****************************69DBAA
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: Admin Portal\AdminPortal.pfx
    Thumbprint: 6F9055****************************4AC0EA
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: Public Portal\PublicPortal.pfx
    
    
    Log location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsHubDeploymentCertificateValidation Completed
    
    

    To validate certificates for other Azure Stack Hub services, change the value for -CertificateType. For example:

    # App Services
    Invoke-AzsHubAppServicesCertificateValidation -CertificatePath C:\Certificates\AppServices -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # DBAdapter
    Invoke-AzsHubDBAdapterCertificateValidation -CertificatePath C:\Certificates\DBAdapter -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # EventHubs
    Invoke-AzsHubEventHubsCertificateValidation -CertificatePath C:\Certificates\EventHubs -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    
    # IoTHub
    Invoke-AzsHubIoTHubCertificateValidation -CertificatePath C:\Certificates\IoTHub -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com
    

    Each folder should contain a single PFX file for the certificate type. If a certificate type has multi-certificate requirements, nested folders for each individual certificate are expected, and their names are case-sensitive. The following listing shows an example folder/certificate structure for all certificate types, together with the appropriate values for -CertificateType and -CertificatePath.

    C:\>tree c:\SecretStore /A /F
        Folder PATH listing
        Volume serial number is 85AE-DF2E
        C:\SECRETSTORE
        \---AzureStack
            +---CertificateRequests
            \---Certificates
                +---AppServices         # Invoke-AzsCertificateValidation `
                |   +---API             #     -CertificateType AppServices `
                |   |       api.pfx     #     -CertificatePath C:\Certificates\AppServices
                |   |
                |   +---DefaultDomain
                |   |       wappsvc.pfx
                |   |
                |   +---Identity
                |   |       sso.pfx
                |   |
                |   \---Publishing
                |           ftp.pfx
                |
                +---DBAdapter           # Invoke-AzsCertificateValidation `
                |       dbadapter.pfx   #   -CertificateType DBAdapter `
                |                       #   -CertificatePath C:\Certificates\DBAdapter
                |
                +---Deployment          # Invoke-AzsCertificateValidation `
                |   +---ACSBlob         #   -CertificateType Deployment `
                |   |       acsblob.pfx #   -CertificatePath C:\Certificates\Deployment
                |   |
                |   +---ACSQueue
                |   |       acsqueue.pfx
               ./. ./. ./. ./. ./. ./. ./.    <- Deployment certificate tree trimmed.
                |   \---Public Portal
                |           portal.pfx
                |
                +---EventHubs           # Invoke-AzsCertificateValidation `
                |       eventhubs.pfx   #   -CertificateType EventHubs `
                |                       #   -CertificatePath C:\Certificates\EventHubs
                |
                \---IoTHub              # Invoke-AzsCertificateValidation `
                        iothub.pfx      #   -CertificateType IoTHub `
                                        #   -CertificatePath C:\Certificates\IoTHub
    

Known issues

Symptom: Tests are skipped

Cause: AzsReadinessChecker skips certain tests if a dependency isn't met:

  • Other certificates are skipped if the certificate chain check fails.

    Testing: ACSBlob\singlewildcard.pfx
        Read PFX: OK
        Signature Algorithm: OK
        Private Key: OK
        Cert Chain: OK
        DNS Names: Fail
        Key Usage: OK
        Key Size: OK
        Chain Order: OK
        Other Certificates: Skipped
    Details:
    The certificate records '*.east.azurestack.contoso.com' do not contain a record that is valid for '*.blob.east.azurestack.contoso.com'. Please refer to the documentation for how to create the required certificate file.
    The Other Certificates check was skipped because Cert Chain and/or DNS Names failed. Follow the guidance to remediate those issues and recheck. 
    
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json
    Invoke-AzsCertificateValidation Completed
    

Resolution: Follow the tool's guidance in the details section under each set of tests for each certificate.

Symptom: HTTP CRL checking fails despite an HTTP CDP being written to the x509 extensions.

Cause: Currently, AzsReadinessChecker can't check for an HTTP CDP under some OS languages.

Resolution: Run validation with the OS language set to EN-US.

Certificates

Directory               Certificate
----------------------  ---------------------------------------------
ACSBlob                 wildcard_blob_<region>_<externalFQDN>
ACSQueue                wildcard_queue_<region>_<externalFQDN>
ACSTable                wildcard_table_<region>_<externalFQDN>
Admin Extension Host    wildcard_adminhosting_<region>_<externalFQDN>
Admin Portal            adminportal_<region>_<externalFQDN>
ARM Admin               adminmanagement_<region>_<externalFQDN>
ARM Public              management_<region>_<externalFQDN>
KeyVault                wildcard_vault_<region>_<externalFQDN>
KeyVaultInternal        wildcard_adminvault_<region>_<externalFQDN>
Public Extension Host   wildcard_hosting_<region>_<externalFQDN>
Public Portal           portal_<region>_<externalFQDN>
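As an added example (not from the article or the Readiness Checker), the following function encodes the table above together with the one-PFX-per-folder rule from the validation section, and reports, for a Deployment certificate path, which folders are missing, empty or hold more than one PFX, along with the DNS name each certificate is expected to cover. The function name Get-DeploymentCertificateLayout and its parameters are hypothetical; the DNS name is derived by assuming the table's naming pattern (wildcard_X_<region>_<externalFQDN> becomes *.X.<region>.<externalFQDN>, and name_<region>_<externalFQDN> becomes name.<region>.<externalFQDN>), and the ADFS/Graph folders are only checked for existence because the table lists no certificate name for them.

```powershell
# Added example: checks the on-disk layout for -CertificateType Deployment against the
# Certificates table. Function and parameter names are hypothetical.
function Get-DeploymentCertificateLayout {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,
        [Parameter(Mandatory)][string]$RegionName,
        [Parameter(Mandatory)][string]$FQDN,
        [ValidateSet('AAD', 'ADFS')][string]$IdentitySystem = 'AAD'   # value names assumed
    )
    # Directory -> certificate name, exactly as listed in the Certificates table.
    $expected = [ordered]@{
        'ACSBlob'               = 'wildcard_blob_<region>_<externalFQDN>'
        'ACSQueue'              = 'wildcard_queue_<region>_<externalFQDN>'
        'ACSTable'              = 'wildcard_table_<region>_<externalFQDN>'
        'Admin Extension Host'  = 'wildcard_adminhosting_<region>_<externalFQDN>'
        'Admin Portal'          = 'adminportal_<region>_<externalFQDN>'
        'ARM Admin'             = 'adminmanagement_<region>_<externalFQDN>'
        'ARM Public'            = 'management_<region>_<externalFQDN>'
        'KeyVault'              = 'wildcard_vault_<region>_<externalFQDN>'
        'KeyVaultInternal'      = 'wildcard_adminvault_<region>_<externalFQDN>'
        'Public Extension Host' = 'wildcard_hosting_<region>_<externalFQDN>'
        'Public Portal'         = 'portal_<region>_<externalFQDN>'
    }
    if ($IdentitySystem -eq 'ADFS') {
        # Required with AD FS per the note in the validation steps; no certificate name is
        # given in the table, so only the folder and its PFX count are checked.
        $expected['ADFS']  = $null
        $expected['Graph'] = $null
    }
    foreach ($dir in $expected.Keys) {
        $full = Join-Path $CertificatePath $dir
        $pfx  = if (Test-Path $full) { @(Get-ChildItem -Path $full -Filter *.pfx -File) } else { @() }
        # Derive the DNS name the certificate must cover from the table's naming pattern (assumption).
        $dns = $null
        if ($expected[$dir]) {
            $name = $expected[$dir] -replace '_<region>_<externalFQDN>$', ''
            $dns  = if ($name -like 'wildcard_*') { "*.$($name.Substring(9)).$RegionName.$FQDN" } else { "$name.$RegionName.$FQDN" }
        }
        $status = 'OK'
        if (-not (Test-Path $full)) { $status = 'Fail: directory missing' }
        elseif ($pfx.Count -eq 0)   { $status = 'Fail: no PFX file' }
        elseif ($pfx.Count -gt 1)   { $status = "Fail: $($pfx.Count) PFX files, expected one" }
        [pscustomobject]@{
            Directory       = $dir
            ExpectedDnsName = $dns
            PfxFile         = ($pfx.Name -join ', ')
            Status          = $status
        }
    }
}

# Usage with the region and FQDN used elsewhere in this article:
Get-DeploymentCertificateLayout -CertificatePath 'C:\Certificates\Deployment' -RegionName east -FQDN azurestack.contoso.com |
    Format-Table -AutoSize
```

Run this before Invoke-AzsHubDeploymentCertificateValidation: a folder with two PFX files or a misspelt folder name shows up here as a layout failure rather than as a confusing skipped or failed test in the tool's output, and the ExpectedDnsName column is the value to look for in each certificate's SAN.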

Using validated certificates

Once your certificates are validated by the AzsReadinessChecker, you're ready to use them in your Azure Stack Hub deployment or for Azure Stack Hub secret rotation.

Next steps

Datacenter identity integration