Certificates overview for Azure Cloud Services

Certificates are used in Azure for cloud services (service certificates) and for authenticating with the management API (management certificates). This topic gives a general overview of both certificate types, how to create them, and how to deploy them to Azure.

Certificates used in Azure are X.509 v3 certificates and can be signed by another trusted certificate or they can be self-signed. A self-signed certificate is signed by its own creator, so it is not trusted by default: browsers show a warning for it, which a user can usually click through, and no automated client will accept it without being explicitly configured to. You should only use self-signed certificates when developing and testing your cloud services.

Certificates uploaded to Azure either contain only the public key (a .cer file) or the public key together with the private key (a password-protected .pfx file). Every certificate has a thumbprint (the SHA-1 hash of its DER encoding) that identifies it unambiguously. This thumbprint is used in the Azure service configuration file to identify which certificate a cloud service should use.

Note

Azure Cloud Services does not accept .pfx files encrypted with AES256-SHA256, the PKCS #12 encryption mode that newer versions of the Windows certificate export wizard offer and that OpenSSL 3 uses by default. Export with the legacy TripleDES-SHA1 mode instead (on Windows Server 2022 and Windows 11 or later, Export-PfxCertificate exposes this as -CryptoAlgorithmOption TripleDES_SHA1).

What are service certificates?

Service certificates are attached to cloud services and enable secure communication to and from the service. For example, if you deploy a web role, you need to supply a certificate that can authenticate its exposed HTTPS endpoint. Service certificates defined in your service definition are automatically deployed to the virtual machine that runs an instance of your role.

You can upload service certificates to Azure either through the Azure portal or through the classic deployment model. Service certificates are associated with a specific cloud service, and they are assigned to a deployment in the service definition file.

Service certificates can be managed separately from your services, and may be managed by different people. For example, a developer may upload a service package that refers to a certificate that an IT manager previously uploaded to Azure. The IT manager can then manage and renew that certificate (changing the configuration of the service) without uploading a new service package. Updating without a new service package is possible because the certificate's logical name, store name, and store location are specified in the service definition file (.csdef), while its thumbprint is specified in the service configuration file (.cscfg). To update the certificate, you only need to upload the new certificate and change the thumbprint value in the service configuration file.
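The following PowerShell is an added example, not code from the original page or from the Azure SDK, of the rotation the paragraph describes: the logical name and store come from the service definition, so only the thumbprint attribute in the service configuration is rewritten, after checking that the replacement certificate actually exists in that store with a private key and the same subject. The .csdef and .cscfg contents, the role name WebRole1 and the certificate name SslCert are constructed for the demo; the demo uses the CurrentUser store so it runs without elevation, whereas role instances normally use LocalMachine.

```powershell
# Added example (not from the original page): rotate a service certificate by changing
# only the thumbprint in the .cscfg, the way the text above describes.
function Update-ServiceCertificateThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DefinitionPath,     # ServiceDefinition.csdef
        [Parameter(Mandatory)] [string] $ConfigurationPath,  # ServiceConfiguration.cscfg
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [string] $CertificateName,    # logical name shared by both files
        [Parameter(Mandatory)] [string] $NewThumbprint
    )
    $csdef = [xml](Get-Content -Raw $DefinitionPath)
    $cscfg = [xml](Get-Content -Raw $ConfigurationPath)
    $nsDef = New-Object System.Xml.XmlNamespaceManager -ArgumentList $csdef.NameTable
    $nsDef.AddNamespace('d', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition')
    $nsCfg = New-Object System.Xml.XmlNamespaceManager -ArgumentList $cscfg.NameTable
    $nsCfg.AddNamespace('c', 'http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration')

    # 1. The .csdef says where the role expects the certificate to be installed (WebRole or WorkerRole).
    $defCert = $csdef.SelectSingleNode("//d:*[@name='$RoleName']/d:Certificates/d:Certificate[@name='$CertificateName']", $nsDef)
    if (-not $defCert) { throw "certificate '$CertificateName' is not defined for role '$RoleName' in $DefinitionPath" }
    $storePath = "Cert:\$($defCert.storeLocation)\$($defCert.storeName)"

    # 2. The .cscfg carries the thumbprint that is about to change.
    $cfgCert = $cscfg.SelectSingleNode("//c:Role[@name='$RoleName']/c:Certificates/c:Certificate[@name='$CertificateName']", $nsCfg)
    if (-not $cfgCert) { throw "certificate '$CertificateName' is not configured for role '$RoleName' in $ConfigurationPath" }
    $oldThumbprint = $cfgCert.thumbprint

    # 3. Sanity checks on the replacement before touching the configuration.
    $new = Get-Item "$storePath\$NewThumbprint" -ErrorAction Stop
    if (-not $new.HasPrivateKey) { throw 'replacement certificate has no private key in this store' }
    if ($new.NotAfter -le (Get-Date)) { throw "replacement certificate expired on $($new.NotAfter)" }
    $old = Get-Item "$storePath\$oldThumbprint" -ErrorAction SilentlyContinue
    if ($old -and $old.Subject -ne $new.Subject) {
        throw "subject changed from '$($old.Subject)' to '$($new.Subject)'; HTTPS endpoints would stop matching"
    }

    # 4. Only the .cscfg changes; the .csdef (and therefore the service package) is untouched.
    $cfgCert.SetAttribute('thumbprint', $NewThumbprint.ToUpperInvariant())
    $cfgCert.SetAttribute('thumbprintAlgorithm', 'sha1')   # Azure thumbprints are SHA-1 over the DER certificate
    $cscfg.Save((Resolve-Path $ConfigurationPath).ProviderPath)
    [pscustomobject]@{ Certificate = $CertificateName; Store = $storePath; Old = $oldThumbprint; New = $NewThumbprint.ToUpperInvariant() }
}

# Demo with constructed files and two self-signed certificates (hypothetical names).
$dir = Join-Path $env:TEMP 'cs-rotate-demo'; New-Item -ItemType Directory -Force $dir | Out-Null
$oldCert = New-SelfSignedCertificate -DnsName 'www.contoso.net' -CertStoreLocation 'Cert:\CurrentUser\My'
$newCert = New-SelfSignedCertificate -DnsName 'www.contoso.net' -CertStoreLocation 'Cert:\CurrentUser\My'
@"
<ServiceDefinition name="ContosoService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Certificates><Certificate name="SslCert" storeLocation="CurrentUser" storeName="My" /></Certificates>
    <Endpoints><InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SslCert" /></Endpoints>
  </WebRole>
</ServiceDefinition>
"@ | Set-Content "$dir\ServiceDefinition.csdef"
@"
<ServiceConfiguration serviceName="ContosoService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Instances count="1" />
    <Certificates><Certificate name="SslCert" thumbprint="$($oldCert.Thumbprint)" thumbprintAlgorithm="sha1" /></Certificates>
  </Role>
</ServiceConfiguration>
"@ | Set-Content "$dir\ServiceConfiguration.cscfg"

Update-ServiceCertificateThumbprint -DefinitionPath "$dir\ServiceDefinition.csdef" `
    -ConfigurationPath "$dir\ServiceConfiguration.cscfg" -RoleName WebRole1 `
    -CertificateName SslCert -NewThumbprint $newCert.Thumbprint
Remove-Item $oldCert.PSPath, $newCert.PSPath   # tidy the demo certificates out of the store
```

The subject check is the guard most worth keeping: the .csdef binds the HTTPS endpoint to the logical name, not to a host name, so nothing in Azure stops you from pointing that name at a certificate issued for a different domain.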

Note

The Cloud Services FAQ - Configuration and Management article has some helpful information about certificates.

What are management certificates?

Management certificates allow you to authenticate with the classic deployment model. Many programs and tools (such as Visual Studio or the Azure SDK) use these certificates to automate configuration and deployment of various Azure services. They are not specific to cloud services.

Warning

Be careful! Anyone who holds the private key of a management certificate can manage the entire subscription it is associated with. Treat the .pfx like an administrator credential: keep it in a protected certificate store, never commit it to source control or a build image, and remove the certificate from the subscription when it is no longer needed.

Limitations

There is a limit of 100 management certificates per subscription. There is also a limit of 100 management certificates across all subscriptions under a specific service administrator's user ID. If the account administrator's user ID has already been used to add 100 management certificates and more are needed, you can add a co-administrator to add the additional certificates.

Create a new self-signed certificate

You can use any available tool to create a self-signed certificate, as long as the certificate meets these requirements:

  • It is an X.509 certificate.

  • It contains a private key.

  • It is created for key exchange (exported as a .pfx file).

  • Its subject name matches the domain used to access the cloud service.

    You cannot acquire an SSL certificate from a public CA for the cloudapp.net domain (or for any other Azure-owned domain); the certificate's subject name must match the custom domain name used to access your application. For example, contoso.net, not contoso.cloudapp.net.

  • The key is at least 2048 bits long.

  • Service certificates only: the certificate must reside in the Personal certificate store on the role instance.
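The following PowerShell is an added example, not code from the original page, that checks a .pfx against the requirements listed above before you upload it, and also reports the PKCS #12 encryption mode, since the note near the top says Azure rejects AES256-SHA256 .pfx files. The file name, password and DNS names are hypothetical. The encryption check scans the DER bytes for the password-based-encryption algorithm OIDs, which works because PKCS #12 leaves its AlgorithmIdentifiers unencrypted.

```powershell
# Added example (not from the original page): validate a service-certificate .pfx
# against the requirement list above and detect the PKCS #12 encryption mode.
function Find-ByteSequence {
    param([byte[]] $Haystack, [byte[]] $Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $match = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

function Test-AzureServiceCertificatePfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $ExpectedDnsName
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # DER encodings of the PBE OIDs that distinguish the two export modes:
    #   pbeWithSHAAnd3-KeyTripleDES-CBC (1.2.840.113549.1.12.1.3): the TripleDES-SHA1 mode Azure accepts
    #   aes256-CBC (2.16.840.1.101.3.4.1.42) under PBES2: the AES256-SHA256 mode Azure rejects
    $bytes      = [System.IO.File]::ReadAllBytes($PfxPath)
    $oid3Des    = [byte[]](0x06,0x0A,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x0C,0x01,0x03)
    $oidAes256  = [byte[]](0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x01,0x2A)
    $encryption = if (Find-ByteSequence $bytes $oidAes256) { 'AES256-SHA256' }
                  elseif (Find-ByteSequence $bytes $oid3Des) { 'TripleDES-SHA1' }
                  else { 'unknown' }
    if ($encryption -ne 'TripleDES-SHA1') { $problems.Add("PFX encryption is $encryption; re-export with TripleDES-SHA1") }

    # Loading the bundle proves it parses as X.509 and unlocks the private key for inspection.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags

    if ($cert.Version -ne 3)           { $problems.Add("certificate is X.509 v$($cert.Version); v3 required") }
    if (-not $cert.HasPrivateKey)      { $problems.Add('no private key in the .pfx') }
    if ($cert.NotAfter -lt (Get-Date)) { $problems.Add("expired on $($cert.NotAfter)") }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keySize = if ($rsa) { $rsa.KeySize } else { 0 }
    if ($keySize -lt 2048) { $problems.Add("RSA key is $keySize bits; 2048 required") }

    # Names the certificate is valid for: the subject CN plus any Subject Alternative Name DNS entries.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows renders entries as "DNS Name=host"; .NET on Linux renders "DNS:host".
        $names += [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $names | Where-Object {
        ($_ -eq $ExpectedDnsName) -or
        ($_.StartsWith('*.') -and $ExpectedDnsName -like $_ -and
         $ExpectedDnsName.Split('.').Count -eq $_.Split('.').Count)   # wildcard covers one label only
    }
    if (-not $nameOk) { $problems.Add("subject/SAN [$($names -join ', ')] does not cover $ExpectedDnsName") }
    if ($ExpectedDnsName -like '*.cloudapp.net') {
        Write-Warning 'cloudapp.net names are only acceptable on self-signed development certificates'
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        KeySize       = $keySize
        PfxEncryption = $encryption
        Problems      = $problems.ToArray()
        Passed        = ($problems.Count -eq 0)
    }
}

# Demo: create a self-signed development certificate (hypothetical name), export it, test the .pfx.
$pfxPassword = ConvertTo-SecureString 'P@ssw0rd-demo' -AsPlainText -Force
$demo = New-SelfSignedCertificate -DnsName 'www.contoso.net' -CertStoreLocation 'Cert:\CurrentUser\My' -KeyLength 2048 -KeySpec KeyExchange
$pfx  = Join-Path $env:TEMP 'demo-service.pfx'
Export-PfxCertificate -Cert $demo -FilePath $pfx -Password $pfxPassword | Out-Null
Test-AzureServiceCertificatePfx -PfxPath $pfx -Password $pfxPassword -ExpectedDnsName 'www.contoso.net' | Format-List
Remove-Item $demo.PSPath   # tidy the demo certificate out of the store
```

If the check reports AES256-SHA256, re-export from the store with Export-PfxCertificate (adding -CryptoAlgorithmOption TripleDES_SHA1 on Windows versions that have that parameter), or on Linux with openssl pkcs12 -export -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 (OpenSSL 3 also accepts -legacy for the same effect).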

On Windows, the usual ways to create a certificate are PowerShell, the (deprecated) makecert.exe utility, or IIS; a Linux option is covered below.

Makecert.exe

This utility has been deprecated and is no longer documented here. For more information, see the MSDN article on makecert.

PowerShell

# Create the certificate in the local machine Personal store (needs an elevated session);
# -DnsName becomes both the subject CN and a Subject Alternative Name entry.
$cert = New-SelfSignedCertificate -DnsName yourdomain.cloudapp.net -CertStoreLocation "cert:\LocalMachine\My" -KeyLength 2048 -KeySpec "KeyExchange"
$password = ConvertTo-SecureString -String "your-password" -Force -AsPlainText   # use a real secret, not a literal in a script
# Export certificate plus private key as a .pfx for upload as a service certificate
Export-PfxCertificate -Cert $cert -FilePath ".\my-cert-file.pfx" -Password $password

Note

If you want to use the certificate with an IP address instead of a domain, pass the IP address in the -DnsName parameter. Be aware that this places the value in a dNSName entry rather than an iPAddress entry of the Subject Alternative Name, and strict clients expect an IP in an iPAddress entry, so test with the client you intend to use.

If you want to use this certificate with the management portal, export it to a .cer file:

# Public key only: the .cer carries no private key and is what you upload as a management certificate
Export-Certificate -Type CERT -Cert $cert -FilePath .\my-cert-file.cer

Internet Information Services (IIS)

There are many pages on the internet that cover how to do this with IIS. Here is one I found that I think explains it well.

Linux

This article describes how to create certificates with SSH. Note that an SSH key pair is not an X.509 certificate; to produce a self-signed X.509 certificate and a .pfx on Linux, use OpenSSL instead, and keep the requirements above (including the PFX encryption note) in mind.

Next steps

Upload your service certificate to the Azure portal.

Upload a management API certificate to the Azure portal.