The following table describes the Microsoft Azure Stack Hub public
endpoint PKI certificates that are required for both AAD and ADFS Azure Stack
Hub deployments. Certificate requirements are grouped by area, namespaces used,
and the certificates that are required for each namespace. The table also
describes the folder in which your solution provider copies the different
certificates per public endpoint.
Use certificates with the appropriate DNS names for each Azure Stack Hub
public infrastructure endpoint. Each endpoint DNS name is expressed in the
following format: <prefix>.<region>.<fqdn>.
For your deployment, the <region> and <fqdn> values must match the
region and external domain names that you choose for your Azure Stack Hub
system. For example, if the region name is “Redmond” and the external domain
name is “company.com”, the DNS names have the format
<prefix>.redmond.company.com. Microsoft predesignates the <prefix> values to
describe the endpoint that is secured by the certificate; the <prefix> value of
each external infrastructure endpoint depends on the Azure Stack Hub service
that uses that endpoint.
NOTE: You can provide certificates either as single wildcard certificates
covering all namespaces in the Subject and SAN fields, copied into all
directories, or as individual certificates for each endpoint, copied into the
corresponding directory. Both options require that you use wildcard
certificates for the endpoints, such as ACS and Key Vault, where they are
required.
For Azure Stack Hub environments on pre-1803 release versions, see the
following table. If you deploy Azure Stack Hub using the AAD deployment mode,
you only need to request the certificates listed.
| Deployment folder name | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| ACS | One multi-subdomain wildcard certificate with Subject Alternative Names for: *.blob.<region>.<fqdn>, *.queue.<region>.<fqdn>, *.table.<region>.<fqdn> | Storage | blob.<region>.<fqdn>, table.<region>.<fqdn>, queue.<region>.<fqdn> |
| KeyVault | *.vault.<region>.<fqdn> (Wildcard SSL Certificate) | Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal | *.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) | Internal Keyvault | adminvault.<region>.<fqdn> |
NOTE: The ACS certificate requires three wildcard SANs on a single
certificate. Not all Public Certificate Authorities support multiple wildcard
SANs on a single certificate.
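The following check is an added example, not code from this page or from Microsoft: it expands the table above for a chosen region and external FQDN, reports which deployment folders a given certificate's SAN list satisfies, and shows why a plain *.<region>.<fqdn> wildcard is not enough (a wildcard spans exactly one DNS label). The region "Redmond", the domain "company.com" and the SAN lists are constructed sample values.

```python
from typing import Dict, List, Set

# Required SAN entries per deployment folder, taken from the table above.
# "{region}" and "{fqdn}" are filled in from the deployment's own values.
REQUIRED_SANS: Dict[str, List[str]] = {
    "ACS": ["*.blob.{region}.{fqdn}",
            "*.queue.{region}.{fqdn}",
            "*.table.{region}.{fqdn}"],
    "KeyVault": ["*.vault.{region}.{fqdn}"],
    "KeyVaultInternal": ["*.adminvault.{region}.{fqdn}"],
}


def expected_sans(folder: str, region: str, fqdn: str) -> List[str]:
    """Expand the templates of one folder into concrete SAN entries."""
    return [t.format(region=region.lower(), fqdn=fqdn.lower())
            for t in REQUIRED_SANS[folder]]


def wildcard_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' stands for exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    label, sep, parent = hostname.partition(".")
    return bool(sep) and label != "" and "*" not in label and parent == san[2:]


def missing_sans(folder: str, cert_sans: List[str], region: str, fqdn: str) -> List[str]:
    """Required entries the certificate lacks. A wildcard requirement must appear
    verbatim: *.redmond.company.com does not satisfy *.blob.redmond.company.com,
    because the wildcard covers a single label only."""
    present = {s.lower() for s in cert_sans}
    return [r for r in expected_sans(folder, region, fqdn) if r not in present]


def folders_satisfied(cert_sans: List[str], region: str, fqdn: str) -> Set[str]:
    """Deployment folders (from the table) this one certificate can be copied into."""
    return {f for f in REQUIRED_SANS if not missing_sans(f, cert_sans, region, fqdn)}


def hostname_covered(hostname: str, cert_sans: List[str]) -> bool:
    """Would a TLS client accept this certificate for the given endpoint host?"""
    return any(wildcard_matches(s, hostname) for s in cert_sans)


if __name__ == "__main__":
    # Constructed sample: one multi-subdomain wildcard certificate for the ACS folder.
    acs_cert = ["*.blob.redmond.company.com", "*.queue.redmond.company.com",
                "*.table.redmond.company.com"]
    print(folders_satisfied(acs_cert, "Redmond", "company.com"))           # {'ACS'}
    print(hostname_covered("mystore.blob.redmond.company.com", acs_cert))  # True
```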
However, if you deploy Azure Stack Hub using the ADFS deployment mode,
you must also request the certificates that are described in the following
table.