- Notes, cautions, and warnings
- Executive summary
- Solution Overview
- Prerequisites
- Environmental requirements
- Power distribution unit (PDU) power-drop requirements
- Azure connection, identity store, and billing-model decisions
- Choosing connection options and identity store
- Features that are impaired or unavailable in disconnected mode
- Required customer-provided security certificates
- Mandatory certificates
- Optional PaaS certificates
- Certificate requirements and validation
- License requirements
- Azure Stack Hub endpoints and customer port requirements
- Hardware Infrastructure
- Hardware components
- Overview
- PowerEdge R840 server for dense and GPU scale units
- PowerEdge R740xd server for hybrid scale units
- PowerEdge R640 server for HLH and all-flash scale units (GPU support)
- PowerSwitch N3248TE-ON management switch
- PowerSwitch S5248F-ON ToR switch
- Cisco Nexus 93180YC-FX switch
- Cisco Nexus 9348GC-FXP switch
- Switch dimensions
- Dell Integrated System factory-rack dimensions
- Rail kit information
- Dense scale unit configuration
- Hybrid scale-unit configuration
- All-flash scale-unit configuration
- All-flash tactical configuration
- Hardware components
- Networking and Cabling
- Operations and Management Software
- Security
- Maintaining the Solution
- Backup and Recovery
- Conclusion
- License Retrieval
- Dell Technologies Support and Consulting Offerings
Dell Integrated System for Microsoft Azure Stack Hub Tech Book
Mandatory certificates
The following table describes the Microsoft Azure Stack Hub public endpoint PKI certificates that are required for both AAD and ADFS Azure Stack Hub deployments. Certificate requirements are grouped by area, namespaces used, and the certificates that are required for each namespace. The table also describes the folder in which your solution provider copies the different certificates per public endpoint.
| Deployment folder | Required certificate subject and SAN |
Scope (per region) |
Subdomain namespace |
| Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| ACSBlob |
*.blob.<region>.<fqdn> (Wildcard SSL Certificate) |
Blob Storage | blob.<region>.<fqdn> |
| ACSTable |
*.table.<region>.<fqdn> (Wildcard SSL Certificate) |
Table Storage | table.<region>.<fqdn> |
| ACSQueue |
*.queue.<region>.<fqdn> (Wildcard SSL Certificate) |
Queue Storage | queue.<region>.<fqdn> |
| KeyVault |
*.vault.<region>.<fqdn> (Wildcard SSL Certificate) |
Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal |
*.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) |
Internal Keyvault | adminvault.<region>.<fqdn> |
| Extension Host |
*.hosting.<region>.<fqdn> (Wildcard SSL Certificates) |
Extension Host | hosting.<region>.<fqdn> |
|
*.adminhosting.<region>.<fqdn> (Wildcard SSL Certificates) |
Extension Host | adminhosting. <region>.<fqdn> |
Use certificates with the appropriate DNS names for each Azure Stack Hub public infrastructure endpoint. Each endpoint DNS name is expressed in the following format: <prefix>.<region>.<fqdn>.
For your deployment, the [region] and [externalfqdn] values must match the region and external domain names that you choose for your Azure Stack Hub system. For example, if the region name is “Redmond” and the external domain name is “company.com”, the DNS names have the format <prefix>.redmond.company.com. Microsoft predesignates the <prefix> values to describe the endpoint that is secured by the certificate. Also, the <prefix> values of the external infrastructure endpoints depend on the Azure Stack Hub service that uses the specific endpoint.
NOTE: You can provide certificates as single wildcard certificates
covering all name spaces in the Subject and SAN fields that are copied into all
directories. You can also provide certificates as individual certificates for
each endpoint copied into the corresponding directory. Both options require
that you use wildcard certificates for endpoints, such as ACS and Key Vault,
where they are required.
For Azure Stack Hub environments on pre-1803 release versions, see the following table. If you deploy Azure Stack Hub using the AAD deployment mode, you only need to request the certificates listed.
| Deployment folder | Required certificate subject and SAN | Scope (per region) | Subdomain namespace |
| Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| ACS |
One multi-subdomain wildcard certificate with Subject Alternative names for: *.blob.<region>.<fqdn> *.queue.<region>.<fqdn> *.table.<region>.<fqdn> |
Storage |
blob.<region>.<fqdn> table.<region>.<fqdn> queue.<region>.<fqdn> |
| KeyVault |
*.vault.<region>.<fqdn> (Wildcard SSL Certificate) |
Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal |
*.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) |
Internal Keyvault | adminvault.<region>.<fqdn> |
NOTE: The ACS certificate requires three wildcard SANs on a single
certificate. Not all Public Certificate Authorities support multiple wildcard
SANs on a single certificate.
However, if you deploy Azure Stack Hub using the ADFS deployment mode, you must also request the certificates that are described in the following table.
| Deployment folder | Required certificate subject and SAN | Scope (per region) | Subdomain namespace |
| ADFS |
adfs.<region>.<fqdn> (SSL Certificate) |
ADFS | <region>.<fqdn> |
| Graph |
graph.<region>.<fqdn> (SSL Certificate) |
Graph | <region>.<fqdn> |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\