Microsoft Azure Stack Hub has a public infrastructure network that
contains the externally accessible or public IP addresses that are assigned to
a small set of Azure Stack Hub services, with the remainder used by the tenant
VMs. Provide certificates with the appropriate DNS names for these Azure Stack
Hub public infrastructure endpoints.
There are some certificate restrictions in the current Azure Stack Hub
version. The certificate requirements for deploying Azure Stack Hub are:
- Certificates must be issued from either an internal certificate authority or a public certificate authority. If a public certificate authority is used, it must be included in the base operating-system image as part of the Microsoft Trusted Root Authority Program. For the full list, see TechNet: Microsoft Trusted Root Certificate Program: Participants.
- Your Azure Stack Hub infrastructure must have network access to the certificate authority's Certificate Revocation List (CRL) location published in the certificate. This CRL must be an HTTP endpoint.
- When you rotate certificates, the new certificates must be issued either from the same internal certificate authority that signed the certificates provided at deployment, or from any public certificate authority from the CRL.
- The certificate can be a single wildcard certificate covering all namespaces in the Subject Alternative Name (SAN) field. Alternatively, you can use individual certificates, using wildcards for endpoints such as ACS and Key Vault where they are required.
- The certificate signature algorithm cannot be SHA1; it must be stronger.
- The certificate format must be PFX, because both the public and private keys are required for an Azure Stack Hub installation.
- The certificate PFX files must have the values Digital Signature and KeyEncipherment in the Key Usage field.
- The certificate PFX files must have the values Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) in the Enhanced Key Usage field.
- The certificate's "Issued to:" field must not be the same as its "Issued by:" field.
- The passwords to all certificate PFX files must be the same at the time of deployment.
- The password for the certificate PFX must be a complex password.
- The subject names and subject alternative names in the SAN extension (x509v3_config) must match. The subject alternative names field lets you specify additional host names (websites, IP addresses, common names) that are to be protected by a single SSL certificate.

NOTE: The use of self-signed certificates is not supported. However, intermediary certificate authorities in a certificate chain of trust are supported.
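As an added example, not Microsoft's own readiness tooling, the following PowerShell function loads one or more PFX files with a single shared password and reports which of the requirements above each file fails. It assumes PowerShell on Windows, where X509Extension.Format() renders SAN entries as "DNS Name=" lines and CRL distribution points as "URL=" lines; the function name, parameter names and the C:\certs path are invented for this example.

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-AzsPfxRequirements {
    param(
        [Parameter(Mandatory)] [string[]] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password   # one shared password, as required at deployment
    )
    foreach ($path in $PfxPath) {
        $findings = [System.Collections.Generic.List[string]]::new()
        # Loading throws if this file was protected with a different password than the others
        $cert = [X509Certificate2]::new($path, $Password)
        if (-not $cert.HasPrivateKey) { $findings.Add('PFX does not contain the private key') }
        if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
            $findings.Add("Signature algorithm $($cert.SignatureAlgorithm.FriendlyName) is SHA1")
        }
        if ($cert.Subject -eq $cert.Issuer) { $findings.Add('Issued to equals Issued by (self-signed)') }
        # Key Usage: Digital Signature and Key Encipherment must both be set
        $ku   = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        $need = [X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
        if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) {
            $findings.Add('Key Usage lacks Digital Signature and/or Key Encipherment')
        }
        # Enhanced Key Usage: Server Authentication and Client Authentication OIDs
        $eku     = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
            if ($oid -notin $ekuOids) { $findings.Add("Enhanced Key Usage is missing $oid") }
        }
        # SAN (2.5.29.17): the subject CN must also appear as a DNS name in the SAN list
        $san      = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @(if ($san) { [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                                  ForEach-Object { $_.Groups[1].Value } })
        $cn = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
        if ($cn -notin $sanNames) { $findings.Add("Subject CN '$cn' is not in the SAN extension") }
        # CRL Distribution Points (2.5.29.31): at least one plain-HTTP URL is required
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $cdp -or $cdp.Format($true) -notmatch 'URL=http://') {
            $findings.Add('No HTTP CRL distribution point published in the certificate')
        }
        [pscustomobject]@{ File = $path; Subject = $cert.Subject
                           Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
    }
}

# Usage (paths are a placeholder): check every PFX in a folder with one password
# Test-AzsPfxRequirements -PfxPath (Get-ChildItem C:\certs\*.pfx).FullName -Password (Read-Host -AsSecureString)
```

The function does not attempt to reach the CRL URL or validate the chain against the Microsoft Trusted Root Program; it only checks what the PFX itself asserts.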