Add an application certificate to a Service Fabric cluster
This sample script walks through how to create a certificate in Key Vault and then deploy it to one of the virtual machine scale sets your cluster runs on. This scenario does not use Service Fabric directly, but rather depends on Key Vault and on virtual machine scale sets.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
If needed, install the Azure PowerShell using the instruction found in the Azure PowerShell guide and then run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.
Create a certificate in Key Vault
Connect-AzAccount -Environment AzureChinaCloud
$VaultName = ""
$CertName = ""
$SubjectName = "CN="
$policy = New-AzKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy
Or upload an existing certificate into Key Vault
$VaultName= ""
$CertName= ""
$CertPassword= ""
$PathToPFX= ""
$bytes = [System.IO.File]::ReadAllBytes($PathToPFX)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
data = $base64
dataType = 'pfx'
password = $CertPassword
} | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$SecretValue = ConvertTo-SecureString -String $content -AsPlainText -Force
# Upload the certificate to the key vault as a secret
$Secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -SecretValue $SecretValue
Update virtual machine scale sets profile with certificate
$ResourceGroupName = ""
$VMSSName = ""
$CertStore = "My" # Update this with the store you want your certificate placed in, this is LocalMachine\My
# If you have added your certificate to the keyvault certificates, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).SecretId -CertificateStore $CertStore
# Otherwise, if you have added your certificate to the keyvault secrets, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName).Id -CertificateStore $CertStore
$VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName
# If this KeyVault is already known by the virtual machine scale set, for example if the cluster certificate is deployed from this keyvault, use
$VMSS.virtualmachineprofile.osProfile.secrets[0].vaultCertificates.Add($CertConfig)
# Otherwise use
$VMSS = Add-AzVmssSecret -VirtualMachineScaleSet $VMSS -SourceVaultId (Get-AzKeyVault -VaultName $VaultName).ResourceId -VaultCertificate $CertConfig
Update the virtual machine scale set
Update-AzVmss -ResourceGroupName $ResourceGroupName -VirtualMachineScaleSet $VMSS -VMScaleSetName $VMSSName
If you would like the certificate placed on multiple node types in your cluster, the second and third parts of this script should be repeated for each node type that should have the certificate.
Script explanation
This script uses the following commands: Each command in the table links to command specific documentation.
| Command | Notes |
|---|---|
| New-AzKeyVaultCertificatePolicy | Creates an in-memory policy representing the certificate |
| Add-AzKeyVaultCertificate | Deploys the policy to Key Vault Certificates |
| Set-AzKeyVaultSecret | Deploys the policy to Key Vault Secrets |
| New-AzVmssVaultCertificateConfig | Creates an in-memory config representing the certificate in a VM |
| Get-AzVmss | |
| Add-AzVmssSecret | Adds the certificate to the in-memory definition of the virtual machine scale set |
| Update-AzVmss | Deploys the new definition of the virtual machine scale set |
Next steps
For more information on the Azure PowerShell module, see Azure PowerShell documentation.
Additional Azure PowerShell samples for Azure Service Fabric can be found in the Azure PowerShell samples.