Add an application certificate to a Service Fabric cluster

This sample script walks through how to create a certificate in Key Vault and then deploy it to one of the virtual machine scale sets your cluster runs on. This scenario does not use Service Fabric directly, but rather depends on Key Vault and on virtual machine scale sets.

Note

We recommend that you use the Azure Az PowerShell module to interact with Azure. To get started, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

If needed, install the Azure PowerShell using the instruction found in the Azure PowerShell guide and then run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

Create a certificate in Key Vault

Connect-AzAccount -Environment AzureChinaCloud

$VaultName = ""
$CertName = ""
$SubjectName = "CN="

$policy = New-AzKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy

Or upload an existing certificate into Key Vault

$VaultName= ""
$CertName= ""
$CertPassword= ""
$PathToPFX= ""

$bytes = [System.IO.File]::ReadAllBytes($PathToPFX)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
   data = $base64
   dataType = 'pfx'
   password = $CertPassword
   } | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)

$SecretValue = ConvertTo-SecureString -String $content -AsPlainText -Force

# Upload the certificate to the key vault as a secret
$Secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -SecretValue $SecretValue

Update virtual machine scale sets profile with certificate

$ResourceGroupName = ""
$VMSSName = ""
$CertStore = "My" # Update this with the store you want your certificate placed in, this is LocalMachine\My

# If you have added your certificate to the keyvault certificates, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).SecretId -CertificateStore $CertStore

# Otherwise, if you have added your certificate to the keyvault secrets, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName).Id -CertificateStore $CertStore

$VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName

# If this KeyVault is already known by the virtual machine scale set, for example if the cluster certificate is deployed from this keyvault, use
$VMSS.virtualmachineprofile.osProfile.secrets[0].vaultCertificates.Add($CertConfig)

# Otherwise use
$VMSS = Add-AzVmssSecret -VirtualMachineScaleSet $VMSS -SourceVaultId (Get-AzKeyVault -VaultName $VaultName).ResourceId  -VaultCertificate $CertConfig

Update the virtual machine scale set

Update-AzVmss -ResourceGroupName $ResourceGroupName -VirtualMachineScaleSet $VMSS -VMScaleSetName $VMSSName

If you would like the certificate placed on multiple node types in your cluster, the second and third parts of this script should be repeated for each node type that should have the certificate.

Script explanation

This script uses the following commands: Each command in the table links to command specific documentation.

Command Notes
New-AzKeyVaultCertificatePolicy Creates an in-memory policy representing the certificate
Add-AzKeyVaultCertificate Deploys the policy to Key Vault Certificates
Set-AzKeyVaultSecret Deploys the policy to Key Vault Secrets
New-AzVmssVaultCertificateConfig Creates an in-memory config representing the certificate in a VM
Get-AzVmss
Add-AzVmssSecret Adds the certificate to the in-memory definition of the virtual machine scale set
Update-AzVmss Deploys the new definition of the virtual machine scale set

Next steps

For more information on the Azure PowerShell module, see Azure PowerShell documentation.

Additional Azure PowerShell samples for Azure Service Fabric can be found in the Azure PowerShell samples.