Certificates and the App Service Environment

The App Service Environment (ASE) is a deployment of the Azure App Service that runs within your Azure Virtual Network (VNet). It can be deployed with an internet-accessible application endpoint or an application endpoint that is in your VNet. If you deploy the ASE with an internet-accessible endpoint, that deployment is called an External ASE. If you deploy the ASE with an endpoint in your VNet, that deployment is called an ILB ASE. You can learn more about the ILB ASE from the Create and use an ILB ASE document.

The ASE is a single-tenant system. Because it is single tenant, some features are available only with an ASE and not in the multi-tenant App Service.

ILB ASE certificates

If you are using an External ASE, your apps are reached at [appname].[asename].p.chinacloudsites.cn. By default all ASEs, even ILB ASEs, are created with certificates that follow that format. When you have an ILB ASE, the apps are reached based on the domain name that you specify when creating the ILB ASE. In order for the apps to support SSL, you need to upload certificates. Obtain a valid SSL certificate by using an internal certificate authority, purchasing a certificate from an external issuer, or using a self-signed certificate.

There are two options for configuring certificates with your ILB ASE. You can set a wildcard default certificate for the ILB ASE, or set certificates on the individual web apps in the ASE. Regardless of the choice you make, the following certificate attributes must be configured properly:

  • Subject: This attribute must be set to *.[your-root-domain-here] for a wildcard ILB ASE certificate. If you are creating the certificate for your app, it should be [appname].[your-root-domain-here].
  • Subject Alternative Name: This attribute must include both *.[your-root-domain-here] and *.scm.[your-root-domain-here] for the wildcard ILB ASE certificate. If you are creating the certificate for your app, it should include [appname].[your-root-domain-here] and [appname].scm.[your-root-domain-here].

As a third variant, you can create an ILB ASE certificate that includes all of your individual app names in the SAN of the certificate instead of using a wildcard reference. The problem with this method is that you need to know up front the names of the apps that you are putting in the ASE, or you need to keep updating the ILB ASE certificate.

Upload certificate to ILB ASE

After an ILB ASE is created in the portal, the certificate must be set for the ILB ASE. Until the certificate is set, the ASE shows a banner that the certificate was not set.

The certificate that you upload must be a .pfx file. After the certificate is uploaded, the ASE performs a scale operation to set the certificate.

You cannot create the ASE and upload the certificate as one action in the portal, or even in one template. As a separate action, you can upload the certificate using a template as described in the Create an ASE from a template document.

If you want to create a self-signed certificate quickly for testing, you can use the following bit of PowerShell:

# Create a self-signed certificate in the LocalMachine\My store whose SAN covers
# both the app names and the scm (Kudu) names of the ILB ASE domain.
# Add -Subject "CN={ASE_NAME_HERE}_InternalLoadBalancingASE" to set the subject name described below.
$certificate = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "*.internal-contoso.com","*.scm.internal-contoso.com"

# Store path of the new certificate, and the password that protects the exported private key.
$certThumbprint = "cert:\localMachine\my\" + $certificate.Thumbprint
$password = ConvertTo-SecureString -String "CHANGETHISPASSWORD" -Force -AsPlainText

# Export the certificate with its private key as a .pfx file, the format the ASE accepts.
$fileName = "exportedcert.pfx"
Export-PfxCertificate -Cert $certThumbprint -FilePath $fileName -Password $password

When creating a self-signed certificate, you need to ensure the subject name has the format CN={ASE_NAME_HERE}_InternalLoadBalancingASE.
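The following script is an added example, not code from the original article: it creates a self-signed ILB ASE certificate whose Subject follows the CN={ASE_NAME_HERE}_InternalLoadBalancingASE format above and whose SAN carries both the wildcard app name and the wildcard scm name required in the certificate attributes section, then reads the SAN extension back out of the certificate to confirm both entries are present before exporting the .pfx. It assumes Windows PowerShell 5.1 or later on Windows (New-SelfSignedCertificate with -Subject needs the Windows 10 / Server 2016 PKI module); the ASE name, domain and output path are placeholders.

```powershell
# Added example (not from the original article). Placeholders: $aseName, $rootDomain, $pfxPath.
$aseName    = 'myase'                 # placeholder: your ILB ASE name
$rootDomain = 'internal-contoso.com'  # placeholder: the domain given when creating the ILB ASE
$pfxPath    = Join-Path $PWD 'ilbase.pfx'
$password   = Read-Host -Prompt 'PFX password' -AsSecureString   # keeps the password out of the script

# Both the wildcard app name and the wildcard scm (Kudu) name must be in the SAN.
$requiredSans    = @("*.$rootDomain", "*.scm.$rootDomain")
$expectedSubject = "CN=${aseName}_InternalLoadBalancingASE"

$certificate = New-SelfSignedCertificate `
    -Subject $expectedSubject `
    -DnsName $requiredSans `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# Verify the attributes from the certificate itself (SAN extension is OID 2.5.29.17)
# rather than trusting the parameters that were passed in.
$sanExt   = $certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText  = $sanExt.Format($false)   # e.g. "DNS Name=*.internal-contoso.com, DNS Name=*.scm.internal-contoso.com"
$sanNames = [regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }

$missing = $requiredSans | Where-Object { $sanNames -notcontains $_ }
if ($missing) {
    throw "Certificate SAN is missing: $($missing -join ', ')"
}
if ($certificate.Subject -ne $expectedSubject) {
    throw "Unexpected subject: $($certificate.Subject)"
}

# Export the certificate and private key as the .pfx the ASE expects.
Export-PfxCertificate -Cert $certificate -FilePath $pfxPath -Password $password | Out-Null
Write-Host "Exported $pfxPath (thumbprint $($certificate.Thumbprint), subject $($certificate.Subject))"
```

The SAN check is the part worth keeping even when the certificate comes from an internal CA or an external issuer: load the issued certificate with Get-PfxCertificate instead of creating one, and run the same extension check against your domain before uploading, since a missing *.scm entry only shows up later as a TLS failure on the Kudu site.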

Application certificates

Apps that are hosted in an ASE can use the app-centric certificate features that are available in the multi-tenant App Service. Those features include:

  • SNI certificates
  • IP-based SSL, which is only supported with an External ASE. An ILB ASE does not support IP-based SSL.
  • KeyVault hosted certificates

The instructions for uploading and managing those certificates are available in Add a TLS/SSL certificate in Azure App Service. If you are simply configuring certificates to match a custom domain name that you have assigned to your web app, those instructions will suffice. If you are uploading the certificate for an ILB ASE web app with the default domain name, specify the scm site in the SAN of the certificate as noted earlier.

TLS settings

You can configure the TLS settings at the app level.

Private client certificate

A common use case is to configure your app as a client in a client-server model. If you secure your server with a private CA certificate, you need to upload the client certificate to your app. The following instructions load certificates into the trust store of the workers that your app is running on. If you load the certificate to one app, you can use it with your other apps in the same App Service plan without uploading the certificate again.

To upload the certificate to your app in your ASE:

  1. Generate a .cer file for your certificate.

  2. Go to the app that needs the certificate in the Azure portal.

  3. Go to SSL settings in the app. Click Upload Certificate. Select Public. Select Local Machine. Provide a name. Browse and select your .cer file. Select Upload.

  4. Copy the thumbprint.

  5. Go to Application Settings. Create an app setting WEBSITE_LOAD_ROOT_CERTIFICATES with the thumbprint as the value. If you have multiple certificates, you can put them in the same setting separated by commas with no whitespace, like:

    84EC242A4EC7957817B8E48913E50953552DAFA6,6A5C65DC9247F762FE17BF8D4906E04FE6B31819
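The script below is an added example, not code from the original article, showing step 5 done with the Az PowerShell module (Az.Websites) instead of the portal. It validates each thumbprint against the format the article requires (40 hex characters, comma separated, no whitespace) and merges the new setting with the app's existing settings, because Set-AzWebApp -AppSettings replaces the whole collection rather than adding one key. The resource group and app name are placeholders; the two thumbprints are the sample values from the article.

```powershell
# Added example (not from the original article). Placeholders: $resourceGroup, $appName.
# Requires the Az.Websites module and an existing Connect-AzAccount session.
$resourceGroup = 'my-ase-rg'   # placeholder
$appName       = 'myapp'       # placeholder
$thumbprints   = @(
    '84EC242A4EC7957817B8E48913E50953552DAFA6',   # sample values from the article
    '6A5C65DC9247F762FE17BF8D4906E04FE6B31819'
)

function ConvertTo-RootCertSetting {
    # Normalises and validates thumbprints and returns the comma separated setting value.
    param([string[]] $Thumbprints)
    $clean = foreach ($t in $Thumbprints) {
        $v = ($t -replace '\s', '').ToUpperInvariant()   # strip any whitespace picked up while copying
        if ($v -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA-1 thumbprint: '$t'" }
        $v
    }
    return (@($clean | Select-Object -Unique) -join ',')
}

$value = ConvertTo-RootCertSetting -Thumbprints $thumbprints

# Get-AzWebApp exposes current settings as Name/Value pairs; copy them into a
# hashtable so nothing is lost when the collection is written back.
$app      = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $appName
$settings = @{}
foreach ($pair in $app.SiteConfig.AppSettings) { $settings[$pair.Name] = $pair.Value }
$settings['WEBSITE_LOAD_ROOT_CERTIFICATES'] = $value

Set-AzWebApp -ResourceGroupName $resourceGroup -Name $appName -AppSettings $settings | Out-Null
Write-Host "WEBSITE_LOAD_ROOT_CERTIFICATES = $value"
```

Because the setting is read by the worker when the app starts, the change triggers a restart of the app; run it from a deployment pipeline or a maintenance window rather than interactively on a production slot.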

The certificate is available to all the apps in the same App Service plan as the app that configured that setting. If you need it to be available for apps in a different App Service plan, you need to repeat the app setting operation on an app in that App Service plan. To check that the certificate is set, go to the Kudu console and issue the following command in the PowerShell debug console:

dir cert:\localmachine\root
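A more targeted check than listing the whole store, as an added example that is not part of the original article: run in the Kudu PowerShell debug console, it reads the app's own WEBSITE_LOAD_ROOT_CERTIFICATES setting, confirms that each listed thumbprint is actually present in the worker's LocalMachine\Root store, and flags certificates that are close to expiry. The 30-day expiry threshold is an assumption; the environment variable name is the app setting from the article.

```powershell
# Added example (not from the original article). Intended for the Kudu PowerShell debug console.
$setting = $env:WEBSITE_LOAD_ROOT_CERTIFICATES
if (-not $setting) { throw 'WEBSITE_LOAD_ROOT_CERTIFICATES is not set on this app.' }

$expected  = $setting -split ','
$rootStore = Get-ChildItem -Path Cert:\LocalMachine\Root

foreach ($thumb in $expected) {
    $cert = $rootStore | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        # Usually means the .cer was uploaded to a different app or the thumbprint
        # was copied with whitespace; fix the setting and let the app restart.
        Write-Warning "Missing from Root store: $thumb"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status   = if ($daysLeft -lt 30) { 'EXPIRING' } else { 'ok' }   # 30-day threshold is an assumption
    '{0}  {1,-8} expires {2:yyyy-MM-dd}  {3}' -f $thumb, $status, $cert.NotAfter, $cert.Subject
}
```

Because the trust store is per worker and shared by every app in the plan, a thumbprint that shows as missing here affects all of those apps, so this check is worth running from each plan after the setting is changed.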

To perform testing, you can create a self-signed certificate and generate a .cer file with the following PowerShell:

# Create a self-signed certificate in the LocalMachine\My store.
$certificate = New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName "*.internal-contoso.com","*.scm.internal-contoso.com"

# Store path of the new certificate. The password is only needed for a .pfx export
# and is kept here for parity with the .pfx example above.
$certThumbprint = "cert:\localMachine\my\" + $certificate.Thumbprint
$password = ConvertTo-SecureString -String "CHANGETHISPASSWORD" -Force -AsPlainText

# Export only the public certificate (no private key) as a DER-encoded .cer file.
$fileName = "exportedcert.cer"
Export-Certificate -Cert $certThumbprint -FilePath $fileName -Type CERT