Create certificates to allow the backend with Azure Application Gateway

To do end-to-end TLS, Application Gateway requires the backend instances to be allowed by uploading authentication certificates or trusted root certificates. For the v1 SKU, authentication certificates are required; for the v2 SKU, trusted root certificates are required to allow the backend.

In this article, you learn how to:

  • Export an authentication certificate from a backend certificate (for the v1 SKU)
  • Export a trusted root certificate from a backend certificate (for the v2 SKU)

Prerequisites

An existing backend certificate is required to generate the authentication certificates or trusted root certificates needed to allow backend instances with Application Gateway. The backend certificate can be the same as the TLS/SSL certificate, or a different one for added security. Application Gateway doesn't provide any mechanism to create or purchase a TLS/SSL certificate. For testing purposes, you can create a self-signed certificate, but you shouldn't use it for production workloads.

Export authentication certificate (for v1 SKU)

An authentication certificate is required to allow backend instances in the Application Gateway v1 SKU. The authentication certificate is the public key of the backend server certificate in Base-64 encoded X.509 (.CER) format. In this example, you'll use a TLS/SSL certificate as the backend certificate and export its public key to be used as the authentication certificate. This example also uses the Windows Certificate Manager tool to export the required certificates; you can use any other tool that is convenient.

From your TLS/SSL certificate, export the public key .cer file (not the private key). The following steps help you export the .cer file in Base-64 encoded X.509 (.CER) format for your certificate:

  1. To obtain a .cer file from the certificate, open Manage user certificates. Locate the certificate, typically in 'Certificates - Current User\Personal\Certificates', and right-click it. Click All Tasks, and then click Export. This opens the Certificate Export Wizard. If you can't find the certificate under Current User\Personal\Certificates, you may have accidentally opened "Certificates - Local Computer" rather than "Certificates - Current User". If you want to open Certificate Manager in the current user scope from PowerShell, type certmgr in the console window.

  2. In the wizard, click Next.

  3. Select No, do not export the private key, and then click Next.

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER), and then click Next.

  5. For File to Export, browse to the location to which you want to export the certificate. For File name, name the certificate file. Then click Next.

  6. Click Finish to export the certificate.

  7. Your certificate is successfully exported.

    The exported certificate looks similar to this:

    (screenshot of the exported .cer file)

  8. If you open the exported certificate in Notepad, you see something similar to this example. The section in blue contains the information that is uploaded to the application gateway. If you open your certificate in Notepad and it doesn't look similar to this, it typically means you didn't export it in the Base-64 encoded X.509 (.CER) format. Additionally, if you want to use a different text editor, be aware that some editors can introduce unintended formatting in the background. This can create problems when uploading the text from this certificate to Azure.

    (screenshot of the exported certificate opened in Notepad)
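The check in step 8 (does the file really contain a Base-64 encoded X.509 certificate, with nothing a text editor added?) can be scripted instead of eyeballed. The following PowerShell function is an added example, not part of the original article or of any Microsoft tooling; the file path is a placeholder for the .cer file you exported in step 5.

```powershell
# Added example (not from the Azure docs): verify that an exported .cer file is
# Base-64 encoded X.509, which is the format Application Gateway expects.
function Test-Base64Cer {
    param([Parameter(Mandatory)][string]$Path)

    # Normalise line endings and drop blank lines so stray whitespace from an
    # editor does not fail the check by itself.
    $lines = @(Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })

    if ($lines.Count -lt 3 -or
        $lines[0]  -ne '-----BEGIN CERTIFICATE-----' -or
        $lines[-1] -ne '-----END CERTIFICATE-----') {
        Write-Warning "Missing PEM header/footer: the file was probably exported as DER (binary), not Base-64 encoded X.509."
        return $false
    }

    # Everything between header and footer must be valid Base-64.
    $body = $lines[1..($lines.Count - 2)] -join ''
    try {
        $der = [Convert]::FromBase64String($body)
    } catch {
        Write-Warning "Body is not valid Base-64: a text editor may have introduced formatting characters."
        return $false
    }

    # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if ($der.Length -eq 0 -or $der[0] -ne 0x30) {
        Write-Warning "Decoded bytes are not an ASN.1 SEQUENCE; this is not an X.509 certificate."
        return $false
    }

    # Finally let .NET parse it and show what would be uploaded.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    Write-Host ("OK: Subject={0}  Issuer={1}  NotAfter={2}" -f $cert.Subject, $cert.Issuer, $cert.NotAfter)
    return $true
}

# Placeholder path: point this at the file exported in step 5.
Test-Base64Cer -Path .\backend-auth.cer
```

A file that fails the header check was almost always exported with the DER encoded binary X.509 option in step 4; a file that fails the Base-64 check was usually round-tripped through an editor that inserted formatting.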

Export trusted root certificate (for v2 SKU)

A trusted root certificate is required to whitelist backend instances in the Application Gateway v2 SKU. The root certificate is the Base-64 encoded X.509 (.CER) format root certificate of the backend server certificate's chain. In this example, we will use a TLS/SSL certificate as the backend certificate, export its public key, and then export the root certificate of the trusted CA from that public key in Base-64 encoded format to get the trusted root certificate. The intermediate certificate(s) should be bundled with the server certificate and installed on the backend server.

The following steps help you export the .cer file for your certificate:

  1. Use steps 1-9 in the section Export authentication certificate from a backend certificate (for v1 SKU) above to export the public key from your backend certificate.

  2. Once the public key has been exported, open the file.

  3. Move to the Certification Path view to view the certification authority.

  4. Select the root certificate and click View Certificate.

    You should see the root certificate details.

  5. Move to the Details view and click Copy to File...

  6. At this point, you've extracted the details of the root certificate from the backend certificate. You'll see the Certificate Export Wizard. Now use steps 2-9 in the section Export authentication certificate from a backend certificate (for v1 SKU) above to export the trusted root certificate in Base-64 encoded X.509 (.CER) format.
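Both procedures above (the v1 authentication certificate and the v2 trusted root certificate) can be driven from PowerShell instead of the Certificate Manager GUI: export the leaf's public certificate, build its chain, and export the top of that chain. The following script is an added example, not code from the original article or from Microsoft; the subject filter and output file names are placeholders you replace with your own.

```powershell
# Added example (not from the Azure docs): script the Certificate Manager export
# steps for both the v1 authentication certificate and the v2 trusted root.
function ConvertTo-PemCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # ContentType Cert exports only the DER-encoded public certificate; the private
    # key is never included, matching "No, do not export the private key" in step 3.
    $der = $Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    return "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
}

# Cert:\CurrentUser\My is the PowerShell drive for 'Certificates - Current User\Personal'.
# The subject filter is a placeholder for your backend server's name.
$leaf = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like '*backend.example.com*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $leaf) { throw 'Backend certificate not found in Cert:\CurrentUser\My (check you are not looking at Local Computer).' }

# v1 SKU: the authentication certificate is the leaf's public key in Base-64 X.509 (.CER).
Set-Content -Path .\backend-auth.cer -Value (ConvertTo-PemCertificate $leaf) -Encoding Ascii -NoNewline

# v2 SKU: the trusted root is the last element of the leaf's certification path.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# Build() returns $false on policy errors (e.g. untrusted root), but the chain
# elements it could resolve are still populated, so inspect them explicitly.
$null = $chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    Write-Warning 'Chain did not end at a self-signed root; install the CA root certificate in the store and re-run.'
}
Set-Content -Path .\backend-root.cer -Value (ConvertTo-PemCertificate $root) -Encoding Ascii -NoNewline

# Show what will be uploaded so the leaf and root can be checked before adding them to the gateway.
foreach ($c in @($leaf, $root)) {
    '{0}' -f $c.Subject
    '    issued by  {0}' -f $c.Issuer
    '    thumbprint {0}' -f $c.Thumbprint
}
```

Writing the files with ASCII encoding and no trailing newline avoids the byte-order mark and editor artifacts that step 8 warns about; the warning about a non-self-signed root catches the case where the machine building the chain does not trust the CA that issued the backend certificate.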

Next steps

You now have the authentication certificate or trusted root certificate in Base-64 encoded X.509 (.CER) format. You can add it to the application gateway to whitelist your backend servers for end-to-end TLS encryption. See Configure end to end TLS by using Application Gateway with PowerShell.