Generate an Azure Application Gateway self-signed certificate with a custom root CA

The Application Gateway v2 SKU introduces the use of Trusted Root Certificates to trust backend servers. This removes the authentication certificates that were required in the v1 SKU. The root certificate is a Base-64 encoded X.509 (.CER) format root certificate from the backend certificate server. It identifies the root certificate authority (CA) that issued the server certificate, and the server certificate is then used for the TLS/SSL communication.

Application Gateway trusts your website's certificate by default if it's signed by a well-known CA (for example, GoDaddy or DigiCert). You don't need to explicitly upload the root certificate in that case. For more information, see Overview of TLS termination and end to end TLS with Application Gateway. However, if you have a dev/test environment and don't want to purchase a verified CA-signed certificate, you can create your own custom CA and create a self-signed certificate with it.


Self-signed certificates are not trusted by default, and they can be difficult to maintain. Also, they may use outdated hash and cipher suites that may not be strong. For better security, purchase a certificate signed by a well-known certificate authority.

In this article, you learn how to:

  • Create your own custom Certificate Authority
  • Create a self-signed certificate signed by your custom CA
  • Upload a self-signed root certificate to an Application Gateway to authenticate the backend server


Prerequisites

  • OpenSSL on a computer running Windows or Linux

    While there could be other tools available for certificate management, this tutorial uses OpenSSL. You can find OpenSSL bundled with many Linux distributions, such as Ubuntu.

  • A web server

    For example, Apache, IIS, or NGINX to test the certificates.

  • An Application Gateway v2 SKU

    If you don't have an existing application gateway, see Quickstart: Direct web traffic with Azure Application Gateway - Azure portal.

Create a root CA certificate

Create your root CA certificate using OpenSSL.

Create the root key

  1. Sign in to the computer where OpenSSL is installed and run the following command. This creates a password-protected key.

    openssl ecparam -out contoso.key -name prime256v1 -genkey
  2. At the prompt, type a strong password. For example, at least nine characters, using upper case, lower case, numbers, and symbols.

Create a root certificate and self-sign it

  1. Use the following commands to generate the CSR and the certificate.

    openssl req -new -sha256 -key contoso.key -out contoso.csr
    openssl x509 -req -sha256 -days 365 -in contoso.csr -signkey contoso.key -out contoso.crt

    The previous commands create the root certificate. You'll use this to sign your server certificate.

  2. When prompted, type the password for the root key and the organizational information for the custom CA, such as Country/Region, State, Org, OU, and the fully qualified domain name (this is the domain of the issuer).


Create a server certificate

Next, you'll create a server certificate using OpenSSL.

Create the certificate's key

Use the following command to generate the key for the server certificate.

openssl ecparam -out fabrikam.key -name prime256v1 -genkey

Create the CSR (Certificate Signing Request)

The CSR is a public key that is given to a CA when requesting a certificate. The CA issues the certificate for this specific request.


The CN (Common Name) for the server certificate must be different from the issuer's domain. For example, in this case, the CN for the issuer is www.contoso.com and the server certificate's CN is www.fabrikam.com.

  1. Use the following command to generate the CSR:

    openssl req -new -sha256 -key fabrikam.key -out fabrikam.csr
  2. When prompted, type the password for the root key and the organizational information for the custom CA: Country/Region, State, Org, OU, and the fully qualified domain name. This is the domain of the website, and it should be different from the issuer.


Generate the certificate with the CSR and the key and sign it with the CA's root key

  1. Use the following command to create the certificate:

    openssl x509 -req -in fabrikam.csr -CA contoso.crt -CAkey contoso.key -CAcreateserial -out fabrikam.crt -days 365 -sha256

Verify the newly created certificate

  1. Use the following command to print the contents of the CRT file and verify them:

    openssl x509 -in fabrikam.crt -text -noout


  2. Check the files in your directory, and ensure you have the following files:

    • contoso.crt
    • contoso.key
    • fabrikam.crt
    • fabrikam.key
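The steps above, as an added bash example that is not part of the original article: it runs the same OpenSSL sequence non-interactively (subjects passed with -subj instead of answering prompts, so the keys are not password-protected here), goes one step beyond the article by adding a subjectAltName to the server certificate, writes the Base-64 .cer copy of the root that the upload section later needs, and checks the result the way Application Gateway will: the server certificate must chain to the root and match the host name. Directory and file names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands: build and check the contoso/fabrikam chain.
set -euo pipefail

# Build the contoso root CA and the fabrikam server certificate under $dir.
make_chain() {
  local dir=$1
  mkdir -p "$dir"
  # Root key, CSR and self-signed root certificate (same CSR route as the article).
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/contoso.key"
  openssl req -new -sha256 -key "$dir/contoso.key" \
    -subj "/CN=www.contoso.com/O=Contoso" -out "$dir/contoso.csr"
  # Mark the root as a CA explicitly so clients and `openssl verify` accept it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/contoso.csr" -signkey "$dir/contoso.key" \
    -extfile "$dir/ca.ext" -out "$dir/contoso.crt"
  # Server key and CSR; the CN must differ from the issuer's CN.
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/fabrikam.key"
  openssl req -new -sha256 -key "$dir/fabrikam.key" \
    -subj "/CN=www.fabrikam.com/O=Fabrikam" -out "$dir/fabrikam.csr"
  # Sign with the root. The SAN is what host-name checks look at; the article's
  # interactive steps set only the CN.
  printf 'subjectAltName=DNS:www.fabrikam.com\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/fabrikam.csr" \
    -CA "$dir/contoso.crt" -CAkey "$dir/contoso.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/fabrikam.crt"
  # The gateway wants the root as Base-64 .cer; PEM is already Base-64, so only the name changes.
  cp "$dir/contoso.crt" "$dir/contoso.cer"
}

# Returns 0 only if fabrikam.crt chains to contoso.cer and is valid for $host.
verify_chain() {
  local dir=$1 host=$2 result
  openssl verify -CAfile "$dir/contoso.cer" "$dir/fabrikam.crt" >/dev/null || return 1
  # -checkhost always exits 0; the verdict is in its output ("does match" / "does NOT match").
  result=$(openssl x509 -in "$dir/fabrikam.crt" -noout -checkhost "$host")
  case "$result" in *"does match"*) return 0 ;; *) return 1 ;; esac
}

# Usage: make_chain ./certs && verify_chain ./certs www.fabrikam.com
```

Running verify_chain with a host name the certificate does not cover (for example www.contoso.com) returns 1, which is the same mismatch that makes a gateway probe report the backend as unhealthy.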

Configure the certificate in your web server's TLS settings

In your web server, configure TLS using the fabrikam.crt and fabrikam.key files. If your web server can't take two files, you can combine them into a single .pem or .pfx file using OpenSSL commands.


For instructions on how to import certificates and upload them as the server certificate on IIS, see HOW TO: Install Imported Certificates on a Web Server in Windows Server 2003.

For TLS binding instructions, see How to Set Up SSL on IIS 7.


The following configuration is an example virtual host configured for SSL in Apache:

<VirtualHost www.fabrikam.com:443>
      DocumentRoot /var/www/fabrikam
      ServerName www.fabrikam.com
      SSLEngine on
      SSLCertificateFile /home/user/fabrikam.crt
      SSLCertificateKeyFile /home/user/fabrikam.key
</VirtualHost>


The following configuration is an example NGINX server block with TLS configuration:


Access the server to verify the configuration

  1. Add the root certificate to your machine's trusted root store. When you access the website, ensure the entire certificate chain is shown in the browser.



    It's assumed that DNS has been configured to point the web server name (in this example, www.fabrikam.com) to your web server's IP address. If not, you can edit the hosts file to resolve the name.

  2. Browse to your website, and click the lock icon in your browser's address bar to verify the site and certificate information.

Verify the configuration with OpenSSL

Alternatively, you can use OpenSSL to verify the certificate.

openssl s_client -connect localhost:443 -servername www.fabrikam.com -showcerts

(Screenshot: OpenSSL certificate verification output)

Upload the root certificate to Application Gateway's HTTP Settings

To upload the certificate to Application Gateway, you must export the .crt certificate into Base-64 encoded .cer format. Since .crt already contains the public key in Base-64 encoded format, just rename the file extension from .crt to .cer.

Azure portal

To upload the trusted root certificate from the portal, select HTTP Settings and choose the HTTPS protocol.


Azure PowerShell

Alternatively, you can use Azure CLI or Azure PowerShell to upload the root certificate. The following code is an Azure PowerShell sample.


The following sample adds a trusted root certificate to the application gateway, creates a new HTTP setting and adds a new rule, assuming the backend pool and the listener already exist.

## Add the trusted root certificate to the Application Gateway

$gw=Get-AzApplicationGateway -Name appgwv2 -ResourceGroupName rgOne

Add-AzApplicationGatewayTrustedRootCertificate `
   -ApplicationGateway $gw `
   -Name CustomCARoot `
   -CertificateFile "C:\Users\surmb\Downloads\contoso.cer"

$trustedroot = Get-AzApplicationGatewayTrustedRootCertificate `
   -Name CustomCARoot `
   -ApplicationGateway $gw

## Get the listener, backend pool and probe

$listener = Get-AzApplicationGatewayHttpListener `
   -Name basichttps `
   -ApplicationGateway $gw

$bepool = Get-AzApplicationGatewayBackendAddressPool `
  -Name testbackendpool `
  -ApplicationGateway $gw

Add-AzApplicationGatewayProbeConfig `
  -ApplicationGateway $gw `
  -Name testprobe `
  -Protocol Https `
  -HostName "www.fabrikam.com" `
  -Path "/" `
  -Interval 15 `
  -Timeout 20 `
  -UnhealthyThreshold 3

$probe = Get-AzApplicationGatewayProbeConfig `
  -Name testprobe `
  -ApplicationGateway $gw

## Add the configuration to the HTTP Setting and don't forget to set the "hostname" field
## to the domain name of the server certificate as this will be set as the SNI header and
## will be used to verify the backend server's certificate. Note that TLS handshake will
## fail otherwise and might lead to backend servers being deemed as Unhealthy by the probes

Add-AzApplicationGatewayBackendHttpSettings `
  -ApplicationGateway $gw `
  -Name testbackend `
  -Port 443 `
  -Protocol Https `
  -Probe $probe `
  -TrustedRootCertificate $trustedroot `
  -CookieBasedAffinity Disabled `
  -RequestTimeout 20 `
  -HostName www.fabrikam.com

## Get the configuration and update the Application Gateway

$backendhttp = Get-AzApplicationGatewayBackendHttpSettings `
  -Name testbackend `
  -ApplicationGateway $gw

Add-AzApplicationGatewayRequestRoutingRule `
  -ApplicationGateway $gw `
  -Name testrule `
  -RuleType Basic `
  -BackendHttpSettings $backendhttp `
  -HttpListener $listener `
  -BackendAddressPool $bepool

Set-AzApplicationGateway -ApplicationGateway $gw 

Verify the application gateway backend health

  1. Open the Backend Health view of your application gateway to check whether the probe is healthy.
  2. You should see that the Status is Healthy for the HTTPS probe.


Next steps

To learn more about SSL/TLS in Application Gateway, see Overview of TLS termination and end to end TLS with Application Gateway.