Generate certificate signing requests for Azure Stack Hub

You can use the Azure Stack Hub Readiness Checker tool to create certificate signing requests (CSRs) suitable for an Azure Stack Hub deployment. Certificates should be requested, generated, and validated with enough time to test them before deployment. You can get the tool from the PowerShell Gallery.

You can use the Azure Stack Hub Readiness Checker tool (AzsReadinessChecker) to request the following certificates:

Prerequisites

Your system should meet the following prerequisites before generating any CSRs for PKI certificates for an Azure Stack Hub deployment:

  • Azure Stack Hub Readiness Checker

  • Certificate attributes:

    • Region name
    • External fully qualified domain name (FQDN)
    • Subject
  • Windows 10 or Windows Server 2016 or later

    Note

    When you receive your certificates back from your certificate authority, the steps in Prepare Azure Stack Hub PKI certificates must be completed on the same system.

Generate certificate signing requests for new deployments

Use these steps to prepare certificate signing requests for new Azure Stack Hub PKI certificates:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker
    
  2. Declare the subject. For example:

    $subject = "C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack Hub"
    

    Note

    If a common name (CN) is supplied, it is configured on every certificate request. If the CN is omitted, the first DNS name of the Azure Stack Hub service is configured on the certificate request.

  3. Declare an output directory that already exists. For example:

    $outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
    
  4. Declare the identity system.

    Azure Active Directory (Azure AD):

    $IdentitySystem = "AAD"
    

    Active Directory Federation Services (AD FS):

    $IdentitySystem = "ADFS"
    

    Note

    This parameter is required only for the Deployment CertificateType.

  5. Declare the region name and the external FQDN intended for the Azure Stack Hub deployment.

    $regionName = 'east'
    $externalFQDN = 'azurestack.contoso.com'
    

    Note

    <regionName>.<externalFQDN> forms the basis on which all external DNS names in Azure Stack Hub are created. In this example, the portal would be portal.east.azurestack.contoso.com.

  6. To generate certificate signing requests for deployment, run:

    New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
    

    To generate certificate requests for other Azure Stack Hub services, change the value for -CertificateType. For example:

    # App Services
    New-AzsHubAppServicesCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # DBAdapter
    New-AzsHubDbAdapterCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # EventHubs
    New-AzsHubEventHubsCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
    # IoTHub
    New-AzsHubIoTHubCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -subject $subject -OutputRequestPath $OutputDirectory
    
  7. Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):

    New-AzsHubDeploymentCertificateSigningRequest -RegionName $regionName -FQDN $externalFQDN -RequestType SingleCSR -subject $subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem
    
  8. Review the output:

    Starting Certificate Request Process for Deployment
    CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
    Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710165538.req
    Certreq.exe output: CertReq: Request Created
    
  9. Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) to submit to a certificate authority. For your reference, the directory also contains a child directory holding the INF file(s) used during certificate request generation. Be sure that the certificates your CA generates from your request meet the Azure Stack Hub PKI requirements.
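As an added example (not from this article or from the ReadinessChecker module), the following PowerShell wraps steps 2 through 6 above in one function that checks the inputs before calling the cmdlet and then dumps each generated request so the subject and SAN list can be reviewed before the files go to the CA. The function name New-AzsDeploymentCsrChecked and its input checks are this example's own; the cmdlet and parameter names are the ones shown above, and the sample values at the bottom are the article's own.

```powershell
# Added example: validated wrapper around New-AzsHubDeploymentCertificateSigningRequest.
# Requires the Microsoft.AzureStack.ReadinessChecker module to be installed (step 1).
function New-AzsDeploymentCsrChecked {
    param(
        [Parameter(Mandatory)] [string] $RegionName,
        [Parameter(Mandatory)] [string] $ExternalFQDN,
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string] $OutputDirectory,
        [Parameter(Mandatory)] [ValidateSet('AAD', 'ADFS')] [string] $IdentitySystem
    )

    # The cmdlet expects the output directory to exist already (step 3).
    if (-not (Test-Path -Path $OutputDirectory -PathType Container)) {
        New-Item -Path $OutputDirectory -ItemType Directory | Out-Null
    }

    # Region name and FQDN become DNS labels of every SAN; reject anything that is not hostname-safe.
    if ($RegionName -notmatch '^[a-z0-9-]+$') {
        throw "Region name '$RegionName' is not a valid DNS label."
    }
    if ($ExternalFQDN -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]+$') {
        throw "External FQDN '$ExternalFQDN' is not a valid DNS name."
    }

    # Basic shape check for the subject: comma-separated RDNs such as C=US,O=Contoso.
    if ($Subject -notmatch '^[A-Za-z]+=[^,]+(,[A-Za-z]+=[^,]+)*$') {
        throw "Subject '$Subject' is not in X.500 form (C=..,ST=..,O=..)."
    }

    Import-Module Microsoft.AzureStack.ReadinessChecker -ErrorAction Stop

    New-AzsHubDeploymentCertificateSigningRequest -RegionName $RegionName -FQDN $ExternalFQDN `
        -subject $Subject -OutputRequestPath $OutputDirectory -IdentitySystem $IdentitySystem

    # Dump each .req so the subject and DNS SANs can be checked against the expected
    # <service>.<region>.<fqdn> names before anything is submitted to the CA.
    Get-ChildItem -Path $OutputDirectory -Filter '*.req' | ForEach-Object {
        Write-Host "==== $($_.Name) ===="
        certutil.exe -dump $_.FullName | Select-String -Pattern 'Subject:|DNS Name='
    }
}

New-AzsDeploymentCsrChecked -RegionName 'east' -ExternalFQDN 'azurestack.contoso.com' `
    -Subject 'C=US,ST=Washington,L=Redmond,O=Microsoft,OU=Azure Stack Hub' `
    -OutputDirectory "$env:USERPROFILE\Documents\AzureStackCSR" -IdentitySystem 'AAD'
```

Compare the printed DNS Name= lines with the SAN list shown in the output of step 8; a missing or unexpected name means the region or FQDN was declared incorrectly and the request should be regenerated rather than submitted.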

Generate certificate signing requests for certificate renewal

Use these steps to prepare certificate signing requests for renewal of existing Azure Stack Hub PKI certificates:

  1. Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker
    
  2. Declare the stampEndpoint of the Azure Stack Hub system in the form regionname.domain.com. For example, if the Azure Stack Hub tenant portal address is https://portal.east.azurestack.contoso.com:

    $stampEndpoint = 'east.azurestack.contoso.com'
    

    Note

    HTTPS connectivity to the Azure Stack Hub system above is required. The Readiness Checker uses the stampEndpoint (region and domain) to locate an existing certificate for the requested certificate type. For example, for Deployment certificates the tool prepends 'portal', so portal.east.azurestack.contoso.com is used for certificate cloning; for App Services it uses sso.appservices.east.azurestack.contoso.com, and so on. The certificate bound to the computed endpoint is used to clone attributes such as subject, key length, and signature algorithm. If you want to change any of these attributes, follow the steps in Generate certificate signing requests for new deployments instead.

  3. Declare an output directory that already exists. For example:

    $outputDirectory = "$ENV:USERPROFILE\Documents\AzureStackCSR"
    
  4. To generate certificate signing requests for deployment, run:

    New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    

    To generate certificate requests for other Azure Stack Hub services, use:

    # App Services
    New-AzsHubAppServicesCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # DBAdapter
    New-AzsHubDBAdapterCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # EventHubs
    New-AzsHubEventHubsCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
    # IoTHub
    New-AzsHubIotHubCertificateSigningRequest -StampEndpoint $stampEndpoint -OutputRequestPath $OutputDirectory
    
  5. Alternatively, for Dev/Test environments, to generate a single certificate request with multiple Subject Alternative Names, add the -RequestType SingleCSR parameter and value (not recommended for production environments):

    New-AzsHubDeploymentCertificateSigningRequest -StampEndpoint $stampendpoint -OutputRequestPath $OutputDirectory -RequestType SingleCSR
    
  6. Review the output:

    Querying StampEndpoint portal.east.azurestack.contoso.com for existing certificate
    Starting Certificate Request Process for Deployment
    CSR generating for following SAN(s): *.adminhosting.east.azurestack.contoso.com,*.adminvault.east.azurestack.contoso.com,*.blob.east.azurestack.contoso.com,*.hosting.east.azurestack.contoso.com,*.queue.east.azurestack.contoso.com,*.table.east.azurestack.contoso.com,*.vault.east.azurestack.contoso.com,adminmanagement.east.azurestack.contoso.com,adminportal.east.azurestack.contoso.com,management.east.azurestack.contoso.com,portal.east.azurestack.contoso.com
    Present this CSR to your Certificate Authority for Certificate Generation: C:\Users\[*redacted*]\Documents\AzureStackCSR\Deployment_east_azurestack_contoso_com_SingleCSR_CertRequest_20200710122723.req
    Certreq.exe output: CertReq: Request Created
    
  7. Submit the generated .REQ file to your CA (either internal or public). The output directory of New-AzsCertificateSigningRequest contains the CSR(s) to submit to a certificate authority. For your reference, the directory also contains a child directory holding the INF file(s) used during certificate request generation. Be sure that the certificates your CA generates from your request meet the Azure Stack Hub PKI requirements.
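The note in step 2 says the renewal cmdlets clone subject, key length and signature algorithm from the certificate currently bound to <prefix>.<stampEndpoint>, and that HTTPS connectivity to it is required. As an added example (not from this article or the ReadinessChecker module), the following read-only PowerShell fetches that certificate and shows exactly those attributes, the chain status and the remaining lifetime, so you can confirm what will be cloned before running step 4. The function name Get-AzsStampCertificateInfo is this example's own; the endpoint and prefixes are the article's.

```powershell
# Added example: inspect the certificate the Readiness Checker will clone from.
# Read-only; it connects over TLS and changes nothing on the Azure Stack Hub system.
function Get-AzsStampCertificateInfo {
    param(
        [Parameter(Mandatory)] [string] $StampEndpoint,   # e.g. east.azurestack.contoso.com
        [string] $ServicePrefix = 'portal'                 # 'portal' for Deployment, 'sso.appservices' for App Services
    )
    $target = "$ServicePrefix.$StampEndpoint"
    $tcp = [System.Net.Sockets.TcpClient]::new($target, 443)
    try {
        # Accept the presented certificate only to capture it; chain validity is evaluated separately below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($target)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }

    # Build the chain with the local trust store so an untrusted or expired issuer is reported, not hidden.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chainOk = $chain.Build($cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyLength = if ($rsa) { $rsa.KeySize } else { 'non-RSA key' }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Endpoint           = $target
        Subject            = $cert.Subject                         # cloned into the renewal CSR
        KeyLength          = $keyLength                            # cloned
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName # cloned
        SubjectAltNames    = $sanText
        NotAfter           = $cert.NotAfter
        DaysRemaining      = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        ChainValid         = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-AzsStampCertificateInfo -StampEndpoint 'east.azurestack.contoso.com' | Format-List
Get-AzsStampCertificateInfo -StampEndpoint 'east.azurestack.contoso.com' -ServicePrefix 'sso.appservices' | Format-List
```

If the reported key length or signature algorithm is weaker than you want to carry into the renewed certificate, or the name set no longer matches the services you run, use the new-deployment procedure above instead of cloning.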

Next steps

Prepare Azure Stack Hub PKI certificates