Azure Stack public key infrastructure certificate requirements

Azure Stack has a public infrastructure network that uses externally accessible public IP addresses assigned to a small set of Azure Stack services and, possibly, to tenant VMs. PKI certificates with the appropriate DNS names for these Azure Stack public infrastructure endpoints are required during Azure Stack deployment. This article provides information about:

  • What certificates are required to deploy Azure Stack
  • The process of obtaining certificates that match those specifications
  • How to prepare, validate, and use those certificates during deployment

Note

During deployment you must copy the certificates into the deployment folder that matches the identity provider you are deploying against (Azure AD or AD FS). If you use a single certificate for all endpoints, you must copy that certificate file into each deployment folder as outlined in the tables below. The folder structure is pre-built in the deployment virtual machine at C:\CloudDeployment\Setup\Certificates.

Certificate requirements

The following list describes the certificate requirements that must be met to deploy Azure Stack:

  • Certificates must be issued from either an internal certificate authority or a public certificate authority. If a public certificate authority is used, it must be included in the base operating system image as part of the Microsoft Trusted Root Certificate Program. The full list is available here: https://gallery.technet.microsoft.com/Trusted-Root-Certificate-123665ca
  • Your Azure Stack infrastructure must have network access to the certificate authority's Certificate Revocation List (CRL) location published in the certificate. This CRL must be an http endpoint (not https or LDAP).
  • When rotating certificates in pre-1903 builds, the new certificates must be issued either from the same internal certificate authority that signed the certificates provided at deployment, or from any public certificate authority in the program above. From 1903 onward, certificates can be issued by any enterprise or public certificate authority.
  • Self-signed certificates are not supported.
  • For deployment and rotation you can either use a single certificate that covers all namespaces in its Subject Name and Subject Alternative Name (SAN) fields, or use individual certificates for each of the namespaces below that the Azure Stack services you plan to use require. Both approaches require wildcard names for the endpoints that need them, such as KeyVault and KeyVaultInternal.
  • The certificate format must be PFX, because both the public and private keys are required for Azure Stack installation. The private key must have the local machine key attribute set.
  • The PFX encryption must be 3DES (the default when exporting from a Windows 10 client or Windows Server 2016 certificate store).
  • The certificate signature algorithm must not be SHA1.
  • The certificate's "Key Usage" field must include the "Digital Signature" and "Key Encipherment" values.
  • The certificate's "Enhanced Key Usage" field must include the "Server Authentication (1.3.6.1.5.5.7.3.1)" and "Client Authentication (1.3.6.1.5.5.7.3.2)" values.
  • The certificate's "Issued to:" field must not be the same as its "Issued by:" field.
  • At the time of deployment, all certificate PFX files must use the same password.
  • The PFX password must be a complex password: a minimum of eight characters, containing at least three of the following: uppercase letters, lowercase letters, digits 0-9, special characters, and alphabetical characters that are neither uppercase nor lowercase. Make note of this password; you will use it as a deployment parameter.
  • Ensure that the subject name and the subject alternative names in the Subject Alternative Name extension (x509v3_config) match, that is, the subject's common name is also listed as a SAN entry. The Subject Alternative Name field lets you specify additional host names (websites, IP addresses, common names) to be protected by a single SSL certificate.
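The checks above can be scripted against a PFX before it is copied into the deployment folders. The following PowerShell is an added example, not a script from the Azure Stack documentation or deployment tooling; the file path and password in the usage call are assumptions, and the small DER walker is used instead of X509Extension.Format() so the SAN and CRL checks do not depend on localized Windows text.

```powershell
# Added example, not part of the Azure Stack documentation: checks one PFX file
# against the requirements listed above. The path and password in the usage call
# at the bottom are assumptions; point them at a real PFX.

function Test-AzsPfxPassword {
    # Minimum eight characters and at least three of the five character classes
    # named above: uppercase, lowercase, digit, special character, and a letter
    # that is neither uppercase nor lowercase (Unicode category Lo).
    param([Parameter(Mandatory)][string]$Password)
    $classes = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -match '[0-9]'),
        ($Password -match '[^\p{L}\p{Nd}]'),
        ($Password -match '\p{Lo}')
    )
    $met = @($classes | Where-Object { $_ }).Count
    return ($Password.Length -ge 8) -and ($met -ge 3)
}

function Get-Asn1TaggedStrings {
    # Minimal DER walker: emits the content of every primitive element carrying
    # the given context-specific tag, descending into constructed elements.
    # Used for dNSName ([2] = 0x82) in the SAN extension and URI ([6] = 0x86) in
    # the CRL Distribution Points extension.
    param([byte[]]$Der, [int]$Tag)
    $pos = 0
    while ($pos -lt $Der.Length) {
        $tag = [int]$Der[$pos]; $pos++
        $len = [int]$Der[$pos]; $pos++
        if ($len -band 0x80) {                       # long-form length
            $n = $len -band 0x7F; $len = 0
            for ($i = 0; $i -lt $n; $i++) { $len = ($len * 256) + [int]$Der[$pos]; $pos++ }
        }
        if ($len -gt 0) {
            $body = [byte[]]($Der[$pos..($pos + $len - 1)])
            if ($tag -band 0x20) {                   # constructed: recurse
                Get-Asn1TaggedStrings -Der $body -Tag $Tag
            } elseif ($tag -eq $Tag) {
                [System.Text.Encoding]::ASCII.GetString($body)
            }
        }
        $pos += $len
    }
}

function Test-AzsPfxRequirements {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$Password
    )
    # The constructor only succeeds with the right password; the key goes into
    # the default, non-persisted key set so the check leaves nothing behind.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password

    $ext = @{}
    foreach ($e in $cert.Extensions) { $ext[$e.Oid.Value] = $e }
    $ku  = $ext['2.5.29.15']   # Key Usage
    $eku = $ext['2.5.29.37']   # Enhanced Key Usage
    $cdp = $ext['2.5.29.31']   # CRL Distribution Points
    $san = $ext['2.5.29.17']   # Subject Alternative Name

    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $kuOk = $false
    if ($ku) { $kuOk = $ku.KeyUsages.HasFlag($kuFlags::DigitalSignature) -and $ku.KeyUsages.HasFlag($kuFlags::KeyEncipherment) }
    $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $crlUrls = @(); if ($cdp) { $crlUrls = @(Get-Asn1TaggedStrings -Der $cdp.RawData -Tag 0x86) }
    $sanDns  = @(); if ($san) { $sanDns  = @(Get-Asn1TaggedStrings -Der $san.RawData -Tag 0x82) }
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    $checks = [ordered]@{
        HasPrivateKey      = $cert.HasPrivateKey
        NotSelfSigned      = ($cert.Subject -ne $cert.Issuer)          # "Issued to" differs from "Issued by"
        SignatureNotSha1   = ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha1')
        KeyUsageOk         = $kuOk                                     # Digital Signature + Key Encipherment
        EkuServerAndClient = ('1.3.6.1.5.5.7.3.1' -in $ekuOids) -and ('1.3.6.1.5.5.7.3.2' -in $ekuOids)
        CrlHasHttpEndpoint = (@($crlUrls | Where-Object { $_ -like 'http://*' }).Count -gt 0)
        SubjectCnInSan     = ($sanDns -contains $cn)                   # subject name also present as a SAN entry
        PasswordComplexity = (Test-AzsPfxPassword -Password $Password)
    }
    $cert.Reset()                                                      # release the key handle

    $result = [pscustomobject]$checks
    $result | Add-Member -MemberType NoteProperty -Name Pass -Value (-not (@($checks.Values) -contains $false))
    $result | Add-Member -MemberType NoteProperty -Name SanDnsNames -Value $sanDns
    $result | Add-Member -MemberType NoteProperty -Name CrlUrls -Value $crlUrls
    return $result
}

# Usage with an assumed path and password; Pass is $true only when every check is.
Test-AzsPfxRequirements -PfxPath 'C:\certs\portal.pfx' -Password 'Azs-Example-P@ss1' | Format-List
```

Two requirements from the list are properties of the PKCS#12 envelope rather than of the certificate, so this script cannot see them: the 3DES PFX encryption and the local machine key attribute. Confirm both at export time. Export-PfxCertificate on Windows Server 2016 uses 3DES by default; on later builds whose Export-PfxCertificate has a -CryptoAlgorithmOption parameter, pass TripleDES_SHA1 explicitly rather than relying on the default.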

Note

Intermediate certificate authorities in a certificate's chain of trust ARE supported; only self-signed certificates are not.

Mandatory certificates

The table in this section describes the Azure Stack public endpoint PKI certificates that are required for both Azure AD and AD FS deployments of Azure Stack. Certificate requirements are grouped by area, as well as by the namespaces used and the certificates required for each namespace. The table also names the folder into which your solution provider copies the certificate for each public endpoint.

Certificates with the appropriate DNS names for each Azure Stack public infrastructure endpoint are required. Each endpoint's DNS name is expressed in the format <prefix>.<region>.<fqdn>.

For your deployment, the [region] and [externalfqdn] values must match the region and external domain name that you chose for your Azure Stack system. For example, if the region name is Redmond and the external domain name is contoso.com, the DNS names have the format <prefix>.redmond.contoso.com. The <prefix> values are predesignated by Microsoft and describe the endpoint secured by the certificate; the <prefix> of each external infrastructure endpoint depends on the Azure Stack service that uses it.

Note

For production environments, we recommend generating an individual certificate for each endpoint and copying it into the corresponding directory. For development environments, a single wildcard certificate covering all namespaces in the Subject and Subject Alternative Name (SAN) fields can be provided and copied into all directories. A single certificate covering all endpoints and services is an insecure posture, because its one private key is then present on every service and the compromise of any one of them exposes all of them, so this is for development only. Remember that both options still require wildcard certificates for endpoints such as ACS and Key Vault where the tables mark them as required.

Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | SubDomain namespace
--- | --- | --- | ---
Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn>
Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn>
Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn>
Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn>
ACSBlob | *.blob.<region>.<fqdn> (wildcard SSL certificate) | Blob Storage | blob.<region>.<fqdn>
ACSTable | *.table.<region>.<fqdn> (wildcard SSL certificate) | Table Storage | table.<region>.<fqdn>
ACSQueue | *.queue.<region>.<fqdn> (wildcard SSL certificate) | Queue Storage | queue.<region>.<fqdn>
KeyVault | *.vault.<region>.<fqdn> (wildcard SSL certificate) | Key Vault | vault.<region>.<fqdn>
KeyVaultInternal | *.adminvault.<region>.<fqdn> (wildcard SSL certificate) | Internal Key Vault | adminvault.<region>.<fqdn>
Admin Extension Host | *.adminhosting.<region>.<fqdn> (wildcard SSL certificate) | Admin Extension Host | adminhosting.<region>.<fqdn>
Public Extension Host | *.hosting.<region>.<fqdn> (wildcard SSL certificate) | Public Extension Host | hosting.<region>.<fqdn>

If you deploy Azure Stack using the Azure AD deployment mode, you only need to request the certificates listed in the previous table. If you deploy Azure Stack using the AD FS deployment mode, you must also request the certificates described in the following table:

Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | SubDomain namespace
--- | --- | --- | ---
ADFS | adfs.<region>.<fqdn> (SSL certificate) | ADFS | <region>.<fqdn>
Graph | graph.<region>.<fqdn> (SSL certificate) | Graph | <region>.<fqdn>
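The two tables above are easy to get wrong by hand, in particular the distinction between a host name that a wildcard one label above it covers and an endpoint that needs the literal "*." in the certificate. The following PowerShell is an added example, not part of the Azure Stack documentation or tooling: it generates the required names for a region and external FQDN (folder names taken from the tables' first column, AD FS rows added only for that identity provider) and reports which names a certificate's SAN list covers. The SAN list at the bottom is constructed for the page's Redmond / contoso.com example.

```powershell
# Added example, not part of the Azure Stack documentation: builds the endpoint
# names the two tables above require for a region and external FQDN and reports
# whether a certificate's SAN entries cover each of them.

function Get-AzsRequiredCertificateNames {
    param(
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][string]$Fqdn,
        [ValidateSet('AzureAD', 'ADFS')][string]$IdentityProvider = 'AzureAD'
    )
    $suffix = "$Region.$Fqdn".ToLowerInvariant()
    # Deployment folder => required subject/SAN, from the mandatory table.
    $required = [ordered]@{
        'Public Portal'                 = "portal.$suffix"
        'Admin Portal'                  = "adminportal.$suffix"
        'Azure Resource Manager Public' = "management.$suffix"
        'Azure Resource Manager Admin'  = "adminmanagement.$suffix"
        'ACSBlob'                       = "*.blob.$suffix"
        'ACSTable'                      = "*.table.$suffix"
        'ACSQueue'                      = "*.queue.$suffix"
        'KeyVault'                      = "*.vault.$suffix"
        'KeyVaultInternal'              = "*.adminvault.$suffix"
        'Admin Extension Host'          = "*.adminhosting.$suffix"
        'Public Extension Host'         = "*.hosting.$suffix"
    }
    if ($IdentityProvider -eq 'ADFS') {           # second table: AD FS deployments only
        $required['ADFS']  = "adfs.$suffix"
        $required['Graph'] = "graph.$suffix"
    }
    foreach ($folder in $required.Keys) {
        [pscustomobject]@{ DeploymentFolder = $folder; RequiredName = $required[$folder] }
    }
}

function Test-AzsSanCoverage {
    param(
        [Parameter(Mandatory)][string[]]$SanNames,   # DNS names from the certificate's SAN extension
        [Parameter(Mandatory)][string]$Region,
        [Parameter(Mandatory)][string]$Fqdn,
        [ValidateSet('AzureAD', 'ADFS')][string]$IdentityProvider = 'AzureAD'
    )
    $sans = @($SanNames | ForEach-Object { $_.ToLowerInvariant() })
    foreach ($req in (Get-AzsRequiredCertificateNames -Region $Region -Fqdn $Fqdn -IdentityProvider $IdentityProvider)) {
        $name = $req.RequiredName
        $covered = $sans -contains $name             # exact match, including the literal "*." for wildcard endpoints
        if (-not $covered -and -not $name.StartsWith('*.')) {
            # A plain host name is also covered by a wildcard one label above it
            # (portal.redmond.contoso.com by *.redmond.contoso.com). A wildcard
            # endpoint is not: the certificate itself must carry "*.blob.<region>.<fqdn>".
            $parent  = '*.' + $name.Substring($name.IndexOf('.') + 1)
            $covered = $sans -contains $parent
        }
        [pscustomobject]@{ DeploymentFolder = $req.DeploymentFolder; RequiredName = $name; Covered = $covered }
    }
}

# Constructed SAN list of a single development-style certificate (see the note
# above): one wildcard for the host-name endpoints plus one per wildcard endpoint.
$devSan = @(
    '*.redmond.contoso.com',
    '*.blob.redmond.contoso.com', '*.table.redmond.contoso.com', '*.queue.redmond.contoso.com',
    '*.vault.redmond.contoso.com', '*.adminvault.redmond.contoso.com',
    '*.adminhosting.redmond.contoso.com', '*.hosting.redmond.contoso.com'
)
Test-AzsSanCoverage -SanNames $devSan -Region 'Redmond' -Fqdn 'contoso.com' -IdentityProvider 'ADFS' |
    Format-Table -AutoSize
# Every row shows Covered = True. Remove '*.vault.redmond.contoso.com' from $devSan and
# the KeyVault row turns False even though '*.redmond.contoso.com' is still present.
```

For a real certificate, pass the DNS names read from its Subject Alternative Name extension. When staging a single certificate, the DeploymentFolder column is the list of folders the PFX has to be copied into under the identity-provider folder below C:\CloudDeployment\Setup\Certificates; a row with Covered = False is a folder whose endpoint that certificate will not serve.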

Important

All the certificates listed in this section must have the same password.

Optional PaaS certificates

If you plan to deploy the additional Azure Stack PaaS services (SQL, MySQL, and App Service) after Azure Stack has been deployed and configured, you need to request additional certificates to cover the endpoints of those PaaS services.

Important

The certificates you use for the App Service, SQL, and MySQL resource providers must chain to the same root authority as the certificates used for the global Azure Stack endpoints.

The following table describes the endpoints and certificates required for the SQL and MySQL adapters and for App Service. You don't need to copy these certificates into the Azure Stack deployment folder; instead, you provide them when you install the additional resource providers.

Scope (per region) | Certificate | Required certificate subject and Subject Alternative Names (SANs) | SubDomain namespace
--- | --- | --- | ---
SQL, MySQL | SQL and MySQL | *.dbadapter.<region>.<fqdn> (wildcard SSL certificate) | dbadapter.<region>.<fqdn>
App Service | Web Traffic Default SSL Cert | *.appservice.<region>.<fqdn>, *.scm.appservice.<region>.<fqdn>, *.sso.appservice.<region>.<fqdn> (multi-domain wildcard SSL certificate, note 1) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
App Service | API | api.appservice.<region>.<fqdn> (SSL certificate, note 2) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
App Service | FTP | ftp.appservice.<region>.<fqdn> (SSL certificate, note 2) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>
App Service | SSO | sso.appservice.<region>.<fqdn> (SSL certificate, note 2) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn>

1 Requires one certificate with multiple wildcard subject alternative names. Not all public certificate authorities support multiple wildcard SANs on a single certificate.

2 A *.appservice.<region>.<fqdn> wildcard certificate cannot be used in place of these three certificates (api.appservice.<region>.<fqdn>, ftp.appservice.<region>.<fqdn>, and sso.appservice.<region>.<fqdn>). App Service explicitly requires separate certificates for these endpoints.

Learn more

Learn how to generate PKI certificates for Azure Stack deployment.

Next steps

Identity integration