Azure Stack Hub public key infrastructure (PKI) certificate requirements

Azure Stack Hub has a public infrastructure network using externally accessible public IP addresses assigned to a small set of Azure Stack Hub services and possibly tenant VMs. PKI certificates with the appropriate DNS names for these Azure Stack Hub public infrastructure endpoints are required during Azure Stack Hub deployment. This article provides information about:

  • Certificate requirements for Azure Stack Hub.
  • Mandatory certificates required for Azure Stack Hub deployment.
  • Optional certificates required when deploying value-add resource providers.

Note

Azure Stack Hub by default also uses certificates issued from an internal Active Directory-integrated certificate authority (CA) for authentication between the nodes. To validate the certificate, all Azure Stack Hub infrastructure machines trust the root certificate of the internal CA by means of adding that certificate to their local certificate store. There's no pinning or filtering of certificates in Azure Stack Hub. The SAN of each server certificate is validated against the FQDN of the target. The entire chain of trust is also validated, along with the certificate expiration date (standard TLS server authentication without certificate pinning).

Certificate requirements

The following list describes the general certificate issuance, security, and formatting requirements:

  • Certificates must be issued from either an internal certificate authority or a public certificate authority. If a public certificate authority is used, it must be included in the base operating system image as part of the Microsoft Trusted Root Authority Program. For the full list, see Microsoft Trusted Root Certificate Program: Participants.
  • Your Azure Stack Hub infrastructure must have network access to the certificate authority's Certificate Revocation List (CRL) location published in the certificate. This CRL must be an http endpoint.
  • When rotating certificates in pre-1903 builds, certificates must be either issued from the same internal certificate authority used to sign certificates provided at deployment or any public certificate authority from above.
  • When rotating certificates for builds 1903 and later, certificates can be issued by any enterprise or public certificate authority.
  • The use of self-signed certificates isn't supported.
  • For deployment and rotation, you can either use a single certificate covering all namespaces in the certificate's Subject Name and Subject Alternative Name (SAN) fields, OR you can use individual certificates for each of the namespaces below that the Azure Stack Hub services you plan to utilize require. Both approaches require using wildcards for endpoints where they're required, such as KeyVault and KeyVaultInternal.
  • The certificate's PFX encryption should be 3DES.
  • The certificate signature algorithm shouldn't be SHA1.
  • The certificate format must be PFX, as both the public and private keys are required for Azure Stack Hub installation. The private key must have the local machine key attribute set.
  • The PFX encryption must be 3DES (this encryption is the default when exporting from a Windows 10 client or Windows Server 2016 certificate store).
  • The certificate pfx files must have the values "Digital Signature" and "KeyEncipherment" in the "Key Usage" field.
  • The certificate pfx files must have the values "Server Authentication (1.3.6.1.5.5.7.3.1)" and "Client Authentication (1.3.6.1.5.5.7.3.2)" in the "Enhanced Key Usage" field.
  • The certificate's "Issued to:" field must not be the same as its "Issued by:" field.
  • The passwords to all certificate pfx files must be the same at the time of deployment.
  • The password to the certificate pfx has to be a complex password. Make note of this password because you'll use it as a deployment parameter. The password must meet the following password complexity requirements:
    • A minimum length of eight characters.
    • At least three of the following character classes: uppercase letter, lowercase letter, numbers from 0-9, special characters, alphabetical character that's not uppercase or lowercase.
  • Ensure that the subject names and subject alternative names in the subject alternative name extension (x509v3_config) match. The subject alternative name field lets you specify additional host names (websites, IP addresses, common names) to be protected by a single SSL certificate.

Note

Self-signed certificates aren't supported.
When deploying Azure Stack Hub in disconnected mode, it is recommended to use certificates issued by an enterprise certificate authority. This is important because clients accessing Azure Stack Hub endpoints must be able to contact the certificate revocation list (CRL).

Note

The presence of intermediate certificate authorities in a certificate's chain of trust is supported.

Mandatory certificates

The table in this section describes the Azure Stack Hub public endpoint PKI certificates that are required for both Azure AD and AD FS Azure Stack Hub deployments. Certificate requirements are grouped by area, as well as the namespaces used and the certificates that are required for each namespace. The table also describes the folder in which your solution provider copies the different certificates per public endpoint.

Certificates with the appropriate DNS names for each Azure Stack Hub public infrastructure endpoint are required. Each endpoint's DNS name is expressed in the format: <prefix>.<region>.<fqdn>.

For your deployment, the [region] and [externalfqdn] values must match the region and external domain names that you chose for your Azure Stack Hub system. As an example, if the region name was Redmond and the external domain name was contoso.com, the DNS names would have the format <prefix>.redmond.contoso.com. The <prefix> values are predesignated by Microsoft to describe the endpoint secured by the certificate. In addition, the <prefix> values of the external infrastructure endpoints depend on the Azure Stack Hub service that uses the specific endpoint.

For production environments, we recommend that individual certificates are generated for each endpoint and copied into the corresponding directory. For development environments, certificates can be provided as a single wildcard certificate covering all namespaces in the Subject and Subject Alternative Name (SAN) fields, copied into all directories. A single certificate covering all endpoints and services is an insecure posture and hence development-only. Remember, both options require you to use wildcard certificates for endpoints like acs and Key Vault where they're required.

Note

During deployment, you must copy certificates to the deployment folder that matches the identity provider you're deploying against (Azure AD or AD FS). If you use a single certificate for all endpoints, you must copy that certificate file into each deployment folder as outlined in the following tables. The folder structure is pre-built in the deployment virtual machine and can be found at: C:\CloudDeployment\Setup\Certificates.

| Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| ACSBlob | *.blob.<region>.<fqdn> (Wildcard SSL Certificate) | Blob Storage | blob.<region>.<fqdn> |
| ACSTable | *.table.<region>.<fqdn> (Wildcard SSL Certificate) | Table Storage | table.<region>.<fqdn> |
| ACSQueue | *.queue.<region>.<fqdn> (Wildcard SSL Certificate) | Queue Storage | queue.<region>.<fqdn> |
| KeyVault | *.vault.<region>.<fqdn> (Wildcard SSL Certificate) | Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal | *.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) | Internal Key Vault | adminvault.<region>.<fqdn> |
| Admin Extension Host | *.adminhosting.<region>.<fqdn> (Wildcard SSL Certificate) | Admin Extension Host | adminhosting.<region>.<fqdn> |
| Public Extension Host | *.hosting.<region>.<fqdn> (Wildcard SSL Certificate) | Public Extension Host | hosting.<region>.<fqdn> |

If you deploy Azure Stack Hub using the Azure AD deployment mode, you only need to request the certificates listed in the previous table. But if you deploy Azure Stack Hub using the AD FS deployment mode, you must also request the certificates described in the following table:

| Deployment folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| ADFS | adfs.<region>.<fqdn> (SSL Certificate) | ADFS | <region>.<fqdn> |
| Graph | graph.<region>.<fqdn> (SSL Certificate) | Graph | <region>.<fqdn> |

Important

All the certificates listed in this section must have the same password.
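The following is an added example, not Microsoft's tooling and not code from this page: it expands the two tables above into the concrete subject/SAN names for a given region and external FQDN, reports which deployment folders' certificates fall short (including the case of a single development wildcard, which cannot satisfy the wildcard folders), and applies the PFX password rule from the requirements list. The region, FQDN and SAN values used to exercise it are constructed.

```python
import string

# Required subject/SAN names per deployment folder, as <prefix> templates from the
# tables above; "*." entries are the wildcard certificates those tables call for.
REQUIRED_NAMES = {
    "Public Portal": ["portal"], "Admin Portal": ["adminportal"],
    "Azure Resource Manager Public": ["management"],
    "Azure Resource Manager Admin": ["adminmanagement"],
    "ACSBlob": ["*.blob"], "ACSTable": ["*.table"], "ACSQueue": ["*.queue"],
    "KeyVault": ["*.vault"], "KeyVaultInternal": ["*.adminvault"],
    "Admin Extension Host": ["*.adminhosting"], "Public Extension Host": ["*.hosting"],
}
ADFS_ONLY = {"ADFS": ["adfs"], "Graph": ["graph"]}  # extra folders for AD FS deployments

def required_names(region, fqdn, identity="AzureAD"):
    """Expand the <prefix>.<region>.<fqdn> templates for one deployment."""
    folders = dict(REQUIRED_NAMES, **(ADFS_ONLY if identity == "ADFS" else {}))
    return {f: [f"{p}.{region}.{fqdn}".lower() for p in ps] for f, ps in folders.items()}

def name_matches(san, required):
    """A SAN entry satisfies a required name when identical, or when it is a wildcard
    whose suffix equals the required name minus its first label. So *.redmond.contoso.com
    covers portal.redmond.contoso.com but not *.blob.redmond.contoso.com."""
    san, required = san.lower(), required.lower()
    if san == required:
        return True
    if san.startswith("*.") and not required.startswith("*."):
        head, _, tail = required.partition(".")
        return bool(head) and tail == san[2:]
    return False

def missing_names(provided, region, fqdn, identity="AzureAD"):
    """Map each deployment folder to the required names its certificate lacks;
    an empty result means the certificate set is complete."""
    gaps = {}
    for folder, needed in required_names(region, fqdn, identity).items():
        sans = provided.get(folder, [])
        unmet = [n for n in needed if not any(name_matches(s, n) for s in sans)]
        if unmet:
            gaps[folder] = unmet
    return gaps

def password_is_complex(pw):
    """Page rule: at least 8 characters and at least three of the character classes."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw),
               any(c.isalpha() and not c.isupper() and not c.islower() for c in pw))
    return len(pw) >= 8 and sum(classes) >= 3
```

Feed `missing_names` a dict keyed by the folder names in the tables, each holding the SAN list read from the certificate you intend to copy there.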

Optional PaaS certificates

If you're planning to deploy the additional Azure Stack Hub PaaS services (such as SQL, MySQL, App Service, or Event Hubs) after Azure Stack Hub has been deployed and configured, you must request additional certificates to cover the endpoints of the PaaS services.

Important

The certificates that you use for resource providers must have the same root authority as those used for the global Azure Stack Hub endpoints.

The following table describes the endpoints and certificates required for resource providers. You don't need to copy these certificates to the Azure Stack Hub deployment folder. Instead, you provide these certificates during resource provider installation.

| Scope (per region) | Certificate | Required certificate subject and Subject Alternative Names (SANs) | Subdomain namespace |
|---|---|---|---|
| App Service | Web Traffic Default SSL Cert | *.appservice.<region>.<fqdn>, *.scm.appservice.<region>.<fqdn>, *.sso.appservice.<region>.<fqdn> (Multi Domain Wildcard SSL Certificate¹) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| App Service | API | api.appservice.<region>.<fqdn> (SSL Certificate²) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| App Service | FTP | ftp.appservice.<region>.<fqdn> (SSL Certificate²) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| App Service | SSO | sso.appservice.<region>.<fqdn> (SSL Certificate²) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| Event Hubs | SSL | *.eventhub.<region>.<fqdn> | eventhub.<region>.<fqdn> |
| IoT Hub | SSL | *.mgmtiothub.<region>.<fqdn> | mgmtiothub.<region>.<fqdn> |
| SQL, MySQL | SQL and MySQL | *.dbadapter.<region>.<fqdn> (Wildcard SSL Certificate) | dbadapter.<region>.<fqdn> |

¹ Requires one certificate with multiple wildcard subject alternative names. Multiple wildcard SANs on a single certificate might not be supported by all public certificate authorities.

² A *.appservice.<region>.<fqdn> wildcard certificate can't be used in place of these three certificates (api.appservice.<region>.<fqdn>, ftp.appservice.<region>.<fqdn>, and sso.appservice.<region>.<fqdn>). App Service explicitly requires the use of separate certificates for these endpoints.

Learn more

Learn how to generate PKI certificates for Azure Stack Hub deployment.

Next steps

Integrate AD FS identity with your Azure Stack Hub datacenter.