Prepare Azure Stack Hub PKI certificates for deployment or rotation

Note

This article pertains to the preparation of external certificates only, which are used to secure endpoints on external infrastructure and services. Internal certificates are managed separately, during the certificate rotation process.

The certificate files obtained from the certificate authority (CA) must be imported and exported with properties matching Azure Stack Hub's certificate requirements.

In this article you learn how to import, package, and validate external certificates, to prepare for Azure Stack Hub deployment or secrets rotation.

Prerequisites

Your system should meet the following prerequisites before packaging PKI certificates for an Azure Stack Hub deployment:

  • Certificates returned from the Certificate Authority are stored in a single directory, in .cer format (or one of the other configurable formats such as .cert, .sst or .pfx).
  • Windows 10, or Windows Server 2016 or later
  • Use the same system that generated the Certificate Signing Request (unless you're targeting certificates prepackaged into PFXs): the private key that matches the CSR exists only in that system's certificate store.

Continue to the appropriate Prepare certificates (Azure Stack readiness checker) or Prepare certificates (manual steps) section.

Prepare certificates (Azure Stack readiness checker)

Use these steps to package certificates using the Azure Stack readiness checker PowerShell cmdlets:

  1. Install the Azure Stack readiness checker module from a PowerShell prompt (5.1 or above), by running the following cmdlet:

        Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease
    
  2. Specify the Path to the certificate files. For example:

        $Path = "$env:USERPROFILE\Documents\AzureStack"
    
  3. Declare the pfxPassword. For example:

        $pfxPassword = Read-Host -AsSecureString -Prompt "PFX Password"
    
  4. Declare the ExportPath where the resulting PFXs will be exported to. For example:

        $ExportPath = "$env:USERPROFILE\Documents\AzureStack"
    
  5. Convert the certificates to Azure Stack Hub certificates. For example:

        ConvertTo-AzsPFX -Path $Path -pfxPassword $pfxPassword -ExportPath $ExportPath
    
  6. Review the output:

    ConvertTo-AzsPFX v1.2005.1286.272 started.
    
    Stage 1: Scanning Certificates
        Path: C:\Users\[*redacted*]\Documents\AzureStack Filter: CER Certificate count: 11
        adminmanagement_east_azurestack_contoso_com_CertRequest_20200710235648.cer
        adminportal_east_azurestack_contoso_com_CertRequest_20200710235645.cer
        management_east_azurestack_contoso_com_CertRequest_20200710235644.cer
        portal_east_azurestack_contoso_com_CertRequest_20200710235646.cer
        wildcard_adminhosting_east_azurestack_contoso_com_CertRequest_20200710235649.cer
        wildcard_adminvault_east_azurestack_contoso_com_CertRequest_20200710235642.cer
        wildcard_blob_east_azurestack_contoso_com_CertRequest_20200710235653.cer
        wildcard_hosting_east_azurestack_contoso_com_CertRequest_20200710235652.cer
        wildcard_queue_east_azurestack_contoso_com_CertRequest_20200710235654.cer
        wildcard_table_east_azurestack_contoso_com_CertRequest_20200710235650.cer
        wildcard_vault_east_azurestack_contoso_com_CertRequest_20200710235647.cer
    
    Detected ExternalFQDN: east.azurestack.contoso.com
    
    Stage 2: Exporting Certificates
        east.azurestack.contoso.com\Deployment\ARM Admin\ARMAdmin.pfx
        east.azurestack.contoso.com\Deployment\Admin Portal\AdminPortal.pfx
        east.azurestack.contoso.com\Deployment\ARM Public\ARMPublic.pfx
        east.azurestack.contoso.com\Deployment\Public Portal\PublicPortal.pfx
        east.azurestack.contoso.com\Deployment\Admin Extension Host\AdminExtensionHost.pfx
        east.azurestack.contoso.com\Deployment\KeyVaultInternal\KeyVaultInternal.pfx
        east.azurestack.contoso.com\Deployment\ACSBlob\ACSBlob.pfx
        east.azurestack.contoso.com\Deployment\Public Extension Host\PublicExtensionHost.pfx
        east.azurestack.contoso.com\Deployment\ACSQueue\ACSQueue.pfx
        east.azurestack.contoso.com\Deployment\ACSTable\ACSTable.pfx
        east.azurestack.contoso.com\Deployment\KeyVault\KeyVault.pfx
    
    Stage 3: Validating Certificates.
    
    Validating east.azurestack.contoso.com-Deployment-AAD certificates in C:\Users\[*redacted*]\Documents\AzureStack\east.azurestack.contoso.com\Deployment 
    
    Testing: KeyVaultInternal\KeyVaultInternal.pfx
    Thumbprint: E86699****************************4617D6
        PFX Encryption: OK
        Expiry Date: OK
        Signature Algorithm: OK
        DNS Names: OK
        Key Usage: OK
        Key Length: OK
        Parse PFX: OK
        Private Key: OK
        Cert Chain: OK
        Chain Order: OK
        Other Certificates: OK
    Testing: ARM Public\ARMPublic.pfx
        ...
    Log location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    ConvertTo-AzsPFX Completed
    

    Note

    For additional usage, run Get-Help ConvertTo-AzsPFX -Full; it covers options such as disabling validation or filtering for different certificate formats.

    Following a successful validation, the certificates can be presented for deployment or rotation without any additional steps.
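The Stage 3 output above lists the checks the readiness checker applies to each PFX. As an added example (not code from the original page or from the readiness checker module), the script below re-opens every PFX that ConvertTo-AzsPFX wrote and inspects the same properties independently, using only the PKI module and .NET classes that ship with Windows. It assumes $ExportPath and $pfxPassword are set as in steps 3 and 4; the 2048-bit RSA and SHA-256 thresholds it tests against are taken from Azure Stack Hub's published certificate requirements rather than from this page.

```powershell
# Added example, not part of the original page. Re-inspect each exported PFX with
# Get-PfxData (PKI module) and the .NET X509 classes. Assumes $ExportPath and
# $pfxPassword from steps 3 and 4 above. Key-length and signature thresholds are
# assumptions based on Azure Stack Hub's certificate requirements.

function Test-AzsPfxFile {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Get-PfxData splits the bundle into the end-entity certificate(s) and the issuer
    # certificates that were packed alongside them (the "Other Certificates" check).
    $pfx  = Get-PfxData -FilePath $PfxPath -Password $Password
    $leaf = $pfx.EndEntityCertificates | Select-Object -First 1

    $r = [ordered]@{ File = Split-Path -Path $PfxPath -Leaf }
    if (-not $leaf) {
        $r['PrivateKey'] = $false
        return [pscustomobject]$r
    }

    $r['Thumbprint']   = $leaf.Thumbprint
    $r['PrivateKey']   = $leaf.HasPrivateKey
    $r['DaysToExpiry'] = [int]($leaf.NotAfter - (Get-Date)).TotalDays
    $r['Sha256Signed'] = [bool]($leaf.SignatureAlgorithm.FriendlyName -match 'sha256')
    $r['KeyLength']    = $leaf.PublicKey.Key.KeySize        # RSA key size in bits
    $r['KeyLengthOK']  = $r['KeyLength'] -ge 2048             # assumption: 2048-bit minimum

    # DNS names come from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format($true) yields one "DNS Name=<host>" line per entry on an English Windows.
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dns = @()
    if ($san) {
        $dns = @(($san.Format($true) -split "`r?`n") | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }
    $r['DnsNames'] = $dns -join ', '

    # Build the chain from the certificates carried inside the PFX, so a missing
    # intermediate is caught here rather than on the deployment host.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($pfx.OtherCertificates) { $chain.ChainPolicy.ExtraStore.AddRange($pfx.OtherCertificates) }
    $r['ChainBuilds'] = $chain.Build($leaf)
    $r['ChainLength'] = $chain.ChainElements.Count
    $r['ChainStatus'] = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    $r['Issuer']      = $leaf.Issuer

    return [pscustomobject]$r
}

Get-ChildItem -Path $ExportPath -Filter *.pfx -Recurse |
    ForEach-Object { Test-AzsPfxFile -PfxPath $_.FullName -Password $pfxPassword } |
    Format-Table File, PrivateKey, DaysToExpiry, Sha256Signed, KeyLength, ChainBuilds, ChainStatus, DnsNames -AutoSize
```

A row with PrivateKey false, ChainBuilds false, or a wildcard missing from DnsNames points at the input .cer or the CA's chain rather than at the packaging step, which is where you want to find it before a deployment or rotation starts. The chain is built against this host's root store, so run it on the machine whose trust you expect the Azure Stack Hub environment to share.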

Prepare certificates (manual steps)

Use these steps to package new Azure Stack Hub PKI certificates manually.

Import the certificate

  1. Copy the original certificate versions obtained from your CA of choice into a directory on the deployment host.

    Warning

    Don't copy files that have already been imported, exported, or altered in any way from the files provided directly by the CA.

  2. Right-click on the certificate and select Install Certificate or Install PFX, depending on how the certificate was delivered from your CA.

  3. In the Certificate Import Wizard, select Local Machine as the import location. Select Next. On the following screen, select Next again.

    (Screenshot: Local Machine import location for the certificate)

  4. Choose Place all certificates in the following store and then select Enterprise Trust as the location. Select OK to close the certificate store selection dialog box and then select Next.

    (Screenshot: configuring the certificate store for the certificate import)

    a. If you're importing a PFX, you'll be presented with an additional dialog. On the Private key protection page, enter the password for your certificate files and then enable the Mark this key as exportable option, allowing you to back up or transport your keys later. Select Next.

    (Screenshot: Mark this key as exportable)

  5. Select Finish to complete the import.

Note

After you import a certificate for Azure Stack Hub, the private key of the certificate is stored as a PKCS 12 file (PFX) on clustered storage.

Export the certificate

Open the Certificate Manager MMC console and connect to the Local Machine certificate store.

  1. Open the Microsoft Management Console. To open the console in Windows 10, right-click on the Start menu, select Run, then type mmc and press Enter.

  2. Select File > Add/Remove Snap-in, then select Certificates and select Add.

    (Screenshot: adding the Certificates snap-in in the Microsoft Management Console)

  3. Select Computer account, then select Next. Select Local computer and then Finish. Select OK to close the Add/Remove Snap-in page.

    (Screenshot: selecting the account for the Certificates snap-in in the Microsoft Management Console)

  4. Browse to Certificates > Enterprise Trust > Certificates. Verify that you see your certificate on the right.

  5. From the Certificate Manager console taskbar, select Actions > All Tasks > Export. Select Next.

    Note

    Depending on how many Azure Stack Hub certificates you have, you may need to complete this process more than once.

  6. Select Yes, export the private key, and then select Next.

  7. In the Export File Format section:

    • Select Include all certificates in the certification path if possible.

    • Select Export all extended properties.

    • Select Enable certificate privacy.

    • Select Next.

      (Screenshot: Certificate Export Wizard with the selected options)

  8. Select Password and provide a password for the certificates. Create a password that meets the following complexity requirements:

    • A minimum length of eight characters.
    • At least three of the following character classes: uppercase letters, lowercase letters, digits 0-9, special characters, alphabetical characters that are neither uppercase nor lowercase.

    Make note of this password. You'll use it as a deployment parameter.

  9. Select Next.

  10. Choose a file name and location for the PFX file to export. Select Next.

  11. Select Finish.

Next steps

Validate PKI certificates
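The import and export wizards above can be driven from PowerShell, which is easier to repeat for the eleven or so certificates an environment needs. The script below is an added example, not code from the original page, and makes these assumptions: $CertDir holds the .cer files exactly as the CA delivered them, $ExportPath is the output directory, and it runs elevated on the host that generated the CSRs, because that is where the private keys live. Cert:\LocalMachine\Trust is the store the wizard labels Enterprise Trust. The Test-PfxPasswordComplexity function encodes the rules from step 8.

```powershell
# Added example, not part of the original page. Import CA-issued .cer files into
# Enterprise Trust and export them as password-protected PFXs with private key and
# chain. Assumes $CertDir, $ExportPath, and an elevated session on the CSR host.

function Test-PfxPasswordComplexity {
    # Step 8 rules: at least eight characters and at least three of the five classes.
    param([Parameter(Mandatory)] [string] $Password)

    if ($Password.Length -lt 8) { return $false }
    $chars   = $Password.ToCharArray()
    $classes = 0
    if (@($chars | Where-Object { [char]::IsUpper($_) }).Count -gt 0) { $classes++ }
    if (@($chars | Where-Object { [char]::IsLower($_) }).Count -gt 0) { $classes++ }
    if (@($chars | Where-Object { [char]::IsDigit($_) }).Count -gt 0) { $classes++ }
    if (@($chars | Where-Object { -not [char]::IsLetterOrDigit($_) }).Count -gt 0) { $classes++ }
    # Fifth class: letters that have no case (for example CJK ideographs).
    if (@($chars | Where-Object {
            [char]::IsLetter($_) -and -not [char]::IsUpper($_) -and -not [char]::IsLower($_)
        }).Count -gt 0) { $classes++ }
    return ($classes -ge 3)
}

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX Password'
$plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
if (-not (Test-PfxPasswordComplexity -Password $plain)) {
    throw 'The PFX password does not meet the complexity requirements in step 8.'
}
Remove-Variable plain

# Import (steps 2-5): every CA-issued .cer goes into Enterprise Trust on the local machine.
$imported = foreach ($cer in Get-ChildItem -Path $CertDir -Filter *.cer) {
    Import-Certificate -FilePath $cer.FullName -CertStoreLocation Cert:\LocalMachine\Trust
}

# Export (steps 6-11): private key, full chain where available, extended properties
# (the cmdlet's default), protected with the password above.
foreach ($cert in $imported) {
    if (-not $cert.HasPrivateKey) {
        # A .cer carries only the public half. certutil -repairstore searches the
        # machine key containers for the key generated with the CSR and relinks it.
        certutil -repairstore Trust $cert.Thumbprint | Out-Null
        $cert = Get-Item -Path "Cert:\LocalMachine\Trust\$($cert.Thumbprint)"
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key found for $($cert.Subject); was the CSR generated on this host?"
        continue
    }

    # File name from the first DNS name, e.g. *.blob.east.contoso.com -> blob_east_contoso_com.pfx
    $name = ($cert.GetNameInfo('DnsName', $false) -replace '[^A-Za-z0-9]', '_').Trim('_')
    $out  = Join-Path -Path $ExportPath -ChildPath "$name.pfx"

    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword -ChainOption BuildChain | Out-Null
    Write-Host "Exported $out  ($($cert.Thumbprint))"
}
```

-ChainOption BuildChain corresponds to the wizard's "Include all certificates in the certification path if possible": the intermediates are pulled from the local stores at export time, so a chain that is incomplete on this host produces a PFX that is incomplete for Azure Stack Hub. Export-PfxCertificate includes extended properties unless -NoProperties is given, which matches "Export all extended properties" in step 7.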