Fix common issues with Azure Stack Hub PKI certificates

The information in this article helps you understand and resolve common issues with Azure Stack Hub PKI certificates. You discover these issues when you use the Azure Stack Hub Readiness Checker tool to validate Azure Stack Hub PKI certificates. The tool checks whether the certificates meet the PKI requirements of an Azure Stack Hub deployment and of Azure Stack Hub secret rotation, and then logs the results to a report.json file.

PFX Encryption

Issue - PFX encryption isn't TripleDES-SHA1.

Fix - Export PFX files with TripleDES-SHA1 encryption. This is the default encryption for Windows 10 clients when exporting from the certificate snap-in or using Export-PfxCertificate; on builds whose PKI module offers it, Export-PfxCertificate can also be told explicitly with -CryptoAlgorithmOption TripleDES_SHA1.

Read PFX

Warning - The PFX password only protects the private information (the private key) in the package; the certificates themselves are stored unencrypted.

Fix - Export PFX files with the optional setting Enable certificate privacy selected, so the certificates are encrypted as well.

Issue - PFX file invalid.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment.

Signature algorithm

Issue - Signature algorithm is SHA1.

Fix - Use the steps in Azure Stack Hub certificates signing request generation to regenerate the certificate signing request (CSR) with the SHA256 signature algorithm. Then resubmit the CSR to the certificate authority to reissue the certificate.

Private key

Issue - The private key is missing or doesn't contain the local machine attribute.

Fix - From the computer that generated the CSR, re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment. These steps include exporting from the local machine certificate store, which is what gives the key the local machine attribute.

Certificate chain

Issue - Certificate chain isn't complete.

Fix - Certificates should contain a complete certificate chain. Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment and select the option Include all certificates in the certification path if possible.

DNS names

Issue - The DNSNameList on the certificate doesn't contain the Azure Stack Hub service endpoint name or a valid wildcard match. A wildcard only matches the left-most label of a DNS name. For example, *.region.domain.com is valid for portal.region.domain.com, but not for *.table.region.domain.com.

Fix - Use the steps in Azure Stack Hub certificates signing request generation to regenerate the CSR with the correct DNS names to support the Azure Stack Hub endpoints. Resubmit the CSR to a certificate authority. Then follow the steps in Prepare Azure Stack Hub PKI certificates for deployment to export the certificate from the machine that generated the CSR.

Key usage

Issue - Key usage is missing digital signature or key encipherment, or enhanced key usage is missing server authentication or client authentication.

Fix - Use the steps in Azure Stack Hub certificates signing request generation to regenerate the CSR with the correct key usage attributes. Resubmit the CSR to the certificate authority and confirm that a certificate template isn't overriding the key usage requested in the CSR.

Key size

Issue - Key size is smaller than 2048.

Fix - Use the steps in Azure Stack Hub certificates signing request generation to regenerate the CSR with the correct key length (2048), and then resubmit the CSR to the certificate authority.

Chain order

Issue - The order of the certificate chain is incorrect.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment and select the option Include all certificates in the certification path if possible. Ensure that only the leaf certificate is selected for export; the chain is added by the export option, not by selecting the CA certificates.

Other certificates

Issue - The PFX package contains certificates that aren't the leaf certificate or part of its certificate chain.

Fix - Re-export the certificate using the steps in Prepare Azure Stack Hub PKI certificates for deployment, and select the option Include all certificates in the certification path if possible. Ensure that only the leaf certificate is selected for export.
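The following script is an added example and is not part of the Azure Stack Hub documentation or of the AzsReadinessChecker module. It opens a PFX with the .NET X.509 classes and reports the leaf-certificate problems described above (signature algorithm, key size, key usage and EKU, DNS names including the left-most-label wildcard rule, chain completeness and extra certificates in the package). PFX encryption, the private key's local machine attribute and chain order are left to the Readiness Checker. The file path, the prompt text and the endpoint names passed to -RequiredDnsNames are assumptions for illustration; the SAN parsing assumes the English "DNS Name=" label that .NET's extension formatter produces on English Windows.

```powershell
# Added example (not Azure Stack Hub or AzsReadinessChecker code). Paths, prompt text and
# endpoint names are assumptions. EphemeralKeySet needs .NET Framework 4.7.2+ or PowerShell 7.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-WildcardDnsMatch {
    # A wildcard covers exactly one label in the left-most position:
    # *.region.domain.com matches portal.region.domain.com, not *.table.region.domain.com.
    param([string]$Pattern, [string]$Name)
    if (-not $Pattern.StartsWith('*.')) { return ($Pattern -ieq $Name) }
    $suffix = $Pattern.Substring(1)                                   # ".region.domain.com"
    if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $leftmost = $Name.Substring(0, $Name.Length - $suffix.Length)
    return ($leftmost.Length -gt 0 -and $leftmost -notmatch '[.*]') # one plain label only
}

function Get-PfxFindings {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password,
        [string[]]$RequiredDnsNames = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $bag = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
    $bag.Import((Resolve-Path $PfxPath).Path, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet)

    # The leaf is the one certificate that carries the private key.
    $leaf = @($bag | Where-Object HasPrivateKey)
    if ($leaf.Count -ne 1) {
        $findings.Add("Expected one certificate with a private key, found $($leaf.Count)")
        return $findings
    }
    $leaf = $leaf[0]

    # Chain: build it offline, then require every chain element to be inside the PFX and
    # every PFX certificate to be the leaf or part of the chain ("Other certificates").
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $chain.ChainPolicy.ExtraStore.AddRange($bag)
    [void]$chain.Build($leaf)
    if ($chain.ChainStatus | Where-Object { $_.Status -band 'PartialChain' }) {
        $findings.Add('Certificate chain is incomplete (PartialChain)')
    }
    $chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })
    $bagThumbs   = @($bag | ForEach-Object Thumbprint)
    foreach ($t in $chainThumbs) { if ($bagThumbs -notcontains $t) { $findings.Add("Chain certificate $t is not in the PFX") } }
    foreach ($t in $bagThumbs)   { if ($chainThumbs -notcontains $t) { $findings.Add("PFX contains $t, which is neither the leaf nor in its chain") } }

    # Signature algorithm and key size.
    $sigAlg = $leaf.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match 'sha1') { $findings.Add("Signature algorithm is $sigAlg; SHA256 is required") }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($leaf)
    if ($null -eq $rsa) { $findings.Add('Public key is not RSA; key size check skipped') }
    elseif ($rsa.KeySize -lt 2048) { $findings.Add("Key size is $($rsa.KeySize); at least 2048 is required") }

    # Key usage must contain DigitalSignature and KeyEncipherment; EKU must contain both auth OIDs.
    $ku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $needKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $needKu) -ne $needKu)) {
        $findings.Add('Key usage must include DigitalSignature and KeyEncipherment')
    }
    $eku = $leaf.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @(); if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object Value) }
    foreach ($need in @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }.GetEnumerator()) {
        if ($ekuOids -notcontains $need.Key) { $findings.Add("Enhanced key usage is missing $($need.Value) ($($need.Key))") }
    }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($san) {  # assumes the English "DNS Name=" label in the formatted extension text
        $dnsNames = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    foreach ($endpoint in $RequiredDnsNames) {
        $covered = $false
        foreach ($n in $dnsNames) { if (Test-WildcardDnsMatch -Pattern $n -Name $endpoint) { $covered = $true; break } }
        if (-not $covered) { $findings.Add("DNSNameList does not cover $endpoint (present: $($dnsNames -join ', '))") }
    }
    return $findings
}

# Usage (paths and endpoint names are placeholders for the deployment's region and domain).
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$findings = Get-PfxFindings -PfxPath .\certificates\ssl.pfx -Password $password -RequiredDnsNames @(
    'portal.region.domain.com', 'adminportal.region.domain.com', '*.table.region.domain.com')
if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Because the chain is built with the PFX's own certificates in ExtraStore, a package that omits an intermediate is reported as incomplete even on a machine whose stores would have supplied it, which is the condition the deployment tooling actually cares about. The wildcard test deliberately rejects `*.region.domain.com` as cover for `*.table.region.domain.com`, matching the rule stated in the DNS names section.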

Fix common packaging issues

The AzsReadinessChecker tool contains a helper cmdlet called Repair-AzsPfxCertificate, which imports and then re-exports a PFX file to fix common packaging issues, including:

  • PFX encryption isn't TripleDES-SHA1.
  • Private key is missing the local machine attribute.
  • Certificate chain is incomplete or wrong. The local machine must contain the certificate chain if the PFX package doesn't.
  • Other certificates.

Repair-AzsPfxCertificate can't help if you need to generate a new CSR and reissue a certificate.

Prerequisites

The following prerequisites must be in place on the computer on which the tool runs:

Import and export an existing PFX file

  1. On a computer that meets the prerequisites, open an elevated PowerShell prompt, and then run the following command to install the Azure Stack Hub Readiness Checker:

    Install-Module Microsoft.AzureStack.ReadinessChecker -Force
    
  2. From the PowerShell prompt, run the following cmdlet to capture the PFX password as a secure string. PFXpassword is only the prompt text; type the actual password when prompted:

    $password = Read-Host -Prompt PFXpassword -AsSecureString
    
  3. From the PowerShell prompt, run the following command to export a new PFX file:

    • For -PfxPath, specify the path to the PFX file you're working with. In the following example, the path is .\certificates\ssl.pfx.
    • For -ExportPFXPath, specify the location and name of the PFX file to export. In the following example, the path is .\certificates\ssl_new.pfx:
    Repair-AzsPfxCertificate -PfxPassword $password -PfxPath .\certificates\ssl.pfx -ExportPFXPath .\certificates\ssl_new.pfx
    
  4. After the tool completes, review the output for success:

    Repair-AzsPfxCertificate v1.1809.1005.1 started.
    Starting Azure Stack Hub Certificate Import/Export
    Importing PFX .\certificates\ssl.pfx into Local Machine Store
    Exporting certificate to .\certificates\ssl_new.pfx
    Export complete. Removing certificate from the local machine store.
    Removal complete.
    Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log
    Repair-AzsPfxCertificate Completed
    
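The round trip that the helper cmdlet performs (import into the LocalMachine store, export with the chain, remove the staged copy) can also be done by hand with the built-in PKI cmdlets. The script below is an added example, not the AzsReadinessChecker module's own code and not a description of its internals; the file paths and prompt text are assumptions, and -CryptoAlgorithmOption is assumed to be available in the PKI module on the Windows build in use.

```powershell
# Added example (not AzsReadinessChecker code): manual import/export that yields a PFX with
# the local machine attribute, the full chain and TripleDES-SHA1 encryption. Run elevated.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$password  = Read-Host -Prompt 'PFX password' -AsSecureString   # prompt text is an assumption
$source    = '.\certificates\ssl.pfx'                             # assumed input path
$target    = '.\certificates\ssl_new.pfx'                         # assumed output path
$storePath = 'Cert:\LocalMachine\My'

# Staging in the LocalMachine store is what gives the exported key the local machine attribute.
$cert = Import-PfxCertificate -FilePath $source -CertStoreLocation $storePath -Password $password -Exportable

try {
    # Same precondition as the tool: if the PFX lacks the chain, the local machine must hold it,
    # otherwise BuildChain has nothing to add. Check before exporting rather than after.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($cert)
    if ($chain.ChainStatus | Where-Object { $_.Status -band 'PartialChain' }) {
        throw "No complete chain for $($cert.Thumbprint) on this machine; import the issuing CA certificates first."
    }

    # -ChainOption BuildChain is the cmdlet form of "Include all certificates in the certification
    # path"; -Cert is the leaf only, so no stray certificates end up in the package.
    Export-PfxCertificate -Cert $cert -FilePath $target -Password $password `
        -ChainOption BuildChain -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null
    "Exported $target"
}
finally {
    # Never leave the staged private key behind in the machine store.
    Remove-Item -Path "$storePath\$($cert.Thumbprint)" -DeleteKey
}
```

Run Get-PfxCertificate or the Readiness Checker against the new file afterwards; the re-export fixes packaging only, and a SHA1 signature, a short key or a missing DNS name still requires a new CSR, as the text above notes.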

Next steps