验证 Azure Stack Hub PKI 证书Validate Azure Stack Hub PKI certificates
可从 PowerShell 库获取本文所述的 Azure Stack Hub 就绪性检查器工具。The Azure Stack Hub Readiness Checker tool described in this article is available from the PowerShell Gallery. 使用该工具可以验证生成的公钥基础结构 (PKI) 证书是否适用于前期部署。Use the tool to validate that generated public key infrastructure (PKI) certificates are suitable for pre-deployment. 请留出足够的时间来验证证书,以测试证书并在必要时重新颁发证书。Validate certificates by leaving enough time to test and reissue certificates if necessary.
就绪性检查器工具执行以下证书验证:The Readiness Checker tool performs the following certificate validations:
- 分析 PFXParse PFX
检查 PFX 文件是否有效且密码正确,以及公开的信息是否受密码保护。Checks for valid PFX file, correct password, and whether the public information is protected by the password. - 到期日期Expiry Date
检查最短有效期是否为 7 天。Checks for minimum validity of seven days. - 签名算法Signature algorithm
检查签名算法是否不是 SHA1。Checks that the signature algorithm isn't SHA1. - 私钥Private Key
检查私钥是否存在,并且已连同“本地计算机”属性一起导出。Checks that the private key is present and is exported with the local machine attribute. - 证书链Cert chain
检查证书链是否完整,包括自签名证书。Checks certificate chain is intact including a check for self-signed certificates. - DNS 名称DNS names
检查 SAN 是否包含每个终结点的相关 DNS 名称,或支持性的通配符是否存在。Checks the SAN contains relevant DNS names for each endpoint or if a supporting wildcard is present. - 密钥用法Key usage
检查密钥用法是否包含数字签名和密钥加密,并检查增强型密钥用法是否包含服务器身份验证和客户端身份验证。Checks if the key usage contains a digital signature and key encipherment and checks if enhanced key usage contains server authentication and client authentication. - 密钥大小Key size
检查密钥大小是否为 2048 或更大。Checks if the key size is 2048 or larger. - 链序Chain order
检查其他证书的顺序,验证顺序是否正确。Checks the order of the other certificates validating that the order is correct. - 其他证书Other certificates
确保除了相关叶证书及其链以外,PFX 中未打包其他证书。Ensure no other certificates have been packaged in PFX other than the relevant leaf certificate and its chain.
重要
PKI 证书是一个 PFX 文件,其密码应被视为敏感信息。The PKI certificate is a PFX file and password should be treated as sensitive information.
先决条件Prerequisites
在验证用于 Azure Stack Hub 部署的 PKI 证书之前,系统应符合以下先决条件:Your system should meet the following prerequisites before validating PKI certificates for an Azure Stack Hub deployment:
- Azure Stack Hub 就绪性检查器。Azure Stack Hub Readiness Checker.
- 按照准备说明导出的 SSL 证书。SSL Certificate(s) exported following the preparation instructions.
- DeploymentData.json。DeploymentData.json.
- Windows 10 或 Windows Server 2016。Windows 10 or Windows Server 2016.
执行核心服务证书验证Perform core services certificate validation
使用以下步骤来验证用于部署和机密轮换的 Azure Stack Hub PKI 证书:Use these steps to validate the Azure Stack Hub PKI certificates for deployment and secret rotation:
在 PowerShell 提示符(5.1 或更高版本)下,运行以下 cmdlet 安装 AzsReadinessChecker:Install AzsReadinessChecker from a PowerShell prompt (5.1 or above) by running the following cmdlet:
Install-Module Microsoft.AzureStack.ReadinessChecker -Force -AllowPrerelease创建证书目录结构。Create the certificate directory structure. 在以下示例中,可将
<C:\Certificates\Deployment>更改为所选的新目录路径。In the example below, you can change<C:\Certificates\Deployment>to a new directory path of your choice.New-Item C:\Certificates\Deployment -ItemType Directory $directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal' $destination = 'C:\Certificates\Deployment' $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}备注
如果使用 AD FS 作为标识系统,则需要 AD FS 和 Graph。AD FS and Graph are required if you're using AD FS as your identity system. 例如:For example:
$directories = 'ACSBlob', 'ACSQueue', 'ACSTable', 'ADFS', 'Admin Extension Host', 'Admin Portal', 'ARM Admin', 'ARM Public', 'Graph', 'KeyVault', 'KeyVaultInternal', 'Public Extension Host', 'Public Portal'- 将证书放入上一步骤中创建的相应目录。Place your certificate(s) in the appropriate directories created in the previous step. 例如:For example:
C:\Certificates\Deployment\ACSBlob\CustomerCertificate.pfxC:\Certificates\Deployment\Admin Portal\CustomerCertificate.pfxC:\Certificates\Deployment\ARM Admin\CustomerCertificate.pfx
- 将证书放入上一步骤中创建的相应目录。Place your certificate(s) in the appropriate directories created in the previous step. 例如:For example:
在 PowerShell 窗口中,更改
RegionName、FQDN和IdentitySystem的值使其适合 Azure Stack Hub 环境,然后运行以下 cmdlet:In the PowerShell window, change the values ofRegionName,FQDNandIdentitySystemappropriate to the Azure Stack Hub environment and run the following cmdlet:$pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString Invoke-AzsHubDeploymentCertificateValidation -CertificatePath C:\Certificates\Deployment -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD检查输出,确保所有证书通过所有测试。Check the output and ensure that all certificates pass all tests. 例如:For example:
Invoke-AzsHubDeploymentCertificateValidation v1.2005.1286.272 started. Testing: KeyVaultInternal\KeyVaultInternal.pfx Thumbprint: E86699****************************4617D6 PFX Encryption: OK Expiry Date: OK Signature Algorithm: OK DNS Names: OK Key Usage: OK Key Length: OK Parse PFX: OK Private Key: OK Cert Chain: OK Chain Order: OK Other Certificates: OK Testing: ARM Public\ARMPublic.pfx Thumbprint: 8DC4D9****************************69DBAA PFX Encryption: OK Expiry Date: OK Signature Algorithm: OK DNS Names: OK Key Usage: OK Key Length: OK Parse PFX: OK Private Key: OK Cert Chain: OK Chain Order: OK Other Certificates: OK Testing: Admin Portal\AdminPortal.pfx Thumbprint: 6F9055****************************4AC0EA PFX Encryption: OK Expiry Date: OK Signature Algorithm: OK DNS Names: OK Key Usage: OK Key Length: OK Parse PFX: OK Private Key: OK Cert Chain: OK Chain Order: OK Other Certificates: OK Testing: Public Portal\PublicPortal.pfx Log location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log Report location (contains PII): C:\Users\[*redacted*]\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json Invoke-AzsHubDeploymentCertificateValidation Completed若要验证其他 Azure Stack Hub 服务的证书,请更改
-CertificateType的值。To validate certificates for other Azure Stack Hub services, change the value for-CertificateType. 例如:For example:# App Services Invoke-AzsHubAppServicesCertificateValidation -CertificatePath C:\Certificates\AppServices -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com # DBAdapter Invoke-AzsHubDBAdapterCertificateValidation -CertificatePath C:\Certificates\DBAdapter -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com # EventHubs Invoke-AzsHubEventHubsCertificateValidation -CertificatePath C:\Certificates\EventHubs -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com # IoTHub Invoke-AzsHubIoTHubCertificateValidation -CertificatePath C:\Certificates\IoTHub -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com每个文件夹应包含一个与证书类型对应的 PFX 文件。Each folder should contain a single PFX file for the certificate type. 如果某个证书类型具有多证书要求,则预期每个证书都有一个嵌套的文件夹,这些文件夹的名称区分大小写。If a certificate type has multi-certificate requirements, nested folders for each individual certificate are expected and name-sensitive. 以下代码显示了所有证书类型的示例文件夹/证书结构,以及
-CertificateType和-CertificatePath的相应值。The following code shows an example folder/certificate structure for all certificate types, and the appropriate value for-CertificateTypeand-CertificatePath.C:\>tree c:\SecretStore /A /F Folder PATH listing Volume serial number is 85AE-DF2E C:\SECRETSTORE \---AzureStack +---CertificateRequests \---Certificates +---AppServices # Invoke-AzsCertificateValidation ` | +---API # -CertificateType AppServices ` | | api.pfx # -CertificatePath C:\Certificates\AppServices | | | +---DefaultDomain | | wappsvc.pfx | | | +---Identity | | sso.pfx | | | \---Publishing | ftp.pfx | +---DBAdapter # Invoke-AzsCertificateValidation ` | dbadapter.pfx # -CertificateType DBAdapter ` | # -CertificatePath C:\Certificates\DBAdapter | +---Deployment # Invoke-AzsCertificateValidation ` | +---ACSBlob # -CertificateType Deployment ` | | acsblob.pfx # -CertificatePath C:\Certificates\Deployment | | | +---ACSQueue | | acsqueue.pfx ./. ./. ./. ./. ./. ./. ./. <- Deployment certificate tree trimmed. | \---Public Portal | portal.pfx | +---EventHubs # Invoke-AzsCertificateValidation ` | eventhubs.pfx # -CertificateType EventHubs ` | # -CertificatePath C:\Certificates\EventHubs | \---IoTHub # Invoke-AzsCertificateValidation ` iothub.pfx # -CertificateType IoTHub ` # -CertificatePath C:\Certificates\IoTHub
已知问题Known issues
症状:跳过了测试Symptom: Tests are skipped
原因: 如果不符合依赖关系,AzsReadinessChecker 会跳过某些测试:Cause: AzsReadinessChecker skips certain tests if a dependency isn't met:
如果证书链出错,则会跳过其他证书。Other certificates are skipped if certificate chain fails.
Testing: ACSBlob\singlewildcard.pfx Read PFX: OK Signature Algorithm: OK Private Key: OK Cert Chain: OK DNS Names: Fail Key Usage: OK Key Size: OK Chain Order: OK Other Certificates: Skipped Details: The certificate records '*.east.azurestack.contoso.com' do not contain a record that is valid for '*.blob.east.azurestack.contoso.com'. Please refer to the documentation for how to create the required certificate file. The Other Certificates check was skipped because Cert Chain and/or DNS Names failed. Follow the guidance to remediate those issues and recheck. Log location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessChecker.log Report location (contains PII): C:\Users\username\AppData\Local\Temp\AzsReadinessChecker\AzsReadinessCheckerReport.json Invoke-AzsCertificateValidation Completed
解决方法:遵循针对每个证书的每组测试下的详细信息部分中的工具指导。Resolution: Follow the tool's guidance in the details section under each set of tests for each certificate.
症状:尽管已将 HTTP CDP 写入 x509 扩展,HTTP CRL 检查仍失败。Symptom: HTTP CRL Checking fails despite having an HTTP CDP written to x509 extensions.
原因: 目前,AzsReadinessChecker 无法以某些语言检查 HTTP CDP。Cause: Currently, AzsReadinessChecker can't check for HTTP CDP in some languages.
解决方法:将 OS 语言设置为 EN-US,然后运行验证。Resolution: Run validation with OS language set to EN-US.
证书Certificates
| DirectoryDirectory | 证书Certificate |
|---|---|
| ACSBlobACSBlob | wildcard_blob_<region>_<externalFQDN> |
| ACSQueueACSQueue | wildcard_queue_<region>_<externalFQDN> |
| ACSTableACSTable | wildcard_table_<region>_<externalFQDN> |
| 管理扩展主机Admin Extension Host | wildcard_adminhosting_<region>_<externalFQDN> |
| 管理门户Admin Portal | adminportal_<region>_<externalFQDN> |
| ARM AdminARM Admin | adminmanagement_<region>_<externalFQDN> |
| ARM PublicARM Public | management_<region>_<externalFQDN> |
| KeyVaultKeyVault | wildcard_vault_<region>_<externalFQDN> |
| KeyVaultInternalKeyVaultInternal | wildcard_adminvault_<region>_<externalFQDN> |
| 公共扩展主机Public Extension Host | wildcard_hosting_<region>_<externalFQDN> |
| 公共门户Public Portal | portal_<region>_<externalFQDN> |
使用已验证的证书Using validated certificates
AzsReadinessChecker 验证证书后,便可在 Azure Stack Hub 部署中使用这些证书,或者将其用于 Azure Stack Hub 机密轮换。Once your certificates are validated by the AzsReadinessChecker, you're ready to use them in your Azure Stack Hub deployment or for Azure Stack Hub secret rotation.
- 对于部署,请根据 Azure Stack Hub PKI 要求文档中的规定,安全地将证书传送给部署工程师,使他们能够将其复制到部署主机。For deployment, securely transfer your certificates to your deployment engineer so that they can copy them onto the deployment host as specified in the Azure Stack Hub PKI requirements documentation.
- 对于机密轮换,可以遵循 Azure Stack Hub 机密轮换文档,使用这些证书来更新 Azure Stack Hub 环境公共基础结构终结点的旧证书。For secret rotation, you can use the certificates to update old certificates for your Azure Stack Hub environment's public infrastructure endpoints by following the Azure Stack Hub Secret Rotation documentation.
- 对于 PaaS 服务,可以按照在 Azure Stack Hub 中提供服务概述文档,使用证书在 Azure Stack Hub 中安装 SQL、MySQL 和应用程序服务资源提供程序。For PaaS services, you can use the certificates to install SQL, MySQL, and App Services Resource Providers in Azure Stack Hub by following the Overview of offering services in Azure Stack Hub documentation.