Configuring TLS for an application in Azure

Transport Layer Security (TLS), previously known as Secure Socket Layer (SSL) encryption, is the most commonly used method of securing data sent across the internet. This common task discusses how to specify an HTTPS endpoint for a web role and how to upload a TLS/SSL certificate to secure your application.

Note

The procedures in this task apply to Azure Cloud Services; for App Services, see this article.

This task uses a production deployment. Information on using a staging deployment is provided at the end of this topic.

Read this article first if you have not yet created a cloud service.

Step 1: Get a TLS/SSL certificate

To configure TLS for an application, you first need to get a TLS/SSL certificate that has been signed by a Certificate Authority (CA), a trusted third party that issues certificates for this purpose. If you do not already have one, you need to obtain one from a company that sells TLS/SSL certificates.

The certificate must meet the following requirements for TLS/SSL certificates in Azure:

  • The certificate must contain a public key.
  • The certificate must be created for key exchange and be exportable to a Personal Information Exchange (.pfx) file.
  • The certificate's subject name must match the domain used to access the cloud service. You cannot obtain a TLS/SSL certificate from a certificate authority (CA) for the chinacloudapp.cn domain. You must acquire a custom domain name to use when accessing your service. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used to access your application. For example, if your custom domain name is contoso.com, you would request a certificate from your CA for *.contoso.com or www.contoso.com.
  • The certificate must use a minimum of 2048-bit encryption.

For test purposes, you can create and use a self-signed certificate. A self-signed certificate is not authenticated through a CA and can use the chinacloudapp.cn domain as the website URL. For example, the following task uses a self-signed certificate in which the common name (CN) used in the certificate is sslexample.chinacloudapp.cn.

Next, you must include information about the certificate in your service definition and service configuration files.

Step 2: Modify the service definition and configuration files

Your application must be configured to use the certificate, and an HTTPS endpoint must be added. As a result, the service definition and service configuration files need to be updated.

  1. In your development environment, open the service definition file (CSDEF), add a Certificates section within the WebRole section, and include the following information about the certificate (and intermediate certificates):

     <WebRole name="CertificateTesting" vmsize="Small">
     ...
         <Certificates>
             <Certificate name="SampleCertificate"
                         storeLocation="LocalMachine"
                         storeName="My"
                         permissionLevel="limitedOrElevated" />
             <!-- IMPORTANT! Unless your certificate is either
             self-signed or signed directly by the CA root, you
             must include all the intermediate certificates
             here. You must list them here, even if they are
             not bound to any endpoints. Failing to list any of
             the intermediate certificates may cause hard-to-reproduce
             interoperability problems on some clients.-->
             <Certificate name="CAForSampleCertificate"
                         storeLocation="LocalMachine"
                         storeName="CA"
                         permissionLevel="limitedOrElevated" />
         </Certificates>
     ...
     </WebRole>
    

    The Certificates section defines the name of the certificate, its location, and the name of the store where it is located.

    Permissions (the permissionLevel attribute) can be set to one of the following values:

    Permission value      Description
    limitedOrElevated     (Default) All role processes can access the private key.
    elevated              Only elevated processes can access the private key.
  2. In your service definition file, add an InputEndpoint element within the Endpoints section to enable HTTPS:

     <WebRole name="CertificateTesting" vmsize="Small">
     ...
         <Endpoints>
             <InputEndpoint name="HttpsIn" protocol="https" port="443"
                 certificate="SampleCertificate" />
         </Endpoints>
     ...
     </WebRole>
    
  3. In your service definition file, add a Binding element within the Sites section. This element adds an HTTPS binding to map the endpoint to your site:

     <WebRole name="CertificateTesting" vmsize="Small">
     ...
         <Sites>
             <Site name="Web">
                 <Bindings>
                     <Binding name="HttpsIn" endpointName="HttpsIn" />
                 </Bindings>
             </Site>
         </Sites>
     ...
     </WebRole>
    

    All the required changes to the service definition file have been completed, but you still need to add the certificate information to the service configuration file.

  4. In your service configuration file (CSCFG), ServiceConfiguration.Cloud.cscfg, add a Certificates section with the values of your certificate. The following code sample shows the Certificates section; substitute the thumbprint values of your own certificates.

     <Role name="Deployment">
     ...
         <Certificates>
             <Certificate name="SampleCertificate"
                 thumbprint="9427befa18ec6865a9ebdc79d4c38de50e6316ff"
                 thumbprintAlgorithm="sha1" />
             <Certificate name="CAForSampleCertificate"
                 thumbprint="79d4c38de50e6316ff9427befa18ec6865a9ebdc"
                 thumbprintAlgorithm="sha1" />
         </Certificates>
     ...
     </Role>
    

(This example uses sha1 for the thumbprint algorithm. Specify the appropriate value for your certificate's thumbprint algorithm.)

Now that the service definition and service configuration files have been updated, package your deployment for uploading to Azure. If you are using cspack, don't use the /generateConfigurationFile flag, as that will overwrite the certificate information you just inserted.
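Because a regenerated or hand-edited CSCFG can silently drop a certificate entry (the intermediate CA entry is the usual casualty), it is worth cross-checking the two files before packaging. The following script is an added example, not code from the original article or from Azure: it uses only the Python standard library, and its CSDEF and CSCFG fragments are constructed to mirror the snippets above (namespace-free; real files carry a namespace, which the helper strips).

```python
import re
import xml.etree.ElementTree as ET

HEX_LEN = {"sha1": 40, "sha256": 64}  # hex digest length per thumbprint algorithm

# Constructed CSDEF fragment (real files add an XML namespace, stripped by _local)
CSDEF = """<ServiceDefinition name="CertificateTesting">
  <WebRole name="CertificateTesting" vmsize="Small">
    <Certificates>
      <Certificate name="SampleCertificate" storeLocation="LocalMachine" storeName="My" permissionLevel="limitedOrElevated" />
      <Certificate name="CAForSampleCertificate" storeLocation="LocalMachine" storeName="CA" permissionLevel="limitedOrElevated" />
    </Certificates>
    <Endpoints>
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="SampleCertificate" />
    </Endpoints>
  </WebRole>
</ServiceDefinition>"""

# Constructed CSCFG with the intermediate CA entry missing, as after /generateConfigurationFile
CSCFG = """<ServiceConfiguration serviceName="CertificateTesting">
  <Role name="CertificateTesting">
    <Certificates>
      <Certificate name="SampleCertificate" thumbprint="9427befa18ec6865a9ebdc79d4c38de50e6316ff" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip "{namespace}" from a tag, if present

def _elements(xml_text, name):
    return [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == name]

def check_certificates(csdef_xml, cscfg_xml):
    """Return a list of problems; an empty list means the CSDEF/CSCFG pair is consistent."""
    problems = []
    defined = {c.get("name") for c in _elements(csdef_xml, "Certificate")}
    configured = {c.get("name"): c for c in _elements(cscfg_xml, "Certificate")}
    for name in sorted(defined - configured.keys()):          # declared but no thumbprint
        problems.append(f"CSCFG has no thumbprint for '{name}'")
    for name in sorted(configured.keys() - defined):          # thumbprint for unknown cert
        problems.append(f"CSCFG lists '{name}', which the CSDEF never defines")
    for name, cert in configured.items():                     # thumbprint shape vs algorithm
        want = HEX_LEN.get(cert.get("thumbprintAlgorithm", "").lower())
        if want is None or not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, cert.get("thumbprint", "")):
            problems.append(f"'{name}': thumbprint length does not match thumbprintAlgorithm")
    for ep in _elements(csdef_xml, "InputEndpoint"):          # HTTPS endpoint must name a cert
        if ep.get("protocol") == "https" and ep.get("certificate") not in defined:
            problems.append(f"HTTPS endpoint '{ep.get('name')}' names an undefined certificate")
    return problems
```

Run `check_certificates` on the real file contents just before calling cspack; the constructed pair above reports the missing CAForSampleCertificate entry.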

Step 3: Upload a certificate

Connect to the Azure portal and...

  1. In the All resources section of the portal, select your cloud service.

  2. Click Certificates.

  3. Click Upload at the top of the certificates area.

  4. Provide the File and Password, then click Upload at the bottom of the data entry area.

Step 4: Connect to the role instance by using HTTPS

Now that your deployment is up and running in Azure, you can connect to it using HTTPS.

  1. Click the Site URL to open the web browser.

  2. In your web browser, modify the link to use https instead of http, and then visit the page.

    Note

    If you are using a self-signed certificate, you may see a certificate error in the browser when you browse to the HTTPS endpoint associated with it. Using a certificate signed by a trusted certification authority eliminates this problem; in the meantime, you can ignore the error. (Another option is to add the self-signed certificate to the user's trusted certificate authority certificate store.)

    Tip

    If you want to use TLS for a staging deployment instead of a production deployment, you first need to determine the URL used for the staging deployment. Once your cloud service has been deployed, the URL of the staging environment is determined by the Deployment ID GUID, in this format: https://deployment-id.chinacloudapp.cn/

    Create a certificate with the common name (CN) equal to the GUID-based URL (for example, 328187776e774ceda8fc57609d404462.chinacloudapp.cn). Use the portal to add the certificate to your staged cloud service. Then add the certificate information to your CSDEF and CSCFG files, repackage your application, and update your staged deployment to use the new package.

Next steps