将应用程序证书添加到 Service Fabric 群集Add an application certificate to a Service Fabric cluster

此示例脚本演示如何在 Key Vault 中创建证书,然后将其部署到运行群集的虚拟机规模集之一。This sample script walks through how to create a certificate in Key Vault and then deploy it to one of the virtual machine scale sets your cluster runs on. 此方案不直接使用 Service Fabric,而是取决于 Key Vault 和虚拟机规模集。This scenario does not use Service Fabric directly, but rather depends on Key Vault and on virtual machine scale sets.

备注

本文已经过更新,以便使用 Azure Az PowerShell 模块。This article has been updated to use the Azure Az PowerShell module. 若要与 Azure 交互,建议使用的 PowerShell 模块是 Az PowerShell 模块。The Az PowerShell module is the recommended PowerShell module for interacting with Azure. 若要开始使用 Az PowerShell 模块,请参阅安装 Azure PowerShellTo get started with the Az PowerShell module, see Install Azure PowerShell. 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 AzTo learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

必要时,请使用 Azure PowerShell 指南中的说明安装 Azure PowerShell,并运行 Connect-AzAccount -Environment AzureChinaCloud 创建与 Azure 的连接。If needed, install the Azure PowerShell using the instruction found in the Azure PowerShell guide and then run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.

在 Key Vault 中创建证书Create a certificate in Key Vault

Connect-AzAccount -Environment AzureChinaCloud

$VaultName = ""
$CertName = ""
$SubjectName = "CN="

$policy = New-AzKeyVaultCertificatePolicy -SubjectName $SubjectName -IssuerName Self -ValidityInMonths 12
Add-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName -CertificatePolicy $policy

或将现有证书上传到 Key VaultOr upload an existing certificate into Key Vault

$VaultName= ""
$CertName= ""
$CertPassword= ""
$PathToPFX= ""

$bytes = [System.IO.File]::ReadAllBytes($PathToPFX)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
   data = $base64
   dataType = 'pfx'
   password = $CertPassword
   } | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)

$SecretValue = ConvertTo-SecureString -String $content -AsPlainText -Force

# Upload the certificate to the key vault as a secret
$Secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $CertName -SecretValue $SecretValue

通过证书更新虚拟机规模集配置文件Update virtual machine scale sets profile with certificate

$ResourceGroupName = ""
$VMSSName = ""
$CertStore = "My" # Update this with the store you want your certificate placed in, this is LocalMachine\My

# If you have added your certificate to the keyvault certificates, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName).SecretId -CertificateStore $CertStore

# Otherwise, if you have added your certificate to the keyvault secrets, use
$CertConfig = New-AzVmssVaultCertificateConfig -CertificateUrl (Get-AzKeyVaultSecret -VaultName $VaultName -Name $CertName).Id -CertificateStore $CertStore

$VMSS = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMSSName

# If this KeyVault is already known by the virtual machine scale set, for example if the cluster certificate is deployed from this keyvault, use
$VMSS.virtualmachineprofile.osProfile.secrets[0].vaultCertificates.Add($CertConfig)

# Otherwise use
$VMSS = Add-AzVmssSecret -VirtualMachineScaleSet $VMSS -SourceVaultId (Get-AzKeyVault -VaultName $VaultName).ResourceId  -VaultCertificate $CertConfig

更新虚拟机规模集Update the virtual machine scale set

Update-AzVmss -ResourceGroupName $ResourceGroupName -VirtualMachineScaleSet $VMSS -VMScaleSetName $VMSSName

如果希望将证书放置在群集中的多个节点上,应针对每个应具有证书的节点类型重复此脚本的第二个和第三部分。If you would like the certificate placed on multiple node types in your cluster, the second and third parts of this script should be repeated for each node type that should have the certificate.

脚本说明Script explanation

此脚本使用以下命令:表中的每条命令均链接到特定于命令的文档。This script uses the following commands: Each command in the table links to command specific documentation.

CommandCommand 说明Notes
New-AzKeyVaultCertificatePolicyNew-AzKeyVaultCertificatePolicy 创建表示证书的内存中策略Creates an in-memory policy representing the certificate
Add-AzKeyVaultCertificateAdd-AzKeyVaultCertificate 将策略部署到 Key Vault 证书Deploys the policy to Key Vault Certificates
Set-AzKeyVaultSecretSet-AzKeyVaultSecret 将策略部署到 Key Vault 机密Deploys the policy to Key Vault Secrets
New-AzVmssVaultCertificateConfigNew-AzVmssVaultCertificateConfig 创建表示 VM 中证书的内存中配置Creates an in-memory config representing the certificate in a VM
Get-AzVmssGet-AzVmss
Add-AzVmssSecretAdd-AzVmssSecret 将证书添加到虚拟机规模集的内存中定义Adds the certificate to the in-memory definition of the virtual machine scale set
Update-AzVmssUpdate-AzVmss 部署虚拟机规模集的新定义Deploys the new definition of the virtual machine scale set

后续步骤Next steps

有关 Azure PowerShell 模块的详细信息,请参阅 Azure PowerShell 文档For more information on the Azure PowerShell module, see Azure PowerShell documentation.

可以在 Azure PowerShell 示例中找到 Azure Service Fabric 的其他 Azure Powershell 示例。Additional Azure Powershell samples for Azure Service Fabric can be found in the Azure PowerShell samples.