Change cluster from certificate thumbprint to common name

No two certificates can have the same thumbprint, which makes cluster certificate rollover or management difficult. Multiple certificates, however, can have the same common name or subject. Switching a deployed cluster from using certificate thumbprints to using certificate common names makes certificate management much simpler. This article describes how to update a running Service Fabric cluster to use the certificate common name instead of the certificate thumbprint.

Note

If you have two thumbprints declared in your template, you need to perform two deployments. The first deployment is done before following the steps in this article: it sets the thumbprint property in the template to the certificate being used and removes the thumbprintSecondary property. For the second deployment, follow the steps in this article.

Get a certificate

First, get a certificate from a certificate authority (CA). The common name of the certificate should be the host name of the cluster, for example "myclustername.chinaeast.cloudapp.chinacloudapi.cn".

For testing purposes, you could get a CA-signed certificate from a free or open certificate authority.

Note

Self-signed certificates, including those generated when deploying a Service Fabric cluster in the Azure portal, are not supported.
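Before uploading a certificate, it is worth checking that it actually meets the two requirements above (common name equal to the cluster host name, CA-signed rather than self-signed) and that the PFX carries its private key. The following PowerShell function is an added example, not part of the original article; the PFX path, password prompt and expected host name are assumptions to replace with your own values.

```powershell
function Test-ClusterCertificate {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $ExpectedCommonName
    )
    # Load the PFX with its private key so we can inspect it before it goes anywhere near a vault.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    # SimpleName returns the CN of the subject, which is what Service Fabric matches on.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

    $problems = @()
    if ($cn -ne $ExpectedCommonName) {
        $problems += "Common name '$cn' does not match the cluster host name '$ExpectedCommonName'."
    }
    if ($cert.Subject -eq $cert.Issuer) {
        $problems += "Certificate is self-signed (subject equals issuer); this is not supported."
    }
    if (-not $cert.HasPrivateKey) {
        $problems += "PFX does not contain the private key; the nodes cannot use it."
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires on $($cert.NotAfter); rolling to it now buys little time."
    }
    # Build the chain against the local trust store. Revocation is skipped so the check works offline;
    # this only confirms the issuer chains to a trusted CA, not that the certificate is unrevoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        $problems += "Chain does not build to a trusted CA: $status"
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        CommonName = $cn
        Issuer     = $cert.Issuer
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Assumed sample values; the password is prompted for rather than stored in the script.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
$result = Test-ClusterCertificate -PfxPath "C:\users\sfuser\myclustercert.pfx" -Password $pfxPassword `
    -ExpectedCommonName "myclustername.chinaeast.cloudapp.chinacloudapi.cn"
$result | Format-List
if (-not $result.Ok) { throw "Certificate is not usable for the cluster; see Problems above." }
```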

Upload the certificate and install it in the scale set

In Azure, a Service Fabric cluster is deployed on a virtual machine scale set. Upload the certificate to a key vault and then install it on the virtual machine scale set that the cluster is running on.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force

$SubscriptionId  =  "<subscription ID>"

# Sign in to your Azure account and select your subscription
Login-AzureRmAccount -Environment AzureChinaCloud -SubscriptionId $SubscriptionId

$region = "chinaeast"
$KeyVaultResourceGroupName  = "mykeyvaultgroup"
$VaultName = "mykeyvault"
$certFilename = "C:\users\sfuser\myclustercert.pfx"
$certname = "myclustercert"
# Password protecting the .pfx file. Use a placeholder here; do not keep a real password in the script.
$Password  = "<PFX password>"
$VmssResourceGroupName     = "myclustergroup"
$VmssName                  = "prnninnxj"

# Create new Resource Group
New-AzureRmResourceGroup -Name $KeyVaultResourceGroupName -Location $region

# Create the new key vault. -EnabledForDeployment lets the scale set retrieve certificates from it.
$newKeyVault = New-AzureRmKeyVault -VaultName $VaultName -ResourceGroupName $KeyVaultResourceGroupName `
    -Location $region -EnabledForDeployment
$resourceId = $newKeyVault.ResourceId

# Add the certificate to the key vault.
$PasswordSec = ConvertTo-SecureString -String $Password -AsPlainText -Force
$KVSecret = Import-AzureKeyVaultCertificate -VaultName $VaultName -Name $certname `
    -FilePath $certFilename -Password $PasswordSec

# Capture the values needed by the scale set and the cluster template.
$CertificateThumbprint = $KVSecret.Thumbprint
$CertificateURL = $KVSecret.SecretId
$SourceVault = $resourceId
$CommName    = $KVSecret.Certificate.SubjectName.Name

Write-Host "CertificateThumbprint    :"  $CertificateThumbprint
Write-Host "CertificateURL           :"  $CertificateURL
Write-Host "SourceVault              :"  $SourceVault
Write-Host "Common Name              :"  $CommName

Set-StrictMode -Version 3
$ErrorActionPreference = "Stop"

# Install the certificate into the local machine "My" (Personal) store on each node.
$certConfig = New-AzureRmVmssVaultCertificateConfig -CertificateUrl $CertificateURL -CertificateStore "My"

# Get current VM scale set
$vmss = Get-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -VMScaleSetName $VmssName

# Add new secret to the VM scale set.
$vmss = Add-AzureRmVmssSecret -VirtualMachineScaleSet $vmss -SourceVaultId $SourceVault `
    -VaultCertificate $certConfig

# Update the VM scale set
Update-AzureRmVmss -ResourceGroupName $VmssResourceGroupName -Verbose `
    -Name $VmssName -VirtualMachineScaleSet $vmss

Note

Scale set secrets do not support the same resource ID for two separate secrets, as each secret is a versioned, unique resource.

Download and update the template from the portal

The certificate has been installed on the underlying scale set, but you also need to update the Service Fabric cluster to use that certificate and its common name. Now, download the template for your cluster deployment. Log in to the Azure portal and navigate to the resource group hosting the cluster. In Settings, select Deployments. Select the most recent deployment and click View template.

View template

Download the template and parameters JSON files to your local computer.

First, open the parameters file in a text editor and add the following parameter value:

"certificateCommonName": {
    "value": "myclustername.chinaeast.cloudapp.chinacloudapi.cn"
},

Next, open the template file in a text editor and make three updates to support the certificate common name.

  1. In the parameters section, add a certificateCommonName parameter:

    "certificateCommonName": {
        "type": "string",
        "metadata": {
            "description": "Certificate Commonname"
        }
    },
    

    Also consider removing the certificateThumbprint parameter; it may no longer be needed.

  2. In the Microsoft.Compute/virtualMachineScaleSets resource, update the virtual machine extension to use the common name in the certificate settings instead of the thumbprint. In virtualMachineProfile -> extensionProfile -> extensions -> properties -> settings -> certificate, add "commonNames": ["[parameters('certificateCommonName')]"] and remove "thumbprint": "[parameters('certificateThumbprint')]".

    "virtualMachineProfile": {
        "extensionProfile": {
            "extensions": [
                {
                    "name": "[concat('ServiceFabricNodeVmExt','_vmNodeType0Name')]",
                    "properties": {
                        "type": "ServiceFabricNode",
                        "autoUpgradeMinorVersion": true,
                        "protectedSettings": {
                            "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
                            "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
                        },
                        "publisher": "Microsoft.Azure.ServiceFabric",
                        "settings": {
                            "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
                            "nodeTypeRef": "[variables('vmNodeType0Name')]",
                            "dataPath": "D:\\SvcFab",
                            "durabilityLevel": "Bronze",
                            "enableParallelJobs": true,
                            "nicPrefixOverride": "[variables('subnet0Prefix')]",
                            "certificate": {
                                "commonNames": [
                                    "[parameters('certificateCommonName')]"
                                ],
                                "x509StoreName": "[parameters('certificateStoreValue')]"
                            }
                        },
                        "typeHandlerVersion": "1.0"
                    }
                },
    
  3. In the Microsoft.ServiceFabric/clusters resource, update the API version to "2018-02-01". Also add a certificateCommonNames setting with a commonNames property and remove the certificate setting (with the thumbprint property), as in the following example:

    {
        "apiVersion": "2018-02-01",
        "type": "Microsoft.ServiceFabric/clusters",
        "name": "[parameters('clusterName')]",
        "location": "[parameters('clusterLocation')]",
        "dependsOn": [
            "[concat('Microsoft.Storage/storageAccounts/', variables('supportLogStorageAccountName'))]"
        ],
        "properties": {
            "addonFeatures": [
                "DnsService",
                "RepairManager"
            ],
            "certificateCommonNames": {
                "commonNames": [
                    {
                        "certificateCommonName": "[parameters('certificateCommonName')]",
                        "certificateIssuerThumbprint": ""
                    }
                ],
                "x509StoreName": "[parameters('certificateStoreValue')]"
            },
        ...
    
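The three edits above can also be applied to the downloaded template programmatically, which avoids hand-editing errors in a file that controls cluster authentication. The script below is an added example and not part of the original article; the template path is an assumption, and it keeps whatever x509StoreName the cluster resource already declares.

```powershell
# Assumed location of the template downloaded from the portal.
$templatePath = "C:\temp\cluster\template.json"
$template = Get-Content -Raw -Path $templatePath | ConvertFrom-Json

# 1. Add the certificateCommonName parameter and drop certificateThumbprint if it is present.
$template.parameters | Add-Member -MemberType NoteProperty -Name "certificateCommonName" -Force -Value ([pscustomobject]@{
    type     = "string"
    metadata = [pscustomobject]@{ description = "Certificate Commonname" }
})
if ($template.parameters.PSObject.Properties["certificateThumbprint"]) {
    $template.parameters.PSObject.Properties.Remove("certificateThumbprint")
}

# 2. In every ServiceFabricNode extension on the scale sets, replace thumbprint with commonNames.
$scaleSets = $template.resources | Where-Object { $_.type -eq "Microsoft.Compute/virtualMachineScaleSets" }
foreach ($vmss in $scaleSets) {
    foreach ($ext in $vmss.properties.virtualMachineProfile.extensionProfile.extensions) {
        if ($ext.properties.type -ne "ServiceFabricNode") { continue }
        $cert = $ext.properties.settings.certificate
        if ($cert.PSObject.Properties["thumbprint"]) { $cert.PSObject.Properties.Remove("thumbprint") }
        # Cast to string[] so a single common name is still serialized as a JSON array.
        $cert | Add-Member -MemberType NoteProperty -Name "commonNames" -Force `
            -Value ([string[]]@("[parameters('certificateCommonName')]"))
    }
}

# 3. In the cluster resource, bump apiVersion and replace certificate with certificateCommonNames.
$clusters = $template.resources | Where-Object { $_.type -eq "Microsoft.ServiceFabric/clusters" }
foreach ($cluster in $clusters) {
    $cluster.apiVersion = "2018-02-01"
    $storeName = "[parameters('certificateStoreValue')]"
    if ($cluster.properties.PSObject.Properties["certificate"]) {
        $storeName = $cluster.properties.certificate.x509StoreName   # keep the store already in use
        $cluster.properties.PSObject.Properties.Remove("certificate")
    }
    $cluster.properties | Add-Member -MemberType NoteProperty -Name "certificateCommonNames" -Force -Value ([pscustomobject]@{
        commonNames   = @([pscustomobject]@{
            certificateCommonName       = "[parameters('certificateCommonName')]"
            certificateIssuerThumbprint = ""
        })
        x509StoreName = $storeName
    })
}

# Write the result. -Depth matters: the default depth of 2 silently truncates nested objects.
$template | ConvertTo-Json -Depth 100 | Set-Content -Path $templatePath -Encoding UTF8
```

Diff the rewritten file against the original before deploying; ConvertTo-Json escapes some characters (for example apostrophes as \u0027), which ARM accepts but which makes a raw diff noisier than the three intended changes.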

Deploy the updated template

Redeploy the updated template after making the changes.

$groupname = "sfclustertutorialgroup"

New-AzureRmResourceGroupDeployment -ResourceGroupName $groupname -Verbose `
    -TemplateParameterFile "C:\temp\cluster\parameters.json" -TemplateFile "C:\temp\cluster\template.json" 

Next steps