教程:在 Azure 中使用 Key Vault 中存储的 SSL 证书保护 Windows 虚拟机上的 Web 服务器Tutorial: Secure a web server on a Windows virtual machine in Azure with SSL certificates stored in Key Vault

若要保护 Web 服务器,可以使用安全套接字层 (SSL) 证书来加密 Web 流量。To secure web servers, a Secure Sockets Layer (SSL) certificate can be used to encrypt web traffic. 这些 SSL 证书可存储在 Azure Key Vault 中,并可安全部署到 Azure 中的 Windows 虚拟机 (VM)。These SSL certificates can be stored in Azure Key Vault, and allow secure deployments of certificates to Windows virtual machines (VMs) in Azure. 本教程介绍如何执行下列操作:In this tutorial you learn how to:

  • 创建 Azure Key VaultCreate an Azure Key Vault
  • 生成证书或将其上传到 Key VaultGenerate or upload a certificate to the Key Vault
  • 创建 VM 并安装 IIS Web 服务器Create a VM and install the IIS web server
  • 将证书注入 VM 并使用 SSL 绑定配置 IISInject the certificate into the VM and configure IIS with an SSL binding

启动 Azure PowerShellLaunch Azure PowerShell

Note

本文进行了更新,以便使用新的 Azure PowerShell Az 模块This article has been updated to use the new Azure PowerShell Az module. AzureRM 将继续获取关键的 bug 修复更新,但新功能将只出现在 Az 模块中。AzureRM will continue to get critical bugfix updates, but new features will be in the Az module only.

  • 若要在本地安装 Az 模块,请参阅安装 Azure PowerShellTo install the Az module locally, see Install Azure PowerShell.
  • 如果在本地安装 Az 模块,可通过运行 Enable-AzureRmAlias 来启用 AzureRM 兼容性。If you install the Az module locally, you can enable the AzureRM compatibility by running Enable-AzureRmAlias.

概述Overview

Azure Key Vault 保护加密密钥和机密、此类证书或密码。Azure Key Vault safeguards cryptographic keys and secrets, such certificates or passwords. Key Vault 有助于简化证书管理过程,让我们持续掌控用于访问这些证书的密钥。Key Vault helps streamline the certificate management process and enables you to maintain control of keys that access those certificates. 可以在 Key Vault 中创建自签名证书,或者上传已拥有的现有受信任证书。You can create a self-signed certificate inside Key Vault, or upload an existing, trusted certificate that you already own.

无需使用包含植入证书的自定义 VM 映像,而可将证书直接注入正在运行的 VM。Rather than using a custom VM image that includes certificates baked-in, you inject certificates into a running VM. 此过程可确保在部署过程中,在 Web 服务器上安装最新的证书。This process ensures that the most up-to-date certificates are installed on a web server during deployment. 如果续订或替换了证书,也不需要创建新的自定义 VM 映像。If you renew or replace a certificate, you don't also have to create a new custom VM image. 创建附加的 VM 时,会自动注入最新证书。The latest certificates are automatically injected as you create additional VMs. 在整个过程中,证书永远不会离开 Azure 平台,也不会在脚本、命令行历史记录或模板中公开。During the whole process, the certificates never leave the Azure platform or are exposed in a script, command-line history, or template.

创建 Azure Key VaultCreate an Azure Key Vault

创建 Key Vault 和证书之前,需使用 New-AzResourceGroup 创建资源组。Before you can create a Key Vault and certificates, create a resource group with New-AzResourceGroup. 以下示例在“中国东部” 位置创建名为 myResourceGroupSecureWeb 的资源组:The following example creates a resource group named myResourceGroupSecureWeb in the China East location:

$resourceGroup = "myResourceGroupSecureWeb"
$location = "China East"
New-AzResourceGroup -ResourceGroupName $resourceGroup -Location $location

接下来,使用 New-AzureRmKeyVault 创建 Key Vault。Next, create a Key Vault with New-AzureRmKeyVault. 每个 Key Vault 均需具备唯一名称且全部小写。Each Key Vault requires a unique name, and should be all lower case. 将下例中的 mykeyvault 替换为自己唯一的 Key Vault 名称:Replace mykeyvault in the following example with your own unique Key Vault name:

$keyvaultName="mykeyvault"
New-AzKeyVault -VaultName $keyvaultName `
    -ResourceGroup $resourceGroup `
    -Location $location `
    -EnabledForDeployment

生成证书并存储在 Key Vault 中Generate a certificate and store in Key Vault

针对生产用途,应使用 Import-AzKeyVaultCertificate 导入由受信任提供程序签名的有效证书。For production use, you should import a valid certificate signed by trusted provider with Import-AzKeyVaultCertificate. 在本教程中,以下示例演示了如何使用 Add-AzKeyVaultCertificate 生成一个自签名证书,该证书使用 New-AzKeyVaultCertificatePolicy 指定的默认证书策略。For this tutorial, the following example shows how you can generate a self-signed certificate with Add-AzKeyVaultCertificate that uses the default certificate policy from New-AzKeyVaultCertificatePolicy.

$policy = New-AzureKeyVaultCertificatePolicy `
    -SubjectName "CN=www.contoso.com" `
    -SecretContentType "application/x-pkcs12" `
    -IssuerName Self `
    -ValidityInMonths 12

Add-AzureKeyVaultCertificate `
    -VaultName $keyvaultName `
    -Name "mycert" `
    -CertificatePolicy $policy 

创建虚拟机Create a virtual machine

使用 Get-Credential 设置 VM 的管理员用户名和密码:Set an administrator username and password for the VM with Get-Credential:

$cred = Get-Credential

现在,可使用 New-AzVM 创建 VM。Now you can create the VM with New-AzVM. 以下示例在“ChinaEast”位置 创建一个名为 myVM 的 VM。The following example creates a VM named myVM in the ChinaEast location. 如果支持的网络资源不存在,则会创建这些资源。If they do not already exist, the supporting network resources are created. 此 cmdlet 还打开端口 443,目的是允许安全的 Web 流量。To allow secure web traffic, the cmdlet also opens port 443.

# Create a VM
New-AzVm `
    -ResourceGroupName $resourceGroup `
    -Name "myVM" `
    -Location $location `
    -VirtualNetworkName "myVnet" `
    -SubnetName "mySubnet" `
    -SecurityGroupName "myNetworkSecurityGroup" `
    -PublicIpAddressName "myPublicIpAddress" `
    -Credential $cred `
    -OpenPorts 443

# Use the Custom Script Extension to install IIS
Set-AzVMExtension -ResourceGroupName $resourceGroup `
    -ExtensionName "IIS" `
    -VMName "myVM" `
    -Location $location `
    -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -SettingString '{"commandToExecute":"powershell Add-WindowsFeature Web-Server -IncludeManagementTools"}'

创建 VM 需要几分钟时间。It takes a few minutes for the VM to be created. 最后一个步骤通过 Set-AzVmExtension 使用 Azure 自定义脚本扩展来安装 IIS Web 服务器。The last step uses the Azure Custom Script Extension to install the IIS web server with Set-AzVmExtension.

将 Key Vault 中的证书添加到 VMAdd a certificate to VM from Key Vault

若要将 Key Vault 中的证书添加到 VM,请使用 Get-AzKeyVaultSecret 获取证书的 ID。To add the certificate from Key Vault to a VM, obtain the ID of your certificate with Get-AzKeyVaultSecret. 使用 Add-AzVMSecret 将证书添加到 VM:Add the certificate to the VM with Add-AzVMSecret:

$certURL=(Get-AzureKeyVaultSecret -VaultName $keyvaultName -Name "mycert").id

$vm=Get-AzVM -ResourceGroupName $resourceGroup -Name "myVM"
$vaultId=(Get-AzKeyVault -ResourceGroupName $resourceGroup -VaultName $keyVaultName).ResourceId
$vm = Add-AzVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore "My" -CertificateUrl $certURL

Update-AzVM -ResourceGroupName $resourceGroup -VM $vm

将 IIS 配置为使用该证书Configure IIS to use the certificate

再次通过 Set-AzVMExtension 使用自定义脚本扩展来更新 IIS 配置。Use the Custom Script Extension again with Set-AzVMExtension to update the IIS configuration. 此项更新会应用从 Key Vault 注入 IIS 的证书,并配置 Web 绑定:This update applies the certificate injected from Key Vault to IIS and configures the web binding:

$PublicSettings = '{
    "fileUris":["https://raw.githubusercontent.com/Azure-Samples/compute-automation-configurations/master/secure-iis.ps1"],
    "commandToExecute":"powershell -ExecutionPolicy Unrestricted -File secure-iis.ps1"
}'

Set-AzVMExtension -ResourceGroupName $resourceGroup `
    -ExtensionName "IIS" `
    -VMName "myVM" `
    -Location $location `
    -Publisher "Microsoft.Compute" `
    -ExtensionType "CustomScriptExtension" `
    -TypeHandlerVersion 1.8 `
    -SettingString $publicSettings

测试 Web 应用是否安全Test the secure web app

使用 Get-AzPublicIPAddress 获取 VM 的公共 IP 地址。Obtain the public IP address of your VM with Get-AzPublicIPAddress. 以下示例获取前面创建的 myPublicIP 的 IP 地址:The following example obtains the IP address for myPublicIP created earlier:

Get-AzPublicIPAddress -ResourceGroupName $resourceGroup -Name "myPublicIPAddress" | select "IpAddress"

现可打开 Web 浏览器,并在地址栏中输入 https://<myPublicIP>Now you can open a web browser and enter https://<myPublicIP> in the address bar. 若要接受有关使用自签名证书的安全警告,请依次选择“详细信息”和“继续转到网页”: To accept the security warning if you used a self-signed certificate, select Details and then Go on to the webpage:

接受 Web 浏览器安全警告

随即显示受保护的 IIS 网站,如下例所示:Your secured IIS website is then displayed as in the following example:

查看运行中的安全 IIS 站点

后续步骤Next steps

本教程已介绍如何使用 Azure Key Vault 中存储的 SSL 证书保护 IIS Web 服务器。In this tutorial, you secured an IIS web server with an SSL certificate stored in Azure Key Vault. 你已了解如何:You learned how to:

  • 创建 Azure Key VaultCreate an Azure Key Vault
  • 生成证书或将其上传到 Key VaultGenerate or upload a certificate to the Key Vault
  • 创建 VM 并安装 IIS Web 服务器Create a VM and install the IIS web server
  • 将证书注入 VM 并使用 SSL 绑定配置 IISInject the certificate into the VM and configure IIS with an SSL binding

请访问以下链接,查看预先生成的虚拟机脚本示例。Follow this link to see pre-built virtual machine script samples.