Use public / trusted certificates for your Azure Stack Development Kit

In this blog post I explain how to use your own certificates for your Azure Stack installation: either certificates issued by your own enterprise CA or a publicly trusted multi-wildcard certificate.

A later blog post will describe how to get Azure Stack Development toolkit installed on either your enterprise network or directly on the internet with a custom domain name.

Let’s get started. To provide basic IaaS and core Azure Stack functionality, a multi-wildcard certificate is required that contains these names:
*.blob.[RegionName].[ExternalDomainFQDN],
*.queue.[RegionName].[ExternalDomainFQDN],
*.table.[RegionName].[ExternalDomainFQDN],
adminportal.[RegionName].[ExternalDomainFQDN],
adminmanagement.[RegionName].[ExternalDomainFQDN],
management.[RegionName].[ExternalDomainFQDN],
*.vault.[RegionName].[ExternalDomainFQDN],
*.adminvault.[RegionName].[ExternalDomainFQDN],
portal.[RegionName].[ExternalDomainFQDN]

For ADFS scenarios you need 2 more names:
adfs.[RegionName].[ExternalDomainFQDN]
graph.[RegionName].[ExternalDomainFQDN]

I requested all of these names in a single multi-wildcard certificate (screenshot of the certificate request not reproduced here).

The directory C:\CloudDeployment\Setup\Certificates contains 2 folders, named AAD and ADFS. Depending on the scenario (AAD or ADFS), a PFX file that contains the full certificate chain needs to reside in each subfolder: for an Azure Active Directory installation all PFX files go into the subfolders below AAD, for an ADFS installation into the subfolders below ADFS. Make sure the PFX password is the same as the local Administrator password.

Let’s assume you want to expose just the current names that are used in the Azure Stack Development Kit, that is the following:
Region Name: “local”
FQDN: “AzureStack.External”

This means that the default Azure Stack installation files are used without changing anything else. The advantage is that within your enterprise or organisation you can request certificates that are trusted by clients who connect to their Azure Stack environment via VPN or using the script Ruud has made available on TechNet.
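A check worth running before copying the PFX files into the Certificates folders, as an added example that is not part of the original post: it builds the list of required names from the region name and FQDN (the Development Kit defaults above, or your own values), opens the PFX with the local Administrator password and reports missing SAN entries, a missing chain or an expired certificate. The file name AzureStackCerts.pfx and the parameter names are assumptions.

```powershell
# Added example, not part of the original post: sanity-check a PFX before
# copying it into C:\CloudDeployment\Setup\Certificates\AAD (or \ADFS).
# The file name AzureStackCerts.pfx and the parameter names are assumptions.
param(
    [string]$PfxPath = 'C:\CloudDeployment\Setup\Certificates\AAD\AzureStackCerts.pfx',
    [string]$RegionName = 'local',
    [string]$ExternalDomainFqdn = 'AzureStack.External',
    [switch]$Adfs
)
# The names the post lists for core IaaS, plus the two extra names for ADFS.
$suffix   = "$RegionName.$ExternalDomainFqdn".ToLower()
$prefixes = '*.blob', '*.queue', '*.table', 'adminportal', 'adminmanagement',
            'management', '*.vault', '*.adminvault', 'portal'
if ($Adfs) { $prefixes += 'adfs', 'graph' }
$required = $prefixes | ForEach-Object { "$_.$suffix" }

# Import the whole PFX (leaf plus chain). The password has to be the local
# Administrator password; Import() throws if it is wrong.
$secure = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$pfx.Import($PfxPath, $plain, 'DefaultKeySet')

$leaf = $pfx | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw 'The PFX contains no certificate with a private key.' }
if ($pfx.Count -lt 2) { Write-Warning 'The PFX holds only the leaf; export it again with the chain included.' }
if ($leaf.NotAfter -lt (Get-Date)) { Write-Warning "The certificate expired on $($leaf.NotAfter)." }

# SAN entries; DnsNameList is the type extension Windows PowerShell adds to X509Certificate2.
$sans = @($leaf.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })

# A required name is covered by an identical SAN or by a single-level wildcard SAN:
# *.local.azurestack.external covers portal.local.azurestack.external, but not *.blob.local.azurestack.external.
function Test-Covered([string]$Name, [string[]]$SanList) {
    foreach ($san in $SanList) {
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and -not $Name.StartsWith('*.')) {
            $rest = $san.Substring(2)
            if ($Name.EndsWith(".$rest") -and ($Name.Substring(0, $Name.Length - $rest.Length - 1) -notmatch '\.')) { return $true }
        }
    }
    return $false
}

$missing = $required | Where-Object { -not (Test-Covered $_ $sans) }
if ($missing) { Write-Warning "Missing SAN entries:`n  $($missing -join "`n  ")" }
else { 'All required names are covered by the PFX.' }
```

Run it with -Adfs for the ADFS scenario, or pass -RegionName and -ExternalDomainFqdn when you deploy with your own values.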

If you do wish to change the region name and the FQDN for your deployment, I recommend running this command in PowerShell:

Then type in the password for the local Administrator. When the credential popup to sign in to AAD appears, cancel it. Navigate to C:\CloudDeployment\Setup and open the DeploySingleNode.ps1 file. On lines 86 and 89, change the values of the $regionName and $externalDomainSuffix variables.

Now kick off the installation again by running InstallAzureStackPOC.ps1 and wait for it to finish. When it finishes, the installer shows the result of the deployment.

The next blogpost will describe how to install Azure Stack in your own enterprise network or connect it directly up to the internet.


  • Hi Mark,
    Thanks for this article.
    I’ve the following error message when I add Wildcard SAN in Digicert:
    The Subject Alternative Name(s) (SANs) field contains a domain name with the * character and can only be used with a Wildcard Certificate.
    Any idea?
    Thanks.
    Florent

    • Mark Scholman

      You need to request each of them as a single wildcard certificate. Once issued, don’t download them. Then you need to open a support ticket to merge them. If you look at the folder structure, you might even want to separate the PFX per folder required names. Once the merge is done, take the cert and use it for the installation.

  • PaulCapper

    Hi Mark,
    Is there any way we can install a certificate post installation? I have set up my environment with a custom domain name but obviously get errors when we hit the management URL that the website is not trusted.
    regards,
    Paul

    • Mark Scholman

      Hi Paul, I haven’t done that, I will ask a community member, I recall he did something like that. Did you forget to add an alias to the wildcard certificate or?

      • PaulCapper

        Hi Mark,

        I managed to get this partly working by completing CSRs for all the non-wildcard SSLs via the administration portal. All functionality is working, however I am getting marketplace errors (saying that I can’t connect) via the customer portal. I believe I may have damaged it during the application of certificates, however, because when I roll back I still receive the same error. I am going to rebuild the stack again and go with your method.

        Let you know how it goes.

        Paul

  • Christian M

    Quote: “A later blog post will describe how to get Azure Stack Development toolkit installed on either your enterprise network or directly on the internet with a custom domain name”

    When are you planning to write or release this, looking so much forward to this…

    thanks,
    Christian

    • Mark Scholman

      Yup, my bad… going to work on it. Cannot commit myself to a date yet.

      • Christian M

        Awesome… no need of date…. just knowing it’s on its way is enough for me… keep up the nice work… 🙂