Use public / trusted certificates for your Azure Stack Development Kit

In this blog post I explain how to use your own certificates for your Azure Stack installation. These can be certificates issued by your own enterprise CA or even a publicly trusted multi-wildcard certificate.

A later blog post will describe how to get the Azure Stack Development Kit installed on either your enterprise network or directly on the internet with a custom domain name.

Let’s get started. To provide basic IaaS and core Azure Stack functionality, a multi-wildcard certificate is required that contains these names:
*.blob.[RegionName].[ExternalDomainFQDN],
*.queue.[RegionName].[ExternalDomainFQDN],
*.table.[RegionName].[ExternalDomainFQDN],
adminportal.[RegionName].[ExternalDomainFQDN],
adminmanagement.[RegionName].[ExternalDomainFQDN],
management.[RegionName].[ExternalDomainFQDN],
*.vault.[RegionName].[ExternalDomainFQDN],
*.adminvault.[RegionName].[ExternalDomainFQDN],
portal.[RegionName].[ExternalDomainFQDN]

For ADFS scenarios you need 2 more names:
adfs.[RegionName].[ExternalDomainFQDN]
graph.[RegionName].[ExternalDomainFQDN]

I requested all names in a single multi-wildcard certificate, as shown below:

[screenshot: certificate request containing all of the names listed above]

The directory C:\CloudDeployment\Setup\Certificates contains 2 subfolders named AAD and ADFS. Depending on the scenario (AAD vs ADFS), a PFX certificate that contains the full certificate chain needs to reside in each subfolder. For an Azure Active Directory installation, all PFX certificates are placed in the folders below the AAD subfolder. For ADFS installations they are placed in the ADFS subfolders. Make sure the password for the PFX is the same as the local Administrator password.

Let’s assume you want to expose just the current names that are used in the Azure Stack Development Kit, that is the following:
Region Name: “local”
FQDN: “AzureStack.External”
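Before copying a PFX into the AAD or ADFS subfolder, it is worth checking that it actually carries every name from the list above, the private key and the chain. The following PowerShell script is an added example (not part of the original post or of the Azure Stack tooling); the parameter names, the use of Get-PfxData from the PKI module and the folder check are my own assumptions.

```powershell
# Added example: verify a PFX against the names Azure Stack Development Kit requires.
# PfxPath, RegionName, ExternalDomainFQDN and Scenario are assumed parameter names.
param(
    [Parameter(Mandatory)][string]$PfxPath,
    [string]$RegionName = 'local',
    [string]$ExternalDomainFQDN = 'AzureStack.External',
    [ValidateSet('AAD', 'ADFS')][string]$Scenario = 'AAD'
)

# Build the required name list from the post: nine names for IaaS/core, two more for ADFS.
$suffix   = "$RegionName.$ExternalDomainFQDN"
$prefixes = '*.blob', '*.queue', '*.table', 'adminportal', 'adminmanagement',
            'management', '*.vault', '*.adminvault', 'portal'
if ($Scenario -eq 'ADFS') { $prefixes += 'adfs', 'graph' }
$required = $prefixes | ForEach-Object { "$_.$suffix" }

# Get-PfxData reads the file without importing it into a certificate store.
$password = Read-Host -AsSecureString -Prompt 'PFX password (must equal the local Administrator password)'
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password
$leaf = $pfx.EndEntityCertificates[0]

# Extract DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}

# A SAN entry covers a required name when it is identical (case-insensitive) or when it is a
# wildcard one label above an explicit name: *.local.x covers portal.local.x but not *.blob.local.x.
function Test-NameCovered([string]$Name, [string[]]$Entries) {
    foreach ($e in $Entries) {
        if ($e -ieq $Name) { return $true }
        if ($e.StartsWith('*.') -and -not $Name.StartsWith('*.')) {
            $labels = $Name.Split('.')
            if ($labels.Count -gt 1 -and (($labels[1..($labels.Count - 1)] -join '.') -ieq $e.Substring(2))) { return $true }
        }
    }
    return $false
}

$missing = @($required | Where-Object { -not (Test-NameCovered $_ $sans) })

[pscustomobject]@{
    Subject       = $leaf.Subject
    HasPrivateKey = $leaf.HasPrivateKey                                   # without the key the PFX is useless to setup
    ChainIncluded = $pfx.OtherCertificates.Count -gt 0                    # the post requires the chain inside the PFX
    InRightFolder = (Split-Path (Split-Path $PfxPath -Parent) -Leaf) -ieq $Scenario
    MissingNames  = $missing
    Ready         = ($missing.Count -eq 0) -and $leaf.HasPrivateKey -and ($pfx.OtherCertificates.Count -gt 0)
}
```

Run it once per PFX with the same RegionName and ExternalDomainFQDN you intend to set in DeploySingleNode.ps1; a non-empty MissingNames list means the deployment will end up with endpoints that browsers will not trust.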

This means that the default Azure Stack installation files are used without changing anything else. The advantage is that within your enterprise or organisation you can request certificates that are trusted by the clients that connect to the Azure Stack environment via VPN or via the script Ruud has made available on TechNet.

If you do wish to change the region name and the FQDN for your deployment, I recommend running this command in PowerShell:

Then type in the local Administrator password. When the credential popup for signing in to AAD appears, cancel it. Navigate to C:\CloudDeployment\Setup and open the DeploySingleNode.ps1 file. On lines 86 and 89, change the values of the $regionName and $externalDomainSuffix variables:

[screenshot: DeploySingleNode.ps1 with $regionName and $externalDomainSuffix edited]

Now kick off the installation by running InstallAzureStackPOC.ps1 again and wait for it to finish. The end result of the installation looks like this:

[screenshot: result of the completed installation]

The next blog post will describe how to install Azure Stack in your own enterprise network or connect it directly to the internet.
