Use public / trusted certificates for your Azure Stack Development Kit

In this blog post I explain how to use your own certificates for your Azure Stack installation. These can be certificates issued by your own enterprise CA or even a publicly trusted multi-wildcard certificate.

A later blog post will describe how to get the Azure Stack Development Kit installed either on your enterprise network or directly on the internet with a custom domain name.

Let’s get started. To provide basic IaaS and core Azure Stack functionality, a multi-wildcard certificate is required that contains these names:
*.blob.[RegionName].[ExternalDomainFQDN],
*.queue.[RegionName].[ExternalDomainFQDN],
*.table.[RegionName].[ExternalDomainFQDN],
adminportal.[RegionName].[ExternalDomainFQDN],
adminmanagement.[RegionName].[ExternalDomainFQDN],
management.[RegionName].[ExternalDomainFQDN],
*.vault.[RegionName].[ExternalDomainFQDN],
*.adminvault.[RegionName].[ExternalDomainFQDN],
portal.[RegionName].[ExternalDomainFQDN]

For ADFS scenarios you need two more names:
adfs.[RegionName].[ExternalDomainFQDN]
graph.[RegionName].[ExternalDomainFQDN]

I requested all of these names in a single multi-wildcard certificate, as shown below:

[image: the requested multi-wildcard certificate]

The directory C:\CloudDeployment\Setup\Certificates contains two folders, named AAD and ADFS. Depending on the scenario (AAD or ADFS), a PFX certificate that contains the full certificate chain needs to reside in each subfolder. For an Azure Active Directory installation, all PFX certificates are placed in the folders below the AAD subfolder. For ADFS installations they are placed in the ADFS subfolders. Make sure the password of the PFX is the same as the local Administrator password.

Let’s assume you want to expose just the names that the Azure Stack Development Kit uses by default, which are the following:
Region Name: “local”
FQDN: “AzureStack.External”

This means the default Azure Stack installation files are used without changing anything else. The advantage is that within your enterprise or organisation you can request certificates that are trusted by the clients that connect to the Azure Stack environment, either via VPN or by using the script Ruud has made available on TechNet.

If you do wish to change the region name and the FQDN for your deployment, I recommend running this command in PowerShell:

Then type in the password for the local Administrator. When the credential popup appears asking you to sign in to AAD, cancel it. Navigate to C:\CloudDeployment\Setup and open the DeploySingleNode.ps1 file. On lines 86 and 89, change the values of the $regionName and $externalDomainSuffix variables:

[image: DeploySingleNode.ps1 with the $regionName and $externalDomainSuffix values changed]
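Before kicking off the installation it is worth confirming that the PFX you placed under the Certificates folder actually covers every name listed above for the region and FQDN you settled on, opens with the password you intend to use (the local Administrator password) and carries its issuing chain. The following script is an added example written for this post, not code from the original article or from Microsoft; the parameters $RegionName, $ExternalDomainFQDN, $PfxPath and $IncludeAdfs are assumptions, and the file name AzureStack.pfx is a placeholder for whatever you named your PFX.

```powershell
<#
  Added example (not part of the original post): validate a PFX for an Azure
  Stack Development Kit deployment. Checks SAN coverage for the chosen
  region/FQDN, that the PFX opens with the supplied password, and that the
  issuing chain is present. Parameter names and the AzureStack.pfx file name
  are assumptions / placeholders.
#>
param(
    [string]$RegionName         = 'local',
    [string]$ExternalDomainFQDN = 'AzureStack.External',
    [string]$PfxPath            = 'C:\CloudDeployment\Setup\Certificates\AAD\AzureStack.pfx',
    [switch]$IncludeAdfs
)

$suffix = "$RegionName.$ExternalDomainFQDN"

# Names the post lists for core IaaS/portal functionality; ADFS adds two more.
$required = @(
    "*.blob.$suffix", "*.queue.$suffix", "*.table.$suffix",
    "adminportal.$suffix", "adminmanagement.$suffix", "management.$suffix",
    "*.vault.$suffix", "*.adminvault.$suffix", "portal.$suffix"
)
if ($IncludeAdfs) { $required += "adfs.$suffix", "graph.$suffix" }

# A required name is covered when it appears literally in the SAN list, or,
# for a plain hostname, when a wildcard on the same parent domain is present.
# A required wildcard (e.g. *.blob.<suffix>) must appear literally.
function Test-NameCovered {
    param([string]$Name, [string[]]$Sans)
    if ($Sans -contains $Name) { return $true }
    if (-not $Name.StartsWith('*')) {
        $parent = $Name.Substring($Name.IndexOf('.') + 1)
        return [bool]($Sans -contains "*.$parent")
    }
    return $false
}

# Prompt once; the post requires this to equal the local Administrator password.
$secure = Read-Host -AsSecureString -Prompt 'PFX password (local Administrator password)'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# Import the whole PFX so that chain certificates, if included, come along.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
try {
    $bundle.Import($PfxPath, $plain, 'DefaultKeySet')
} catch {
    throw "Could not open $PfxPath with the supplied password: $($_.Exception.Message)"
}

$leaf = $bundle | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }
$issuers = @($bundle | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

# Pull DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
# On Windows, Format($true) yields one "DNS Name=<value>" line per entry.
$sanExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = @($sanExt.Format($true) -split "`r?`n" |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
}

Write-Host "Subject : $($leaf.Subject)"
Write-Host "Valid   : $($leaf.NotBefore) - $($leaf.NotAfter)"
Write-Host "SANs    : $($sans.Count); chain certificates in PFX: $($issuers.Count)"

$missing = @($required | Where-Object { -not (Test-NameCovered -Name $_ -Sans $sans) })
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate does not cover these required names:`n  " + ($missing -join "`n  "))
} else {
    Write-Host "All $($required.Count) required names are covered."
}

# A CA-issued leaf shipped without its issuers will not satisfy the deployment.
if ($issuers.Count -eq 0 -and $leaf.Subject -ne $leaf.Issuer) {
    Write-Warning 'The PFX contains only the leaf certificate; export it again with the chain included.'
}

# Also verify that this host can build a trusted chain, which is what clients
# connecting to the portal endpoints will do.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}
```

Run it on the development kit host with the region and FQDN you put into DeploySingleNode.ps1, and add -IncludeAdfs when validating a PFX in the ADFS folder. Wildcard matching is deliberately strict: a single *.local.AzureStack.External entry would cover portal and management but not the storage and vault endpoints, which need their own wildcard entries, so those names must appear literally in the SAN list.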

Now kick off the installation again by running InstallAzureStackPOC.ps1 and wait for it to finish. The end result of the installation looks like this:

[image: result of the completed installation]

The next blog post will describe how to install Azure Stack in your own enterprise network or connect it directly to the internet.


Mark Scholman

About the author

Mark is a consultant at Inspark and a Cloud and Datacenter MVP. In his day-to-day job he builds clouds with Azure Stack, Azure Pack and Hyper-V.

LinkedIn: https://nl.linkedin.com/in/markscholman
Twitter: @markscholman
Github: https://github.com/markscholman

  • Hi Mark,
    Thanks for this article.
    I’ve the following error message when I add Wildcard SAN in Digicert:
    The Subject Alternative Name(s) (SANs) field contains a domain name with the * character and can only be used with a Wildcard Certificate.
    Any idea?
    Thanks.
    Florent

    • Mark Scholman

      You need to request each of them as a single wildcard certificate. Once issued, don’t download them. Then you need to open a support ticket to merge them. If you look at the folder structure, you might even want to separate the PFX per folder’s required names. Once the merge is done, take the cert and use it for the installation.