Your Browser is Out of Date

ShareDemos uses technology that works best in other browsers.
For a full experience use one of the browsers below
Concepts Guide—Dell EMC Integrated System for Microsoft Azure Stack Hub

view all chapters

Prerequisites
Environmental requirements Power distribution unit (PDU) power-drop requirements Azure connection, identity store, and billing-model decisions Choosing connection options and identity store Features that are impaired or unavailable in disconnected mode Required customer-provided security certificates Mandatory certificates Optional PaaS certificates Certificate requirements and validation License requirements Azure Stack Hub endpoints and customer port requirements

Mandatory certificates

  • The following table describes the Microsoft Azure Stack Hub public endpoint PKI certificates that are required for both AAD and ADFS Azure Stack Hub deployments. Certificate requirements are grouped by area, namespaces used, and the certificates that are required for each namespace. The table also describes the folder in which your solution provider copies the different certificates per public endpoint.

    Table 14.           Azure Stack Hub PKI certificate requirements (14G)

    Deployment folder

    Required certificate subject and SAN

    Scope
    (per region)

    Subdomain namespace

    Public Portal

    portal.<region>.<fqdn>

    Portals

    <region>.<fqdn>

    Admin Portal

    adminportal.<region>.<fqdn>

    Portals

    <region>.<fqdn>

    Azure Resource Manager Public

    management.<region>.<fqdn>

    Azure Resource Manager

    <region>.<fqdn>

    Azure Resource Manager Admin

    adminmanagement.<region>.<fqdn>

    Azure Resource Manager

    <region>.<fqdn>

    ACSBlob

    *.blob.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Blob Storage

    blob.<region>.<fqdn>

    ACSTable

    *.table.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Table Storage

    table.<region>.<fqdn>

    ACSQueue

    *.queue.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Queue Storage

    queue.<region>.<fqdn>

    KeyVault

    *.vault.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Key Vault

    vault.<region>.<fqdn>

    KeyVaultInternal

    *.adminvault.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Internal Keyvault

    adminvault.<region>.<fqdn>

    Extension Host

    *.hosting.<region>.<fqdn>
    (Wildcard SSL Certificates)

    Extension Host

    hosting.<region>.<fqdn>

    *.adminhosting.<region>.<fqdn>
    (Wildcard SSL Certificates)

    Extension Host

    adminhosting. <region>.<fqdn>

    Use certificates with the appropriate DNS names for each Azure Stack Hub public infrastructure endpoint. Each endpoint DNS name is expressed in the following format: <prefix>.<region>.<fqdn>.

    For your deployment, the [region] and [externalfqdn] values must match the region and external domain names that you choose for your Azure Stack Hub system. For example, if the region name is “Redmond” and the external domain name is “company.com”, the DNS names have the format <prefix>.redmond.company.com. Microsoft predesignates the <prefix> values to describe the endpoint that is secured by the certificate. Also, the <prefix> values of the external infrastructure endpoints depend on the Azure Stack Hub service that uses the specific endpoint.

    Note: You can provide certificates as single wildcard certificates covering all name spaces in the Subject and SAN fields that are copied into all directories. You can also provide certificates as individual certificates for each endpoint copied into the corresponding directory. Both options require that you use wildcard certificates for endpoints, such as ACS and Key Vault, where they are required.

    For Azure Stack Hub environments on pre-1803 release versions, see the following table. If you deploy Azure Stack Hub using the AAD deployment mode, you only need to request the certificates listed.

    Table 15.           Azure Stack Hub PKI certificate requirements (13G)

    Deployment folder

    Required certificate subject and SAN

    Scope (per region)

    Subdomain namespace

    Public Portal

    portal.<region>.<fqdn>

    Portals

    <region>.<fqdn>

    Admin Portal

    adminportal.<region>.<fqdn>

    Portals

    <region>.<fqdn>

    Azure Resource Manager Public

    management.<region>.<fqdn>

    Azure Resource Manager

    <region>.<fqdn>

    Azure Resource Manager Admin

    adminmanagement.<region>.<fqdn>

    Azure Resource Manager

    <region>.<fqdn>

    ACS

    One multi-subdomain wildcard certificate with Subject Alternative names for:

    • *.blob.<region>.<fqdn>
    • *.queue.<region>.<fqdn>
    • *.table.<region>.<fqdn>

    Storage
    • blob.<region>.<fqdn>
    • table.<region>.<fqdn>
    • queue.<region>.<fqdn>

    KeyVault

    *.vault.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Key Vault

    vault.<region>.<fqdn>

    KeyVaultInternal

    *.adminvault.<region>.<fqdn>

    (Wildcard SSL Certificate)

    Internal Keyvault

    adminvault.<region>.<fqdn>

    Note: The ACS certificate requires three wildcard SANs on a single certificate. Not all Public Certificate Authorities support multiple wildcard SANs on a single certificate.

    However, if you deploy Azure Stack Hub using the ADFS deployment mode, you must also request the certificates that are described in the following table.

    Table 16.           Azure Stack Hub PKI certificate requirements (13G) with ADFS deployment

    Deployment folder

    Required certificate subject and SAN

    Scope (per region)

    Subdomain namespace

    ADFS

    adfs.<region>.<fqdn>

    (SSL Certificate)

    ADFS

    <region>.<fqdn>

    Graph

    graph.<region>.<fqdn>

    (SSL Certificate)

    Graph

    <region>.<fqdn>