Note: All certificates that are listed in this section must have the same password.
If you plan to deploy the additional Azure Stack Hub PaaS services (SQL, MySQL, and App Service) after Azure Stack Hub has been deployed and configured, you must request additional certificates to cover the endpoints of the PaaS services.
Note: The certificates that you use for SQL, MySQL, and App Service resource providers must have the same root authority as those certificates used for the global Azure Stack Hub endpoints.
The following table describes the endpoints and certificates that are required for the SQL and MySQL adapters and for App Service. You do not need to copy these certificates to the Azure Stack Hub deployment folder. Instead, provide these certificates when you install the additional resource providers.
Table 17. Certificates and endpoints for additional PaaS services
| Certificate | Scope | Required certificate subject and SANs | Subdomain namespace |
|---|---|---|---|
| SQL and MySQL | SQL, MySQL | *.dbadapter.<region>.<fqdn> (Wildcard SSL Certificate) | dbadapter.<region>.<fqdn> |
| Web Traffic Default SSL Cert | App Service | *.appservice.<region>.<fqdn>, *.scm.appservice.<region>.<fqdn>, *.sso.appservice.<region>.<fqdn> (Multi Domain Wildcard SSL Certificate) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| API | App Service | api.appservice.<region>.<fqdn> (SSL Certificate) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| FTP | App Service | ftp.appservice.<region>.<fqdn> (SSL Certificate) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
| SSO | App Service | sso.appservice.<region>.<fqdn> (SSL Certificate) | appservice.<region>.<fqdn>, scm.appservice.<region>.<fqdn> |
Notes
Multi Domain Wildcard SSL Certificate: Requires one certificate with multiple wildcard SANs. Not all public certificate authorities support multiple wildcard SANs on a single certificate.
SSL Certificate: An *.appservice.<region>.<fqdn> wildcard certificate cannot be used in place of the following certificates: api.appservice.<region>.<fqdn>, ftp.appservice.<region>.<fqdn>, and sso.appservice.<region>.<fqdn>. App Service explicitly requires the use of separate certificates for these endpoints.
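The requirements in Table 17 and the notes above can be checked before the resource providers are installed. The following is an added example, not Microsoft or vendor tooling: it assumes the SAN list and a root CA identifier for each certificate have already been read out of the certificate files, and the function name, the `ExampleRootCA` identifiers, and the `east.stack.example.com` namespace are constructed for illustration.

```python
# Added example: pre-flight check of PaaS certificate SANs against Table 17.
REQUIRED = {  # certificate name -> required SAN templates ({r}=region, {f}=fqdn)
    "SQL and MySQL": ["*.dbadapter.{r}.{f}"],
    "Web Traffic Default SSL Cert": ["*.appservice.{r}.{f}",
                                     "*.scm.appservice.{r}.{f}",
                                     "*.sso.appservice.{r}.{f}"],
    "API": ["api.appservice.{r}.{f}"],
    "FTP": ["ftp.appservice.{r}.{f}"],
    "SSO": ["sso.appservice.{r}.{f}"],
}

def check_paas_certs(region, fqdn, certs, global_root):
    """certs: {name: {"sans": [...], "root": "<root CA identifier>"}} (assumed shape).
    Returns a list of problems; an empty list means every check passed."""
    problems = []
    for name, templates in REQUIRED.items():
        cert = certs.get(name)
        if cert is None:
            problems.append(f"{name}: certificate missing")
            continue
        sans = {s.lower() for s in cert["sans"]}  # DNS names compare case-insensitively
        for t in templates:
            want = t.format(r=region, f=fqdn).lower()
            if want in sans:
                continue
            wildcard = "*." + want.split(".", 1)[1]
            if not want.startswith("*.") and wildcard in sans:
                # api/ftp/sso need their own certificate; the wildcard is not accepted
                problems.append(f"{name}: wildcard {wildcard} cannot replace {want}")
            else:
                problems.append(f"{name}: SAN {want} not present")
        if cert["root"] != global_root:  # must chain to the same root as the global endpoints
            problems.append(f"{name}: root authority differs from global endpoints")
    return problems

# Constructed inventory: API reuses the wildcard, FTP chains to a different root.
D = "east.stack.example.com"
SAMPLE = {
    "SQL and MySQL": {"sans": ["*.dbadapter." + D], "root": "ExampleRootCA"},
    "Web Traffic Default SSL Cert": {"sans": [p + "appservice." + D for p in ("*.", "*.scm.", "*.sso.")], "root": "ExampleRootCA"},
    "API": {"sans": ["*.appservice." + D], "root": "ExampleRootCA"},
    "FTP": {"sans": ["ftp.appservice." + D], "root": "OtherRootCA"},
    "SSO": {"sans": ["sso.appservice." + D], "root": "ExampleRootCA"},
}

if __name__ == "__main__":
    for p in check_paas_certs("east", "stack.example.com", SAMPLE, "ExampleRootCA"): print(p)
```

The check covers names and root consistency only; the shared-password requirement has to be verified when the certificate files are exported.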
For more information about the public key infrastructure (PKI) certificates that are required to deploy Azure Stack Hub and how to obtain them, see Azure Stack Hub public key infrastructure certificate requirements on the Microsoft website.