Microsoft Azure Stack Hub has a public infrastructure network that contains the externally accessible or public IP addresses that are assigned to a small set of Azure Stack Hub services, with the remainder used by the tenant VMs. Provide certificates with the appropriate DNS names for these Azure Stack Hub public infrastructure endpoints.
There are some certificate restrictions in the current Azure Stack Hub version. The certificate requirements for deploying Azure Stack Hub are:
- Certificates must be issued from either an internal certificate authority or a public certificate authority. If a public certificate authority is used, it must be included in the base operating-system image as part of the Microsoft Trusted Root Authority Program. For the full list, see TechNet Microsoft Trusted Root Certificate Program: Participants.
- Your Azure Stack Hub infrastructure must have network access to the certificate authority Certificate Revocation List (CRL) location published in the certificate. This CRL must be an HTTP endpoint.
- When you rotate certificates, certificates must be either issued from the same internal certificate authority that is used to sign certificates that are provided at deployment or any public certificate authority from the CRL.
- The certificate can be a single wildcard certificate covering all name spaces in the Subject Alternative Name (SAN) field. Alternatively, you can use individual certificates using wildcards for endpoints, such as ACS and Key Vault, where they are required.
- The certificate signature algorithm cannot be SHA1; it must be stronger.
- The certificate format must be PFX, because both the public and private keys are required for an Azure Stack Hub installation.
- The certificate PFX files must have the values Digital Signature and KeyEncipherment in the Key Usage field.
- The certificate PFX files must have the values Server Authentication (18.104.22.168.22.214.171.124.1) and Client Authentication (126.96.36.199.188.8.131.52.2) in the Enhanced Key Usage field.
- The certificate Issued to: field must not be the same as its Issued by: field.
- The passwords to all certificate PFX files must be the same at the time of deployment.
- The password for the certificate PFX must be a complex password.
- The subject names and subject alternative names in the SAN extension (x509v3_config) must match. The subject alternative names field enables you to specify additional host names (websites, IP addresses, common names) that are to be protected by a single SSL certificate.
Note: The use of self-signed certificates is not supported. Instead, the presence of intermediary certificate authorities in a certificate chain-of-trust is supported.