The following table describes the Microsoft Azure Stack Hub public endpoint PKI certificates that are required for both AAD and ADFS Azure Stack Hub deployments. Certificate requirements are grouped by area, namespaces used, and the certificates that are required for each namespace. The table also describes the folder in which your solution provider copies the different certificates per public endpoint.
| Deployment folder | Required certificate subject and SAN | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| ACSBlob | *.blob.<region>.<fqdn> (Wildcard SSL Certificate) | Blob Storage | blob.<region>.<fqdn> |
| ACSTable | *.table.<region>.<fqdn> (Wildcard SSL Certificate) | Table Storage | table.<region>.<fqdn> |
| ACSQueue | *.queue.<region>.<fqdn> (Wildcard SSL Certificate) | Queue Storage | queue.<region>.<fqdn> |
| KeyVault | *.vault.<region>.<fqdn> (Wildcard SSL Certificate) | Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal | *.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) | Internal Keyvault | adminvault.<region>.<fqdn> |
| Extension Host | *.hosting.<region>.<fqdn> (Wildcard SSL Certificate) | Extension Host | hosting.<region>.<fqdn> |
| Extension Host | *.adminhosting.<region>.<fqdn> (Wildcard SSL Certificate) | Extension Host | adminhosting.<region>.<fqdn> |
Use certificates with the appropriate DNS names for each Azure Stack Hub public infrastructure endpoint. Each endpoint DNS name is expressed in the following format: <prefix>.<region>.<fqdn>.
For your deployment, the <region> and <fqdn> values must match the region name and external domain name that you choose for your Azure Stack Hub system. For example, if the region name is "Redmond" and the external domain name is "company.com", the DNS names have the format <prefix>.redmond.company.com. Microsoft predesignates the <prefix> values to describe the endpoint that is secured by the certificate; the <prefix> value of each external infrastructure endpoint depends on the Azure Stack Hub service that uses that endpoint.
For Azure Stack Hub environments on pre-1803 release versions, see the following table. If you deploy Azure Stack Hub using the AAD deployment mode, you only need to request the certificates listed.
| Deployment folder | Required certificate subject and SAN | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| Public Portal | portal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Admin Portal | adminportal.<region>.<fqdn> | Portals | <region>.<fqdn> |
| Azure Resource Manager Public | management.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| Azure Resource Manager Admin | adminmanagement.<region>.<fqdn> | Azure Resource Manager | <region>.<fqdn> |
| ACS | One multi-subdomain wildcard certificate with Subject Alternative Names for: *.blob.<region>.<fqdn>, *.queue.<region>.<fqdn>, *.table.<region>.<fqdn> | Storage | blob.<region>.<fqdn>, table.<region>.<fqdn>, queue.<region>.<fqdn> |
| KeyVault | *.vault.<region>.<fqdn> (Wildcard SSL Certificate) | Key Vault | vault.<region>.<fqdn> |
| KeyVaultInternal | *.adminvault.<region>.<fqdn> (Wildcard SSL Certificate) | Internal Keyvault | adminvault.<region>.<fqdn> |
However, if you deploy Azure Stack Hub using the ADFS deployment mode, you must also request the certificates that are described in the following table.
| Deployment folder | Required certificate subject and SAN | Scope (per region) | Subdomain namespace |
|---|---|---|---|
| ADFS | adfs.<region>.<fqdn> (SSL Certificate) | ADFS | <region>.<fqdn> |
| Graph | graph.<region>.<fqdn> (SSL Certificate) | Graph | <region>.<fqdn> |
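The naming rule (<prefix>.<region>.<fqdn>) and the per-folder tables above are easy to get subtly wrong when requesting certificates, most often by assuming a region-level wildcard covers the storage, Key Vault and Extension Host namespaces, which sit one DNS label deeper. The script below is an added example, not Microsoft's validation tooling: it transcribes the deployment folders and <prefix> values from the 1803-and-later and ADFS tables, expands them for a chosen region and FQDN, and checks a certificate's SAN list against the required names using the one-label wildcard rule. The region, FQDN and SAN lists at the bottom are constructed sample values.

```python
"""Expected Azure Stack Hub public endpoint names and a SAN coverage check.

Added example, not Microsoft's tooling. ENDPOINTS_* transcribe the tables on
this page; every region, FQDN and SAN value used below is a constructed sample.
"""

# Deployment folder -> endpoint prefixes (1803 and later). A "*." prefix means
# that folder needs a wildcard SSL certificate for the namespace.
ENDPOINTS_1803 = {
    "Public Portal": ["portal"],
    "Admin Portal": ["adminportal"],
    "Azure Resource Manager Public": ["management"],
    "Azure Resource Manager Admin": ["adminmanagement"],
    "ACSBlob": ["*.blob"],
    "ACSTable": ["*.table"],
    "ACSQueue": ["*.queue"],
    "KeyVault": ["*.vault"],
    "KeyVaultInternal": ["*.adminvault"],
    "Extension Host": ["*.hosting", "*.adminhosting"],
}

# Endpoints an ADFS deployment must request in addition to the ones above.
ENDPOINTS_ADFS = {
    "ADFS": ["adfs"],
    "Graph": ["graph"],
}


def required_names(region, fqdn, identity="AAD"):
    """Return {deployment folder: [required subject/SAN names]}.

    Names follow <prefix>.<region>.<fqdn>. DNS names are case-insensitive,
    so region and FQDN are normalised to lower case.
    """
    region, fqdn = region.lower(), fqdn.lower()
    folders = dict(ENDPOINTS_1803)
    if identity.upper() == "ADFS":
        folders.update(ENDPOINTS_ADFS)
    return {folder: [f"{prefix}.{region}.{fqdn}" for prefix in prefixes]
            for folder, prefixes in folders.items()}


def san_matches(san, name):
    """Does one SAN entry cover one required name?

    Wildcard rule (RFC 6125 style): '*' stands for exactly one leftmost label,
    so *.redmond.company.com covers portal.redmond.company.com but not
    x.blob.redmond.company.com. A required wildcard name (storage, Key Vault,
    Extension Host) is therefore only covered by that same wildcard entry.
    """
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*.") or not san.startswith("*."):
        return san == name
    if "." not in name:
        return False
    return name.split(".", 1)[1] == san[2:]


def missing_names(san_list, names):
    """Return the required names that no entry in san_list covers."""
    return [name for name in names
            if not any(san_matches(san, name) for san in san_list)]


if __name__ == "__main__":
    required = required_names("Redmond", "company.com", identity="ADFS")
    for folder, names in required.items():
        print(f"{folder:32} {', '.join(names)}")

    # Constructed SAN list in the pre-1803 ACS style: one multi-subdomain
    # wildcard certificate covering all three storage namespaces.
    acs_sans = ["*.blob.redmond.company.com", "*.queue.redmond.company.com",
                "*.table.redmond.company.com"]
    storage = required["ACSBlob"] + required["ACSTable"] + required["ACSQueue"]
    print("ACS missing:", missing_names(acs_sans, storage))

    # A single region-level wildcard covers the portal and Resource Manager
    # names but none of the wildcard namespaces one label deeper.
    region_wildcard = ["*.redmond.company.com"]
    print("Portal missing:", missing_names(region_wildcard, required["Public Portal"]))
    print("Blob missing:", missing_names(region_wildcard, required["ACSBlob"]))
```

To use this against a real certificate, feed `missing_names()` the Subject Alternative Name entries extracted from the file (for example with `openssl x509 -noout -ext subjectAltName`) together with the names for the folder that certificate is destined for; an empty result means that folder's requirement is met.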