Using AzsReadinessChecker To Generate Certificate Signing Request for Azure Stack

My experience with Azure Stack until recently has all been around the ASDK (Azure Stack Development Toolkit).  Recently we received our first multi-node Azure Stack from our Partner and OEM Dell EMC.  My next few blogs are more than likely going to focus on my experiences and lessons learned around our integration and configuration of our first 4 node integrated system.

As with all the previous blogs I really want to point out that your best source of information for Azure Stack is the Microsoft Documentation.  That team does some great work at keeping those documents updated and relevant.  This blog is no different.

https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-get-pki-certs

This was a simple process, even for someone like me who hardly ever deals with PKI certificates.

Here is the PowerShell Script that I used in order to generate the CSR that our Public CA vendor will use to create the needed certificates.

Install-Module Microsoft.AzureStack.ReadinessChecker
$subjectHash = [ordered]@{"OU"="AzureStack";"O"="Turner Cloud";"L"="Kerens";"ST"="Texas";"C"="US"}
$outputDirectory = "C:\AzureStackCSR"
$regionName = 'texas'
$externalFQDN = 'azurestack.turner.cloud'
# Generate a single certificate request with multiple Subject Alternative Names, including the PaaS services:
Start-AzsReadinessChecker -RegionName $regionName -FQDN $externalFQDN -Subject $subjectHash -RequestType SingleCSR -OutputRequestPath $outputDirectory -IncludePaaS -IdentitySystem AAD

I would like to point out that, currently, the Microsoft documentation doesn't include the -IdentitySystem parameter in its examples.  The available values are AAD or ADFS.  It has been reported, and hopefully by the time I publish this blog it will have been added.

You may also need to use the -Force parameter if the Microsoft.AzureStack.ReadinessChecker module isn't current.  If you don't, it will not continue and will actually suggest that you add -Force to the end of Install-Module Microsoft.AzureStack.ReadinessChecker.

For example:

Install-Module Microsoft.AzureStack.ReadinessChecker -Force

The $subjectHash variable is more informational.  This I learned by actually asking smarter people.  :)

$subjectHash = [ordered]@{"OU"="AzureStack";"O"="Turner Cloud";"L"="Kerens";"ST"="Texas";"C"="US"}

OU –  Organizational Unit: a description of something like a department or the team responsible.
O  –  Organization: your organization or company.
L  –  Locality: the location of your organization.
ST –  State: the state of your organization.
C  –  Country: the country of your organization.

For some people that is all pretty self-explanatory.  For some of us, it took a few clicks here and there to find out.

The $outputDirectory variable is just the location where the script writes the files it creates.

$outputDirectory = "C:\AzureStackCSR"

The $regionName variable is the region name that you will use for your Stack.  For instance, East, CentralUS, etc.

$regionName = 'texas'

The $externalFQDN variable is the FQDN for your external domain.  For example, I added a subdomain to my external domain, so my entire domain for my tenant portal at this point would be https://portal.texas.azurestack.turner.cloud

$externalFQDN = 'azurestack.turner.cloud'

The next line actually takes all the above variables and runs the Start-AzsReadinessChecker.

Start-AzsReadinessChecker -RegionName $regionName -FQDN $externalFQDN -Subject $subjectHash -RequestType SingleCSR -OutputRequestPath $outputDirectory -IncludePaaS -IdentitySystem AAD

As I mentioned above you will need to add the parameter -IdentitySystem and choose either AAD or ADFS depending on which Identity you will be using for your Stack.

Also, there are two other important things to mention.

-IncludePaaS will include the needed PaaS solution certificates in the CSR.  I do need to double check, and I will update this blog or my next with the information.  I did read someplace that the following endpoints can't be included in a wildcard and need their own dedicated certificate:

api.appservice.texas.azurestack.turner.cloud
ftp.appservice.texas.azurestack.turner.cloud
sso.appservice.texas.azurestack.turner.cloud

Also, if you want to produce a single CSR, the -RequestType parameter value will be SingleCSR.  If you want to have a separate CSR for each certificate, you will need to change that value to MultipleCSR.
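Putting the steps above together, here is an added example (my own wrapper, not code from the original post or from Microsoft) that checks the module version before running, validates the region name and FQDN because both end up inside DNS names, supports either request type, and returns the .req files it produced so you can review them before they go to the CA.  The function name New-AzsCsrRequest and the version comparison through Get-InstalledModule and Find-Module are my assumptions; Start-AzsReadinessChecker and its parameters are the ones the post already uses.

```powershell
# Added example wrapper around the post's CSR generation (not from the original post).
# Assumes PowerShellGet (Install-Module / Get-InstalledModule / Find-Module) and access to the PowerShell Gallery.
function New-AzsCsrRequest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $RegionName,
        [Parameter(Mandatory)] [string] $ExternalFQDN,
        [Parameter(Mandatory)] [System.Collections.Specialized.OrderedDictionary] $Subject,
        [ValidateSet('SingleCSR', 'MultipleCSR')] [string] $RequestType = 'SingleCSR',
        [ValidateSet('AAD', 'ADFS')] [string] $IdentitySystem = 'AAD',
        [string] $OutputDirectory = 'C:\AzureStackCSR',
        [switch] $IncludePaaS
    )

    # Both values become part of the DNS names in the CSR, so reject anything that is not a plain label / host name.
    if ($RegionName -notmatch '^[A-Za-z0-9]+$') {
        throw "RegionName '$RegionName' must be letters and digits only (it becomes a DNS label)."
    }
    if ($ExternalFQDN -notmatch '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$') {
        throw "ExternalFQDN '$ExternalFQDN' does not look like a valid DNS name."
    }

    # Install or refresh the readiness checker. -Force is what the module suggests when an older version is present.
    $moduleName = 'Microsoft.AzureStack.ReadinessChecker'
    $installed  = Get-InstalledModule -Name $moduleName -ErrorAction SilentlyContinue
    $latest     = Find-Module -Name $moduleName
    if (-not $installed -or ([version]$installed.Version -lt [version]$latest.Version)) {
        Install-Module $moduleName -Force
    }
    Import-Module $moduleName

    if (-not (Test-Path $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }

    # Splat the parameters exactly as the post's one-liner passes them.
    $params = @{
        RegionName        = $RegionName
        FQDN              = $ExternalFQDN
        Subject           = $Subject
        RequestType       = $RequestType
        OutputRequestPath = $OutputDirectory
        IdentitySystem    = $IdentitySystem
    }
    if ($IncludePaaS) { $params['IncludePaaS'] = $true }

    Start-AzsReadinessChecker @params

    # Hand back the request files, newest first, so the caller can inspect them before submitting to the CA.
    Get-ChildItem -Path $OutputDirectory -Filter '*.req' | Sort-Object LastWriteTime -Descending
}

# Usage with the values from the post:
$subjectHash = [ordered]@{ "OU" = "AzureStack"; "O" = "Turner Cloud"; "L" = "Kerens"; "ST" = "Texas"; "C" = "US" }
New-AzsCsrRequest -RegionName 'texas' -ExternalFQDN 'azurestack.turner.cloud' -Subject $subjectHash `
    -RequestType SingleCSR -IdentitySystem AAD -IncludePaaS
```

Switching -RequestType to MultipleCSR gives you one .req per certificate, and the same function returns all of them.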

Run the PowerShell script and you should see the following results:

For the SingleCSR:

(Screenshot: output of the SingleCSR run)

In your AzureStackCSR directory, you will now have a REQ file that you can import into your Public Cert vendor.

portal_texas_azurestack_turner_cloud_CertRequest_20180502164100.req

For the MultipleCSR:

(Screenshot: output of the MultipleCSR run)

In your AzureStackCSR directory, you will now have multiple REQ files that you can import into your Public Cert vendor.

(Screenshot: the generated CSR files)

At this point, you now have the needed CSRs to take to your Public CA supplier.
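Before handing the files to the CA it is worth confirming what names the request actually asks for.  The following is an added example of mine (not from the original post) that dumps each .req with certutil, pulls out the DNS Subject Alternative Names, and reports for each expected host name whether it is present literally, only covered by a wildcard entry, or missing.  The three App Service endpoints from above are the names you most want to see as literal entries (or on their own request) rather than as WildcardOnly.  Assumptions: certutil.exe is available (it ships with Windows) and prints request SANs as "DNS Name=<host>" lines; the function names and the C:\AzureStackCSR path are taken from this post's setup.

```powershell
# Added example (not from the original post): review the SANs in generated CSR files before submitting them.
# Assumes certutil.exe is on the PATH and emits "DNS Name=<host>" lines for the Subject Alternative Name extension.
function Get-CsrDnsNames {
    param([Parameter(Mandatory)] [string] $Path)
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil failed on '$Path': $dump" }
    $dump | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(\S+)') { $Matches[1].ToLowerInvariant() }
    }
}

# A wildcard matches exactly one label: *.texas.example.com covers portal.texas.example.com
# but not api.appservice.texas.example.com.
function Test-WildcardMatch {
    param([string] $Pattern, [string] $HostName)
    if (-not $Pattern.StartsWith('*.')) { return $false }
    $suffix = $Pattern.Substring(1)   # e.g. ".texas.example.com"
    return $HostName.EndsWith($suffix) -and
           ($HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.')
}

function Test-CsrCoverage {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $RequiredHosts
    )
    $names = @(Get-CsrDnsNames -Path $Path)
    foreach ($required in $RequiredHosts) {
        $h = $required.ToLowerInvariant()
        $status = if ($names -contains $h) { 'Literal' }
                  elseif ($names | Where-Object { Test-WildcardMatch -Pattern $_ -HostName $h }) { 'WildcardOnly' }
                  else { 'Missing' }
        [pscustomobject]@{ Host = $h; Status = $status; File = (Split-Path $Path -Leaf) }
    }
}

# Usage with the post's naming. The App Service endpoints should appear as 'Literal' somewhere
# across the generated files; 'WildcardOnly' or 'Missing' means the request needs a second look.
$region = 'texas'
$fqdn   = 'azurestack.turner.cloud'
$required = @(
    "portal.$region.$fqdn",
    "api.appservice.$region.$fqdn",
    "ftp.appservice.$region.$fqdn",
    "sso.appservice.$region.$fqdn"
)
Get-ChildItem -Path 'C:\AzureStackCSR' -Filter '*.req' | ForEach-Object {
    Test-CsrCoverage -Path $_.FullName -RequiredHosts $required
} | Format-Table -AutoSize
```

With a MultipleCSR run the same loop reports per file, which makes it easy to see which request carries which host name.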


In Part II and Part III I will talk about preparing the PKI certificates and also validating those PKI certificates using the same AzsReadinessChecker tool provided by Microsoft.

Posted in Azure Stack