Preparing and Validating Azure Stack Certificates

In one of my previous blogs, “Using AzsReadinessChecker To Generate Certificate Signing Request for Azure Stack,” we used the Azure Stack Readiness Checker to generate the certificate signing requests (CSRs) that we then took to our public Certificate Authority. We now have our certificates issued and downloaded and are ready to move forward.


Reference Articles:

Certificate Requirements:

Generate PKI Certificates:

Preparing Azure Stack PKI Certificates:

Validating PKI Certificates:


Step I – Preparing The Azure Stack PKI Certificates

Importing Certificates:

The first thing we need to do is prepare the downloaded certificates for deployment. I used DigiCert’s Certificate Utility for Windows for this process. I will walk through the process within the Microsoft Documentation as well. The only difference I noticed between the DigiCert process and the documented process below is that all of the certificates showed up in the Personal Certificate location and not in the Enterprise Trust location.

The Microsoft Documented process:

  1. Copy all 9 of the mandatory certificates obtained from my Certificate Authority to a directory on the same machine that was used to create the CSRs.
  2. Install the certificate by right-clicking and selecting Install.
  3. Select the Enterprise Trust store.
  4. Click Finish.

The DigiCert Utility Tool process:

  1. First, download and install the Utility from DigiCert’s website.
  2. Next, log in using your DigiCert account. Check the Show completed orders box. A listing of all your ordered certificates should show.
  3. Click Install next to one of your certificates. The next prompt will verify that the CSR created earlier is on the current box and then install the certificate for you.
  4. Click the SSL icon and click Refresh.  You should now start seeing the certificates that you just installed.


Export The Certificates

Next, we need to export the certificates. The DigiCert utility has an export process as well, but I went with the Microsoft Documentation for this step.

  1. Open the MMC and add the Certificates snap-in using Computer Account.
  2. Browse to either Enterprise Trust or Personal Certificate location.  Verify that the certificates are listed.
  3. Right-click the certificate, click on All Tasks, then select Export. Click on Next.
  4. Select Yes, Export the Private Key and click on Next.
  5. Select Export all Extended Properties and click Next.
  6. Enter a Password and click Next.
    Note:  Make sure you use the same password for all certificates.
  7. Select a location where you want to save the exported certificate. Name the file, then click Next.
  8. Click Finish and you have your new Certificate that will be validated later.  Repeat the process for the remaining certs.


Step II – Validating The PKI Certificates

Now that we have all the certificates, we need to validate them using the Azure Stack Readiness Checker. This is the same tool that we used to create the CSRs in my previous blog, “Using AzsReadinessChecker To Generate Certificate Signing Request for Azure Stack.”

The first step is to make sure you have the Readiness Checker installed.  That can be done by running the following PowerShell cmdlet:

Install-Module Microsoft.AzureStack.ReadinessChecker

Next, we will create the directory structure.  The following PowerShell script will do this for us.  I left mine in the default directory C:\Certificates.  This can be changed if needed within the script below:

New-Item C:\Certificates -ItemType Directory

$directories = 'ACSBlob','ACSQueue','ACSTable','ADFS','Admin Portal','ARM Admin','ARM Public','Graph','KeyVault','KeyVaultInternal','Public Portal'

$destination = 'c:\certificates'

$directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force}

You should get a result like this:

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/4/2018   3:19 PM                Certificates

    Directory: C:\certificates

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/4/2018   3:19 PM                ACSBlob
d-----         5/4/2018   3:19 PM                ACSQueue
d-----         5/4/2018   3:19 PM                ACSTable
d-----         5/4/2018   3:19 PM                ADFS
d-----         5/4/2018   3:19 PM                Admin Portal
d-----         5/4/2018   3:19 PM                ARM Admin
d-----         5/4/2018   3:19 PM                ARM Public
d-----         5/4/2018   3:19 PM                Graph
d-----         5/4/2018   3:19 PM                KeyVault
d-----         5/4/2018   3:19 PM                KeyVaultInternal
d-----         5/4/2018   3:19 PM                Public Portal

Place the certificates that we created in the correct directories.

Note:  If you are using AAD for your Identity remove the Graph and ADFS folders from your folder structure.
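
Before running the checker, a quick pre-flight pass over the folder structure can catch a PFX exported without its private key or with a different password. The following PowerShell is an added example, not part of the original post or of the Readiness Checker module; it assumes the default C:\Certificates root, exactly one .pfx per folder, and the single shared export password from the export steps above.

```powershell
# Added example: pre-flight check of the certificate folders.
# Assumptions: root is C:\Certificates, one .pfx per folder, one shared password.
$root        = 'C:\Certificates'
$pfxPassword = Read-Host -Prompt 'Enter PFX Password' -AsSecureString

$report = foreach ($dir in Get-ChildItem -Path $root -Directory) {
    $pfx = @(Get-ChildItem -Path $dir.FullName -Filter '*.pfx' -File)
    $row = [ordered]@{
        Folder = $dir.Name; PfxCount = $pfx.Count; Opens = $false
        HasPrivateKey = $false; Subject = $null; NotAfter = $null; Problem = $null
    }
    if ($pfx.Count -ne 1) {
        $row.Problem = "expected exactly one .pfx, found $($pfx.Count)"
    }
    else {
        try {
            # Load the PFX from disk; it is not added to any certificate store.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfx[0].FullName, $pfxPassword)
            $row.Opens         = $true
            $row.HasPrivateKey = $cert.HasPrivateKey
            $row.Subject       = $cert.Subject
            $row.NotAfter      = $cert.NotAfter
            if (-not $cert.HasPrivateKey) {
                $row.Problem = 'exported without the private key'
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $row.Problem = 'certificate has expired'
            }
            $cert.Reset()   # release the loaded certificate and key handle
        }
        catch {
            # A wrong password or a damaged file ends up here.
            $row.Problem = "cannot open with the shared password: $($_.Exception.Message)"
        }
    }
    [pscustomobject]$row
}

$report | Format-Table Folder, PfxCount, Opens, HasPrivateKey, NotAfter, Problem -AutoSize

# Folders with a non-empty Problem need attention before validation.
$bad = @($report | Where-Object Problem)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) folder(s) need attention before running the readiness checker."
}
```

This only checks the basics (file count, password, private key, expiry); the Readiness Checker run below remains the actual validation.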

Next, run the following PowerShell script to start the AzsReadinessChecker.  Make sure you change the -RegionName and -FQDN parameters to match what you have.

$pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString

Start-AzsReadinessChecker -CertificatePath c:\certificates -pfxPassword $pfxPassword -RegionName texas -FQDN -IdentitySystem AAD

Your results should return something like this:



At this point, we are ready to hand these certificates over to Dell EMC, our OEM and partner, so they can deploy our multinode Azure Stack.
