This is step 1 of 10 in the post series “How-To: Installing a secure Azure Service Fabric Cluster (ASF) with an Azure Resource Manager (ARM) template” and running the ARM template from Visual Studio Team Services (VSTS) in a CI/CD pipeline. In this step we create self-signed certificates and import them with PowerShell.
Overview of the steps:
- 01. Create and import the certificates
- 02. Register SF Application in AAD and create AppKey
- 03. Generate encrypted AppKey
- 04. Lookup the service principles
- 05. Create the Key Vaults with ARM
- 06. Adjust the SF Application settings
- 07. Upload certificates to Key Vault
- 08. Register the Service Fabric System Applications
- 09. Install SF Cluster with ARM
Step 01: Create self-signed certificates and import them into the certificate store on your local computer
We need 2 certificates:
- SF Cluster certificate, which is necessary to access the Service Fabric Explorer site;
- Data Encipherment certificate, which is necessary to encrypt the AppKey of the applications.
For non-production environments, it is possible to use self-signed certificates. For production, it is highly recommended to use certificates trusted by a root certificate authority.
The first certificate must meet the following requirements:
- The certificate must contain a private key.
- The certificate must be created for key exchange, which is exportable to a Personal Information Exchange (.pfx) file.
- The certificate’s subject name must match the domain that you use to access the Service Fabric cluster. This matching is required to provide SSL/TLS for the cluster’s HTTPS management endpoints and Service Fabric Explorer.
Create self-signed certificates:
- Open PowerShell
- Run the next command:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "<dnsname>.westeurope.cloudapp.azure.com" -NotAfter (Get-Date).AddMonths(60)
This certificate is valid for 5 years (60 months). Replace <dnsname> with your own DNS name; this must be the name you are going to use for the secure Service Fabric Cluster.
The result shows the thumbprint, which we need to export the certificate.
- Run the command:
Export-PfxCertificate -cert cert:\localMachine\my\C7E29EDAA6E967D51EDFF257BEF9B5D6DD207DF9 -FilePath D:\temp\Blog\ASFExplorer.pfx -Password (ConvertTo-SecureString -String "TodayIsMondayNovember" -Force -AsPlainText)
At FilePath enter your own path where you want to store the certificate. At Password enter of course your own password.
- We do the same for the certificate that we will later use to encrypt the AppKey of the application we are installing on our secure Service Fabric Cluster. The DnsName doesn’t really matter, but pick a meaningful name. Run command:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname "DataEncipherment"
- Run command:
Export-PfxCertificate -cert cert:\localMachine\my\3AE394FA9340D2CE09E240D2C17EB8883A12CBFC -FilePath D:\temp\Blog\ASFDataEncipherment.pfx -Password (ConvertTo-SecureString -String "TodayIsMondayNovember" -Force -AsPlainText)
At FilePath enter your own path where you want to store the certificate. At Password enter of course your own password.
- Go to the location of the DataEncipherment certificate, in my case D:\temp\Blog\ASFDataEncipherment.pfx, and double-click on it. Select Current User, enter the password (in my case ‘TodayIsMondayNovember’) and accept the default settings. Do the same for the other certificate, otherwise you will not be able to see the Explorer site of the Service Fabric Cluster.
- Write down both thumbprints of the certificates; you need them later.
The certificates are now in the certificate store on our computer, and we have .pfx copies which we can later upload to Azure Key Vault.
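The whole of step 01 as one script, as an added example that is not part of the original post: it creates both certificates, exports them, imports them into the Current User store and prints the thumbprints, so nothing is copied by hand. $DnsPrefix, $OutDir and the prompted password are placeholders you replace; the -KeyUsage DataEncipherment parameter on the second certificate is an addition not used in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: step 01 end to end. $DnsPrefix / $OutDir are placeholders (not from the post).
param(
    [string]$DnsPrefix = "<dnsname>",   # placeholder: the name of your secure cluster
    [string]$OutDir    = "D:\temp\Blog"  # placeholder: where the .pfx files are written
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt for the PFX password instead of leaving it in the script or the shell history.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# 1. Cluster certificate: subject must match the DNS name used to reach the cluster,
#    and the key must be an exportable key-exchange key (the requirements listed above).
$clusterCert = New-SelfSignedCertificate `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -DnsName "$DnsPrefix.westeurope.cloudapp.azure.com" `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddMonths(60)

# 2. Data encipherment certificate, used later to encrypt the AppKey.
#    -KeyUsage DataEncipherment is an addition here; the post creates it with defaults.
$dataCert = New-SelfSignedCertificate `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -DnsName "DataEncipherment" `
    -KeyUsage DataEncipherment `
    -KeySpec KeyExchange `
    -KeyExportPolicy Exportable

# 3. Export both with their private keys; the returned certificate object already
#    carries the thumbprint, so it is never retyped.
$exports = @{ "ASFExplorer.pfx" = $clusterCert; "ASFDataEncipherment.pfx" = $dataCert }
foreach ($file in $exports.Keys) {
    $cert = $exports[$file]
    $path = Join-Path $OutDir $file
    Export-PfxCertificate -Cert $cert -FilePath $path -Password $pfxPassword | Out-Null

    # 4. Same effect as double-clicking the .pfx and choosing "Current User".
    $imported = Import-PfxCertificate -FilePath $path `
        -CertStoreLocation "Cert:\CurrentUser\My" -Password $pfxPassword

    # 5. Check what the later steps depend on: a private key is present and the
    #    thumbprint in the user store matches the one in the machine store.
    if (-not $imported.HasPrivateKey -or $imported.Thumbprint -ne $cert.Thumbprint) {
        throw "Import check failed for $file"
    }
    "{0,-25} {1}  expires {2:yyyy-MM-dd}" -f $file, $cert.Thumbprint, $cert.NotAfter
}
```

The two printed thumbprints are the values the later steps ask you to write down.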