I'm trying to wrap my brain around how many certificates I'm going to need for service fabric. I've read quite a bit from the product team and that's been really helpful, now I'm trying to distill that down to what I actually need given the following goals:
In order to create a secure cluster I'll need a valid certificate which will require a custom domain name.
Create a Service Fabric cluster in Azure using Azure Resource Manager
- The certificate must contain a private key.
- The certificate must be created for key exchange, exportable to a Personal Information Exchange (.pfx) file.
- The certificate's subject name must match the domain used to access the Service Fabric cluster. This matching is required to provide SSL for the cluster's HTTPS management endpoints and Service Fabric Explorer. You cannot obtain an SSL certificate from a certificate authority (CA) for the .cloudapp.azure.com domain. You must acquire a custom domain name for your cluster. When you request a certificate from a CA, the certificate's subject name must match the custom domain name used for your cluster.
Based on that, would it be correct to assume that I only need one cert and a custom domain to achieve the goals outlined above?
I'd like to follow any best practices on this, so if I'm in error, please provide feedback.
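As an added example (not code from the question, the answer, or Microsoft's documentation), the script below first builds a self-signed stand-in for the CA-issued certificate with the properties the quoted list requires, then checks a .pfx bundle against those same properties: a custom domain rather than a .cloudapp.azure.com name, a private key inside the bundle, and a subject CN or DNS SAN that equals the cluster's domain. It assumes the openssl command-line tool (1.1.1 or newer, for -addext) is on PATH; the host name sf.example.com, the password and the file paths are constructed placeholders. The "created for key exchange" item is a Windows certificate-store key-spec property that openssl does not express, so the script does not check it.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a test .pfx that
# meets the quoted requirements and checks any .pfx against them before it is
# uploaded to the cluster's Key Vault.
# Assumptions: openssl 1.1.1+ on PATH; sf.example.com, the password and the
# temp paths are constructed placeholders.

WORKDIR="$(mktemp -d)"
PFX_PASS="placeholder-password"   # constructed; a real cluster keeps this in Key Vault

# make_test_pfx HOST OUT_PFX
# Self-signed stand-in for the CA-issued certificate: subject CN and DNS SAN are
# both HOST, and the private key is bundled with it into a PKCS#12 (.pfx) file.
make_test_pfx() {
    host="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null \
    && openssl pkcs12 -export -in "$WORKDIR/cert.pem" -inkey "$WORKDIR/key.pem" \
        -out "$out" -passout "pass:$PFX_PASS"
}

# check_pfx_for_cluster PFX HOST
# Returns 0 only when all of the following hold:
#   1. HOST is a custom domain, not a name under .cloudapp.azure.com
#   2. the .pfx carries a private key
#   3. the certificate's subject CN or a DNS SAN equals HOST exactly
check_pfx_for_cluster() {
    pfx="$1"; host="$2"
    case "$host" in
        *.cloudapp.azure.com)
            echo "reject: $host is an Azure-provided name, not a custom domain"; return 1 ;;
    esac

    # 2. -nocerts extracts only the key; -nodes leaves it unencrypted inside the pipe
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo "reject: $pfx contains no private key"; return 1
    fi

    # 3. pull the leaf certificate out and compare names exactly (dots escaped and
    #    the name anchored, so sf.example.com does not match a longer name)
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        > "$WORKDIR/leaf.pem"
    esc="$(printf '%s' "$host" | sed 's/\./\\./g')"
    if openssl x509 -in "$WORKDIR/leaf.pem" -noout -subject -nameopt RFC2253 \
            | grep -Eq "CN=$esc(,|$)" \
       || openssl x509 -in "$WORKDIR/leaf.pem" -noout -text \
            | grep -Eq "DNS:$esc(,|$)"; then
        echo "ok: $pfx has a private key and names $host"; return 0
    fi
    echo "reject: certificate subject/SAN does not name $host"; return 1
}

# Demo run: one conforming bundle, checked against the right name and two wrong ones.
make_test_pfx sf.example.com "$WORKDIR/cluster.pfx"
check_pfx_for_cluster "$WORKDIR/cluster.pfx" sf.example.com
check_pfx_for_cluster "$WORKDIR/cluster.pfx" other.example.com || true
check_pfx_for_cluster "$WORKDIR/cluster.pfx" mycluster.westus.cloudapp.azure.com || true
```

The same check_pfx_for_cluster function can be pointed at a CA-issued .pfx (with PFX_PASS set to its real password) as a gate in the deployment pipeline: a non-zero exit stops the upload before a certificate with the wrong subject name or no private key reaches the cluster.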
AAD takes care of your client-to-node security, so the only certificate you'll need would be a Server certificate for node-to-node security. This is what they seem to recommend here as well, so you should be on the right track.