Install a certificate in a Service Fabric Cluster without a private key

I need to install a certificate in a Service Fabric cluster that I created using an ARM template. I was able to install a certificate with the private key using the following helper PowerShell command:

> Invoke-AddCertToKeyVault

https://github.com/ChackDan/Service-Fabric/tree/master/Scripts/ServiceFabricRPHelpers

Once this certificate is in Azure Key Vault I can modify my ARM template to install the certificate automatically on the nodes in the cluster:

"osProfile": {
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('vaultId')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "My",
                    "certificateUrl": "https://mykeyvault.vault.azure.net:443/secrets/fabrikam/9d1adf93371732434"
                }
            ]          
        }
    ]
}

The problem is that Invoke-AddCertToKeyVault expects me to provide a .pfx file, assuming I have the private key.

The script is creating the following JSON blob:

$jsonBlob = @{
    data = $base64
    dataType = 'pfx'
    password = $Password
} | ConvertTo-Json

I modified the script to remove the password and change dataType to 'cer', but when I deployed the template in Azure it said the dataType was no longer valid.

How can I deploy a certificate to a Service Fabric cluster that does not include the private key?

Dismissile asked Oct 19 '22 07:10

1 Answer

1) SF does not really care whether you used .cer or .pfx. All SF needs is for the certificate to be available in the local cert store on the VM.

2) The issue you are running into is that the CRP agent, which installs the cert from the Key Vault into the local cert store on the VM, supports only .pfx today.

So now you have two options:

1) Create a .pfx file without a private key and use it.

Here is how to do it via C# (or PowerShell): load the certificate into an X509Certificate2 object, then use the Export method with X509ContentType = Pfx: https://msdn.microsoft.com/en-us/library/24ww6yzk(v=vs.110).aspx

2) Deploy the .cer using a custom VM extension. Since a .cer is only a public-key cert, there should be no privacy requirements. You can just upload the cert to a blob and have a custom script extension download it and install it on the machine.

chacko-AMZN answered Nov 01 '22 19:11
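Option 1 from the answer, as an added PowerShell example (not the helper script's own code): build a PFX that carries only the public certificate, confirm it really has no private key, and wrap it in the same `{data, dataType, password}` JSON blob the helper writes, base64-encoded as a Key Vault secret value. The function name, the `.cer` path and the empty password are assumptions.

```powershell
function New-PublicOnlyPfxBlob {
    param(
        [Parameter(Mandatory)] [string]$CerPath,   # assumed: a public-only .cer (DER or Base64)
        [string]$PfxPassword = ''                  # nothing to protect here; kept so the blob keeps its 'password' field
    )

    # Load the public certificate. A cert loaded from a .cer has HasPrivateKey = $false.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    if ($cert.HasPrivateKey) {
        throw "Expected a public-only certificate, but '$CerPath' carries a private key."
    }

    # Export as PKCS#12/PFX. With no private key present the container holds only the certificate,
    # which is what the CRP agent accepts (it rejects dataType 'cer').
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPassword)

    # Round-trip check: re-import the PFX and verify it is the same cert and still has no private key.
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @($pfxBytes, $PfxPassword)
    if ($check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
        throw 'PFX round-trip check failed: thumbprint mismatch or unexpected private key.'
    }

    # Same blob shape as Invoke-AddCertToKeyVault, but built from the public-only PFX.
    $jsonBlob = @{
        data     = [Convert]::ToBase64String($pfxBytes)
        dataType = 'pfx'
        password = $PfxPassword
    } | ConvertTo-Json

    # Key Vault secret value: the JSON blob, base64-encoded as a whole.
    return [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($jsonBlob))
}

$secretValue = New-PublicOnlyPfxBlob -CerPath '.\fabrikam.cer'   # assumed input path
```

Store `$secretValue` as the Key Vault secret the same way the helper script does, then point the ARM template's `certificateUrl` at that secret; the installed cert will appear in the `My` store without a private key.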