Certificate based Azure VPN Connection - How Does it work? - azure

I followed this link https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps#Certificates to create a VPN in Azure. So,
I created a root certificate and uploaded to management portal.
Used PS script to create the VPN
Created client certificate and installed the VPN Client package.
My VPN is working as expected. My question is now can I delete this certificate from management store now ? Is it must to upload the certificate to management store to create this VPN ? How does the authentication works in this case ?

My question is now can I delete this certificate from management store
now ?
By default, we can't delete this certificate.
Is it must to upload the certificate to management store to create
this VPN ?
Yes, we have to upload the certificate to it, it is a by design behavior.
We can publish our public certificate to Internet, we only should keep the private certificate.
How does the authentication works in this case ?
Here a blog about how does certificate-based authentication work, please refer to this link.

you cannot delete the root certificate that you uploaded to Azure. It is used to authenticate the certificates presented by the connecting clients.

Related

Can't deploy to secured Service Fabric cluster from VS

I've created a secured SF cluster from the portal, but I can't connect to the explorer from the browser or deploy my app from VS. I have the cluster certificate (the one it makes you create on a Key Vault when you first deploy the cluster) installed on my machine. I got the .pfx file from the Key Vault and installed it on my Windows machine both with double click/wizard and with Powershell Import-PfxCertificate cmdlet.
Still after that, VS says Failed to contact the server. Please try again later or get help from "How to configure secure connections"
I tried added an client "admin" certificate, but it only asks me for the Thumbprint or the subject name, where I put the ones from the previously created cluster certificate. I don't really know if I need to buy a client certificate to make it work, or where do I get it?
And as I said, I can't access to the explorer using the browser either. Any ideas?
Here some screenshots:
This error message might be:
- The certificate issuer authority is not trusted
- because the certificate you installed is not valid or does not target the domain you are trying to access.
if the certificate issuer is not trusted, you might have to:
Trust then, please see this link
Or, get a new certificate from a trusted and execute the steps below
If the certificate is invalid, or misconfigured:
The message is chrome telling you that the certificate is not valid, and you can proceed on your own risk. You should be okay if you click Proceed to xyz.dev.eastus.cloudapp.com.
To deploy applications from Visual Studio to the cluster, you have to install the PFX certificate in the machine, and add the thumbprint to the publish profile file. See more in this link
How to make it work:
Register the domain you want, here I will say as www.example.com
Register the CNAME record on your DNS provider pointing to your Service Fabric default domain likexyz.dev.eastus..cloudapp.com.
Get a PFX certificate from a trusted authority, or your own self-signed certificate if it is for internal use only.
Add the certificate to key vault
Configure the VMSS to use the certificates from key vault
Update your cluster configuration with your certificate thumbprint
This link and this link provides the documentation on how to setup the cluster certificates.
And the following link has a detailed explanation how setup applications:
https://ronaldwildenberg.com/custom-domain-name-and-certificate-for-your-azure-service-fabric-cluster/
If you just want to create secure cluster for Dev and Test purposes, you could just create from the portal and let azure generate the correct certificate for you. For production workloads, you should create your certificates, Please take a look at this link for more info.

Cannot add Admin Client key to Service Fabric cluster

I am trying to add an Admin Client authentication key to my Service Fabric cluster created using the portal.
I keep getting this error (Failed to submit updates to 'admin client certificate' for cluster)-
The background - I cannot access the Service Fabric explorer after creating a cluster. I am guessing that this is because I don't have an admin client authentication set up yet.
How can I fix this error?
From my experience with Azure Service Fabric Cluster you need to have the certificate added to add client certificate. But if you set it up right should connect to it without setting new creds.
Steps below.
While setting up the cluster if its for testing you can use a self-signed certificate from Key Vault, the process can create one for you.
At the summary page of the Cluster setup you will get a link to obtain certificate as you will need that to access Fabric Cluster.
Make sure you download and install certificate (pfx) to computer's store. No password is needed.
Once the Service Fabric cluster is fully deployed click on the 'Explorer' button or the link to open portal. Make sure you are on IE or Edge because Chrome or Firefox will not like the self-signed certificate
The browser should trigger an authentication, please select the certificate we installed previous. If that is not showing as default use the more option to find it. If it's not on the list it means that certificate was not install.
That should authenticate you and give you access to the Service Fabric Cluster.
Hope this information was helpful.
You need to make sure that the SF provision is not undergoing updates first.
Also you cannot access the SF management console with the cert that was used to secure the cluster. You will need to generate a self-signed (unless you already have a CA cert) cert and use the thumbprint from that cert to import into the "Admin Client" in SF security section
This is the cert you need to also import to your client machine Cert repository

Installing certificates to the trusted root certificate store on azure web apps

How can I install a certificate into an Azure Web App so that my azure webapp can communicate with a remote service via SSL (this particular certificate is not signed by a public CA)
I generated an ssl certificate with openssl and when I install it to the trusted root certificate authentication store on my local computer the runs fine. However when I upload the cert via the management portal I get errors that the certificate isn't trusted (which is correct) and the correct error for when a certificate is not installed.
How can I install a private SSL certificate into the trusted root certificate store on an azure web app?
Unfortunately, we cannot add a certificate to the trusted certificate authority on an Azure Web App. The security implications would be quite bad if that were possible. More detail info please refer to another SO thread.
But We can use Azure Cloud Service that allowed us to do that. More info please refer to the document.
If we want to install certificates to Personal certificate store , we could upload a .pfx file to the Azure App, and add an App setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. Then the certificates will be installed to the Personal certificate store . More detail please refer to Using Certificates in Azure Websites Applications.
How to obtained an SSL certificate please refer to the official document Secure your app's custom domain with HTTPS.
 
The easiest way to get an SSL certificate that meets all the requirements is to buy one in the Azure portal directly. This article shows you how to do it manually and then bind it to your custom domain in App Service.

How to create/file certificate for SharePoint App

We have a SharePoint Server in a farm with SQL Server and Active Directory Server. and we are trying to create a self-signed certificate for use in SP App. The farm is hosted on CloudShare and we are unsure if the certificate is provided? or if you have manually create one.
if we have to manually create one, can you provide steps on how to do so?
Thanks
You can create a self-sign certificate from IIS for your local development.
Please follow the below url it will help you to create the self-sign certificate
https://blogs.msdn.microsoft.com/shariq/2013/05/07/how-to-set-up-high-trust-apps-for-sharepoint-2013-troubleshooting-tips/

Thinktecture in windows azure web sites SSL issue

I have deployed the thinktecture identity server in the windows azure website role.The issue I am facing is with the SSL certificate.If I don't have a custom domain name I am forced to use *.azurewebsites which already have a certificate from microsoft and the app pool account is not able to read the private key of this certificate so it's throwing an error.
Did someone have the same issue or any ideas about what I can do to resolve it.
Thanks
The SSL and signing certificate don't need to be the same. Use the MS SSL cert (for now) and generate a separate cert for signatures. That cert can then be uploaded so that you can programmatically access it.

Resources