Azure Stack Hub certificates have to follow the requirements published here.
- Generate a private key (4096-bit RSA):
```sh
openssl genrsa -out key/domain.tld.key 4096
```
- Prepare the CNF file as follows:
```ini
[req]
distinguished_name = req_distinguished_name
# pull the v3_req extensions (SAN, key usage) into the CSR
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = SK
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Slovakia
localityName = Locality Name (eg, city)
localityName_default = Bratislava
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
commonName = Common Name (eg, YOUR name)
commonName_default = *.domain.tld
commonName_max = 64
emailAddress = Email Address
emailAddress_default = your@email.tld
emailAddress_max = 40

[v3_req]
keyUsage = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
# wildcard SAN; the CN above must match it
DNS.1 = *.domain.tld
```
- Generate the CSR:
```sh
openssl req -new -key key/domain.tld.key -out csr/domain.tld.csr -config cnf/domain.tld.cnf
```
After you get your certificate from the CA (e.g. DigiCert and RapidSSL, including RapidSSL Wildcard, work fine), save the root CA, the intermediate and your own certificate as separate PEM files. The root CA and intermediate files are reused for all your certificates.

The certificate chain order Microsoft requires is: the root CA first, then the intermediate certificate(s), and your own certificate last.

E.g. for DigiCert & RapidSSL use:
```sh
# root -> intermediate -> leaf
cat crt/intermediate/TrustedRoot.pem crt/intermediate/DigiCertCA.pem crt/certonly/domain.tld.pem > crt/fullchain/domain.tld.pem
# -descert: encrypt the certificates with 3DES instead of the RC2-40 default
# -LMK: add the local machine keyset attribute so Windows imports the key into the machine store
openssl pkcs12 -export -in crt/fullchain/domain.tld.pem -inkey key/domain.tld.key -out pkcs12/domain.tld.pfx -descert -LMK
```
Enter the PKCS12 passphrase twice and you are good to go.
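A wrong chain order or a key that does not belong to the leaf certificate is the usual reason the Azure Stack Hub validator rejects a PFX, so it is worth checking the bundle before packing it. The script below is an added example and not part of the original guide: `check_chain_order` splits a PEM bundle, checks that the first certificate is self-signed, that each certificate is issued by the one before it, and that the private key matches the last (leaf) certificate. `build_toy_pki` constructs a throwaway root/intermediate/leaf hierarchy with `openssl` so the check can be tried offline; the names `Toy Root`, `Toy Intermediate` and `*.example.test` are made up for the demo.

```sh
#!/bin/sh
# Added example: sanity-check a PEM chain (root -> intermediate -> leaf) and its key
# before running "openssl pkcs12 -export". Requires the openssl CLI.

# cert_field <cert.pem> <subject|issuer>  -- print the DN in RFC2253 form, prefix stripped
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# check_chain_order <bundle.pem> <leaf.key>  -- returns 0 if the bundle is ordered correctly
check_chain_order() {
  bundle="$1"; leafkey="$2"
  dir=$(mktemp -d)
  # one file per certificate, numbered in the order they appear in the bundle
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/" n ".pem")}' "$bundle"
  count=$(ls "$dir" | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    echo "bundle holds fewer than two certificates" >&2; rm -rf "$dir"; return 1
  fi
  # the first certificate must be the self-signed root
  if [ "$(cert_field "$dir/1.pem" subject)" != "$(cert_field "$dir/1.pem" issuer)" ]; then
    echo "first certificate is not a self-signed root: chain order is wrong" >&2; rm -rf "$dir"; return 1
  fi
  # every following certificate must be issued by the one before it
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    if [ "$(cert_field "$dir/$i.pem" subject)" != "$(cert_field "$dir/$j.pem" issuer)" ]; then
      echo "certificate $j is not issued by certificate $i: chain order is wrong" >&2; rm -rf "$dir"; return 1
    fi
    i=$j
  done
  # the private key must belong to the last (leaf) certificate
  if [ "$(openssl x509 -in "$dir/$count.pem" -noout -pubkey)" != "$(openssl pkey -in "$leafkey" -pubout)" ]; then
    echo "private key does not match the leaf certificate" >&2; rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  return 0
}

# build_toy_pki <dir>  -- constructed demo hierarchy (Toy Root -> Toy Intermediate -> *.example.test)
build_toy_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# demo: assemble the bundle in the order Microsoft requires and check it
demo_dir=$(mktemp -d)
build_toy_pki "$demo_dir"
cat "$demo_dir/root.pem" "$demo_dir/inter.pem" "$demo_dir/leaf.pem" > "$demo_dir/fullchain.pem"
if check_chain_order "$demo_dir/fullchain.pem" "$demo_dir/leaf.key"; then
  echo "chain order and key OK, safe to run openssl pkcs12 -export"
fi
rm -rf "$demo_dir"
```

Run it against your real files as `check_chain_order crt/fullchain/domain.tld.pem key/domain.tld.key` before the `pkcs12 -export` step; a reversed bundle (leaf first) or the wrong key file is reported with a non-zero exit code.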
- Validate Azure Stack Hub PKI certificates
- If needed, fix the PowerShell warning "Unable to resolve package source"
Enjoy!