Install a certificate in a Service Fabric Cluster without a private key

5
votes

I need to install a certificate in a Service Fabric cluster that I created using an ARM template. I was able to install a certificate with the private key using the following helper powershell command:

> Invoke-AddCertToKeyVault

https://github.com/ChackDan/Service-Fabric/tree/master/Scripts/ServiceFabricRPHelpers

Once this certificate is in Azure Key Vault I can modify my ARM template to install the certificate automatically on the nodes in the cluster:

"osProfile": {
    "secrets": [
        {
            "sourceVault": {
                "id": "[parameters('vaultId')]"
            },
            "vaultCertificates": [
                {
                    "certificateStore": "My",
                    "certificateUrl": "https://mykeyvault.vault.azure.net:443/secrets/fabrikam/9d1adf93371732434"
                }
            ]          
        }
    ]
}

The problem is that the Invoke-AddCertToKeyVault is expecting me to provide a pfx file assuming I have the private key.

The script is creating the following JSON blob:

$jsonBlob = @{
    data = $base64
    dataType = 'pfx'
    password = $Password
} | ConvertTo-Json

I modified the script to remove password and change dataType to 'cer' but when I deployed the template in Azure it said the dataType was no longer valid.

How can I deploy a certificate to a service fabric cluster that does not include the private key?

1
azure-service-fabricazure-resource-managerazure-keyvault

1 Answers

3
votes

1) SF does not really care if you used .cer or .pfx. All SF needs is for the certificate to be available in the local cert store in the VM.

2) The issue you are running into is that CRP agent, which installs the cert from the keyvault to the local cert store in the VM, supports only .pfx today.

So now you have two options

1) create a pfx file without a private key and use it

Here is how to do via C# (or powershell) Load the certificate into a X509Certificate2 object Then use the export method for X509ContentType = Pfx https://msdn.microsoft.com/en-us/library/24ww6yzk(v=vs.110).aspx

2) Deploy the .cer using a custom VM extension. Since .cer is only a public key cert there should be no privacy requirements. You can just upload the cert to a blob, and have a custom script extension download it and install it on the machine.