DNS Name of SSL Certificate Prerequisites
You must know or decide on the DNS Name of your SSL certificate before you proceed. The DNS Name is part of your SSL certificate. For example: pmc.ssldns.name.
Service Fabric does not accept SSL certificates that have been provisioned with Cryptography API: Next Generation (CNG) based providers. Your SSL certificate must be provisioned with a CryptoAPI Cryptographic Service Provider (CSP).
If you are using a Subject Alternative Name (SAN) on the SSL certificate, the SAN must include the core domain name.
The type of SSL certificate you can use should be driven by the type of environment you're deploying PMC to. This section covers:
- Production Environments
- Evaluation Environments
If the portal Virtual Machine (VM) does not trust the Certificate Authority (CA) you provide, you must install the SSL certificate onto your portal VM after deployment. For example, this is required if the CA's certificate was not issued by a trusted root authority.
When you deploy PMC to a production environment:
- You must supply your own SSL certificate. The SSL certificate can be self-signed or signed by a globally trusted authority. If it is self-signed, there are some additional steps to do after deployment which are detailed in this guide.
- You may use multiple subdomains; we recommend that you use a Subject Alternative Name (SAN) list.
- Wildcard characters in the DNS Name of the SSL certificate are not supported.
- You need to know the DNS Name of your SSL certificate.
- You need to know the password for your SSL certificate.
- You need to know the thumbprint for your SSL certificate. You can obtain this using the Get-PfxCertificate .\sslCertificate.pfx command in PowerShell, where you specify the path to your SSL certificate. You will be prompted to enter the password for the certificate.
Please ensure you know the DNS Name of your SSL certificate before you proceed. It is required multiple times throughout the deployment of PMC.
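One way to check a certificate file against the production requirements above before starting the deployment, as an added example that is not part of the PMC documentation or tooling. Test-PmcSslCertificate is a hypothetical name, and the provider check is a heuristic that assumes an RSA key and Windows PowerShell 5.1, where a CNG-backed key does not load as an RSACryptoServiceProvider.

```powershell
# Added example: Test-PmcSslCertificate is a hypothetical helper, not a PMC cmdlet.
function Test-PmcSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,     # for example .\sslCertificate.pfx
        [Parameter(Mandatory)] [string] $DnsName   # for example pmc.ssldns.name
    )

    # Prompts for the PFX password, so it never appears on the command line.
    $cert     = Get-PfxCertificate -FilePath $Path
    $names    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'The file contains no private key.'
    }
    if ($names -notcontains $DnsName) {
        $problems += "DNS Name '$DnsName' is not among the certificate names: $($names -join ', ')"
    }
    # Wildcards in the DNS Name are not supported for production deployments.
    $wildcards = @($names | Where-Object { $_.Contains('*') })
    if ($wildcards.Count -gt 0) {
        $problems += "Wildcard names found: $($wildcards -join ', ')"
    }

    # Heuristic (assumption: Windows PowerShell 5.1, RSA key): a CryptoAPI CSP key
    # loads as RSACryptoServiceProvider, a CNG key throws or loads as another type.
    $provider = $null
    try {
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = $key.CspKeyContainerInfo.ProviderName
        }
    } catch { }
    if (-not $provider) {
        $problems += 'Private key did not load through a CryptoAPI CSP; it may be CNG-based.'
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint   # value needed during deployment
        DnsNames   = $names
        Provider   = $provider
        NotAfter   = $cert.NotAfter
        Problems   = $problems          # empty when every check passed
    }
}

# Usage: Test-PmcSslCertificate -Path .\sslCertificate.pfx -DnsName pmc.ssldns.name
```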
When you deploy PMC to an evaluation environment:
- You need to decide on the DNS Name of the SSL certificate before you start the deployment, as you will be prompted to enter it to allow a certificate to be generated.
- Wildcard characters are supported, but multiple subdomains are not.
- The generated SSL certificate is self-signed by the PMC root certificate authority.
Please make a note of the DNS Name you decide on before you proceed. It is required multiple times throughout the deployment of PMC.