Rotate the SSL Certificates for Your PMC Environment

Before your certificates expire, you need to rotate them. This section describes how to do this for Azure PaaS deployments.

Import the Certificate Into your KeyVault

  1. Log in to Microsoft Azure.
  2. Navigate to All Resources and order the list by Type.
  3. Locate the KeyVault associated with your PMC environment and click it.

If you don't see the certificate, you may need to modify the permissions of your user. Click Access Policies and add your user, granting the Certificate Management Operations Get, List, and Import.

  4. Select sslCertificate in the Certificates list and click New Version.
  5. Select Import from Method of Certificate Creation.
  6. Select your new SSL certificate pfx file in the Upload certificate file dialog box.
  7. Enter the SSL certificate password and click Create.
  8. Once the certificate has been created, click it in the list of certificates.
  9. From the properties, make a secure note of the X.509 SHA-1 Thumbprint, Key Identifier, and Secret Identifier.

 

Update the Scale Set ARM Template

In order for the new certificate to be pushed to the virtual machines in the scale set:

  1. Log in to Microsoft Azure.
  2. Navigate to https://resources.azure.com/ and select the subscription where your PMC instance is deployed.
  3. Click Read/Write to the right of that dropdown.

  4. On the left, select subscriptions > resourceGroups > your resource group > providers > Microsoft.Compute > VirtualMachineScaleSets and select the scale set.
  5. Click Edit.
  6. Navigate to the virtualMachineProfile.Secrets.vaultCertificates array.
  7. Add the following entry at the end of the array. Do not overwrite the existing SSL certificate URL; append this as a final new entry, replacing $secretidentifier$ with the Secret Identifier obtained from the KeyVault.
{
   "certificateUrl": "$secretidentifier$",
   "certificateStore": "My"
}
  8. Click Put. You will see a green tick when the action has completed.

You can confirm that this update has completed by clicking instanceView from the scale set menu on the left. Once it has completed, the time and date stamp will be updated.

Update the Portal/Jumpbox VMs ARM Template

  1. Navigate to https://resources.azure.com/ and select the subscription where your PMC instance is deployed.
  2. Click Read/Write to the right of that dropdown.

  3. On the left, select subscriptions > resourceGroups > your resource group > providers > Microsoft.Compute > VirtualMachines and select either the PortalVM or the JumpBoxVM. You need to repeat these steps for both virtual machines.
  4. Click Edit.
  5. Navigate to the osProfile.secrets.vaultCertificates array as before.
  6. Add the following entry at the end of the array. Do not overwrite the existing SSL certificate URL; append this as a final new entry, replacing $secretidentifier$ with the Secret Identifier obtained from the KeyVault.
{
   "certificateUrl": "$secretidentifier$",
   "certificateStore": "My"
}
  7. Click Put. You will see a green tick when the action has completed.

You can confirm that this update has completed by clicking Instance View from the menu on the left, as for the scale set. Once it has completed, the time and date stamp will be updated.

Ensure you have completed the steps above for both the PortalVM and the JumpBoxVM.
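The Key Vault import and the vaultCertificates edits for the scale set and both VMs described in the three sections above, as an added Az PowerShell example (not the PMC documentation's own script). The resource group, vault, pfx path, scale set name and VM names are placeholders, and the cmdlets assume the Az.KeyVault and Az.Compute modules with an existing Connect-AzAccount session.

```powershell
# Added example, not the PMC documentation's own script. Placeholders below are
# assumptions; the certificate name sslCertificate and store "My" come from the docs.
$ResourceGroup = 'pmc-rg'                 # placeholder
$VaultName     = 'pmc-keyvault'           # placeholder
$CertName      = 'sslCertificate'
$PfxPath       = 'C:\certs\new-ssl.pfx'   # placeholder
$ScaleSetName  = 'pmc-scaleset'           # placeholder
$VmNames       = @('PortalVM', 'JumpBoxVM')

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import the pfx as a new version of sslCertificate (needs Certificate Import permission).
$imported = Import-AzKeyVaultCertificate -VaultName $VaultName -Name $CertName `
    -FilePath $PfxPath -Password $pfxPassword

# Check: the thumbprint Key Vault reports must match the pfx that was uploaded.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $pfxPassword
if ($imported.Thumbprint -ne $local.Thumbprint) { throw 'Key Vault thumbprint differs from the pfx' }
Write-Host "X.509 SHA-1 Thumbprint: $($imported.Thumbprint)"
Write-Host "Key Identifier:         $($imported.KeyId)"
Write-Host "Secret Identifier:      $($imported.SecretId)"   # the $secretidentifier$ value

# Append the new version to an existing vaultCertificates array without removing
# the current entry, so the old certificate stays installed until IIS is rebound.
function Add-VaultCertificateEntry([object]$secrets, [string]$secretUrl) {
    if (-not $secrets -or $secrets.Count -eq 0) { throw 'Resource has no Key Vault secret entry' }
    $certs = $secrets[0].VaultCertificates
    if ($certs.CertificateUrl -contains $secretUrl) { Write-Host 'Entry already present'; return }
    $certs.Add((New-AzVmssVaultCertificateConfig -CertificateUrl $secretUrl -CertificateStore 'My'))
}

# Scale set: virtualMachineProfile.osProfile.secrets[0].vaultCertificates
$vmss = Get-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $ScaleSetName
Add-VaultCertificateEntry $vmss.VirtualMachineProfile.OsProfile.Secrets $imported.SecretId
Update-AzVmss -ResourceGroupName $ResourceGroup -VMScaleSetName $ScaleSetName -VirtualMachineScaleSet $vmss

# Portal and jump box VMs: osProfile.secrets[0].vaultCertificates
foreach ($name in $VmNames) {
    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $name
    Add-VaultCertificateEntry $vm.OSProfile.Secrets $imported.SecretId
    Update-AzVM -ResourceGroupName $ResourceGroup -VM $vm
}
```

After each Update-AzVmss/Update-AzVM returns, check Instance View as described above before moving on to the IIS binding.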

Configure Internet Information Services (IIS)

  1. Open a remote desktop session to the PortalVM, either from the jump box or by downloading the RDP file from Azure.
  2. Open Internet Information Services (IIS).
  3. Select IC3Portal from Sites.
  4. Click Bindings on the right.
  5. Edit the single binding for port 9443 and, under SSL certificate, click Select.
  6. Select the new SSL certificate and click OK.

You can typically identify the new SSL certificate by examining the expiration dates and choosing the one that is most distant.

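The same IIS rebinding done from PowerShell on the PortalVM, as an added example that is not part of the PMC documentation. It assumes the WebAdministration module, that the Key Vault update has already placed the new certificate in LocalMachine\My, and that $NewThumbprint holds the thumbprint noted from Key Vault (placeholder below); it selects the certificate by thumbprint and cross-checks it against the expiry-date heuristic above.

```powershell
# Added example, not from the PMC documentation.
Import-Module WebAdministration

$SiteName      = 'IC3Portal'                 # site and port from the documentation
$Port          = 9443
$NewThumbprint = 'PLACEHOLDER_THUMBPRINT'    # X.509 SHA-1 thumbprint recorded from Key Vault

# Find the certificate by thumbprint (authoritative) and by the documented
# heuristic (the one with the most distant expiry), then require them to agree.
$byThumb = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
$latest  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
           Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $byThumb) {
    throw "Certificate $NewThumbprint is not in LocalMachine\My yet; wait for the scale set/VM update to finish"
}
if ($latest.Thumbprint -ne $byThumb.Thumbprint) {
    Write-Warning 'The newest-expiring certificate is not the Key Vault one; binding by thumbprint'
}
if ($byThumb.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($byThumb.Thumbprint) expires on $($byThumb.NotAfter)"
}

# Rebind the single https binding on 9443 to the new certificate in the My store.
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port
if (-not $binding) { throw "No https binding on port $Port for site $SiteName" }
$binding.AddSslCertificate($byThumb.Thumbprint, 'My')

# Verify what IIS now serves on that port.
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } |
    Select-Object IPAddress, Port, Thumbprint
```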

Make the PMC Application Configuration Changes

  1. Open a remote desktop session to the jump box (ensure you have the Cluster Administration *.pfx certificate installed on the machine before continuing).
  2. The SSL Thumbprint setting has to be updated first by passing it in the UpdateConfigParameters hashtable, as shown here, instead of inputting it as a script parameter. You can also use this method to update multiple configuration settings at once:
    .\UpdateServiceFabricAppSetting.ps1 -UpdateConfigParameters @{"Avecto.IC3.Certificates.SSL.Thumbprint" = "newthumbprint"}
  3. Run the UpdateServiceFabricAppSetting.ps1 script (in the upgrades folder) with the following parameters:
    • ClusterAddress: The DNS name of your cluster, suffixed with :19000. For example, PMCcert.PMC:19000.
    • ServerCertThumbprint: The thumbprint of the ClusterAdminCertificate.
    • ClusterAdminThumbprint: The thumbprint of the ClusterAdminCertificate (same as ServerCertThumbprint).
  4. Once the upgrade is complete, you can check access from the portal. You can monitor the application upgrade using Service Fabric Explorer.