Forum Discussion
How Do You Handle Multiple Server Certificate Thumbprints in Azure Service Fabric Managed Clusters?
Hi everyone,
I wanted to share a common challenge we’ve encountered in DevOps pipelines when working with Azure Service Fabric Managed Clusters (SFMC) — and open it up for discussion to hear how others are handling it.
🔍 The Issue
When retrieving the cluster certificate thumbprints using PowerShell:
(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints
…it often returns multiple thumbprints. This typically happens due to certificate renewals or rollovers. Including all of them in your DevOps configuration isn’t practical.
✅ What Worked for Us
We’ve had success using the last thumbprint in the list, assuming it’s the most recently active certificate:
(Get-AzResource -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.ServiceFabric/managedclusters/<CLUSTER_NAME>").Properties.clusterCertificateThumbprints | Select-Object -Last 1
This approach has helped us maintain stable and secure connections in our pipelines.
🔍 Solution 2: Get current Server Certificate
You can also verify which certificate the cluster is actually serving with OpenSSL (redirecting stdin from /dev/null so s_client closes the connection instead of waiting for input):
openssl s_client -connect <MyCluster>.<REGION>.cloudapp.azure.com:19080 -servername <MyCluster>.<REGION>.cloudapp.azure.com </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1
Note that openssl prints the SHA-1 fingerprint with colon separators (AB:CD:…), while the ARM property holds bare hex; strip the colons and compare case-insensitively before matching it against the thumbprint list.
🛠️ Tip for New Deployments
If you're deploying a new SFMC, consider setting the following property in your ARM or Bicep template:
"autoGeneratedDomainNameLabelScope": "ResourceGroupReuse"
This makes the auto-generated domain name stable across redeployments within the same resource group, which reduces certificate churn and keeps the thumbprint list short and manageable.
⚠️ Note: This setting only applies during initial deployment and cannot be retroactively applied to existing clusters.
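As an added example (not code from the original post), the bash script below combines the two approaches: it pulls the thumbprint list with the Azure CLI (az resource show, the CLI equivalent of the Get-AzResource call above), fetches the SHA-1 fingerprint of the certificate actually served on port 19080, and selects the list entry that matches, so the choice does not depend on where in the list the current certificate sits. The function names, the sample thumbprints and the sample fingerprint line are constructed for illustration; the two live helpers need az login and network access and are not exercised by the constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes: az CLI and openssl on PATH,
# and that the cluster endpoint on 19080 presents the managed cluster certificate.
set -eu

# Normalize "SHA1 Fingerprint=ab:cd:..." (openssl) or "ABCD..." (ARM) to bare
# uppercase hex so the two forms compare equal.
normalize_thumbprint() {
  printf '%s\n' "${1##*=}" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# $1 = thumbprint list, one per line (as ARM returns it); $2 = served fingerprint.
# Prints the list entry whose certificate is currently served, or fails if none matches.
select_active_thumbprint() {
  served=$(normalize_thumbprint "$2")
  match=$(printf '%s\n' "$1" | while IFS= read -r candidate; do
            [ -n "$candidate" ] || continue
            if [ "$(normalize_thumbprint "$candidate")" = "$served" ]; then
              printf '%s\n' "$candidate"
              break
            fi
          done)
  if [ -z "$match" ]; then
    echo "served certificate $served is not in the cluster thumbprint list" >&2
    return 1
  fi
  printf '%s\n' "$match"
}

# Live lookup helpers (require az login + network; not run by the sample below).
# $1 = subscription id, $2 = resource group, $3 = managed cluster name
arm_thumbprints() {
  az resource show \
    --ids "/subscriptions/$1/resourceGroups/$2/providers/Microsoft.ServiceFabric/managedclusters/$3" \
    --query 'properties.clusterCertificateThumbprints' -o tsv
}

# $1 = cluster FQDN, e.g. mycluster.westeurope.cloudapp.azure.com (hypothetical name)
served_fingerprint() {
  openssl s_client -connect "$1:19080" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1
}

# Constructed sample data (not from a real cluster): two thumbprints in the form ARM
# returns them, and a fingerprint line in the form openssl prints it. The served
# certificate is deliberately the FIRST entry, which a "take the last one" rule would miss.
SAMPLE_THUMBPRINTS="0123456789ABCDEF0123456789ABCDEF01234567
FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_FINGERPRINT='SHA1 Fingerprint=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

# Demo on the constructed sample; for a real cluster use:
#   select_active_thumbprint "$(arm_thumbprints "$SUB" "$RG" "$NAME")" "$(served_fingerprint "$FQDN")"
select_active_thumbprint "$SAMPLE_THUMBPRINTS" "$SAMPLE_FINGERPRINT"
```

Failing closed when the served certificate is not in the ARM list is intentional: that condition means the pipeline's view of the cluster is stale (or it is talking to the wrong endpoint), and it is better to stop the run than to pin a thumbprint that is no longer in use.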