Service Fabric - Certificate Auto Rollover & Binding the certificate without certificate version

Published Feb 08 2021 05:06 AM 767 Views
Microsoft

Ask 1: What is the recommended way for auto rotation of certificates in Service Fabric ?

 

Response:  

The recommended approach for certificate auto rollover in SF is by switching to Common Name(CN) from thumbprint based approach and using the KV extension to monitor, deploy the certs. Refer Azure Key Vault VM Extension for Windows - Azure Virtual Machines | Microsoft Docs. KV extension does the heavy lifting of monitoring and deploying the cert when new version is available.

​In addition, using CN instead of Thumbprint means we do not need to perform a cert rollover upgrade at all.

 

Ask 2: There comes another case where sometimes we want to avoid hard coding certificate secret URL with version in ARM template which is needed when we are deploying SFC first time, after that it’s not needed. However there are some specific scenarios where we need to deploy SFC again and that time the secret URL hard coded in ARM template creates problem and we need to update the ARM template with latest version and deploy. So the ask here is if there any way/feature to support certificate secret URL without version in ARM template, where we don’t need to specify the secret URL with version. For example: can we just use the certificate secret URL  like this: 'https://myvault.vault.azure.net/secrets/mycertificate' i.e.  no dependency on certificate version.

 

Response: The answer to above question is unfortunately no, since this is a specific requirement of the VMSS itself . The certificate secret URL is parameterized, so in our deployment pipeline we should possibly query the keyvault and get the latest version and use that value.

Another possibility can be changing the syntax in the ARM template, we have  a similar ask mentioned here: (https://stackoverflow.com/questions/54402366/get-the-latest-version-of-a-certificate-from-an-azure-k...)

 

We recommend  to test this and see if it will work to resolve the issue. Define variable with secret's resource id like this, for example:

 

"mySecretResourceId": "[concat(resourceGroup().id,'/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'), '/secrets/', 'my-secret-name')]"

then you can use it in your template as following:

"certificateUrl": "[reference(variables('mySecretResourceId'), '2018-02-14').secretUriWithVersion]"

 

Co-Authors
Version history
Last update:
‎Feb 08 2021 05:06 AM
Updated by: