Self-signed certificates for service fabric

  • Question

  • According to Azure Service Fabric security best practices I should use a self-signed certificate for test clusters, but not for production clusters.

    Service fabric clusters are created in the [cluster].[region].cloudapp.azure.com subdomain. And I suppose there is no way to get a TLS certificate for that domain signed by a proper CA (because cloudapp.azure.com belongs to Microsoft). Azure can generate only a self-signed certificate for that domain for me, but that is against best practices. As I understand it, there is only one way to follow best practices: to have a custom domain for the service fabric cluster (like sfcluster.mydomain.com) and to buy a certificate for it. Is that correct?

    The situation with client certificates is also unclear to me. Is it wrong to use self-signed client certificates too?
    Monday, August 5, 2019 12:00 PM

Answers

  • You are correct. Since Azure is not something you can get an official cert for, as it is owned by Microsoft, you need to set up a custom domain name for your cluster and map it to the one provided to you when creating your cluster.

    There is nothing wrong with using self-signed certs; however, it is not recommended for production clusters. For dev clusters there is no reason to pay for a certified cert.

    Monday, August 5, 2019 4:22 PM
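As an added illustration of the distinction the answer draws (this is not code from the thread, from Azure or from Service Fabric), the Go program below uses only the standard library to construct two certificates: a self-signed one bound to a cloudapp.azure.com name, the shape a portal-generated test certificate has, and one for a custom domain issued by a constructed CA. The hostnames, the CA name and the Assess helper are all assumptions made for this example. It then runs the three checks a TLS client applies before trusting a cluster endpoint: is the certificate self-signed, does it chain to a root in the client's trust store, and does its SAN match the hostname. The same self-signed certificate passes when it has been installed in the trust store explicitly (a test cluster) and fails against any store that does not contain it (what production clients hold).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostnames for the example; not the poster's cluster.
const (
	azureHost  = "sfcluster.westeurope.cloudapp.azure.com"
	customHost = "sfcluster.mydomain.com"
)

// Assessment is what a pre-deployment check of a cluster certificate reports.
type Assessment struct {
	SelfSigned bool // issuer equals subject and the signature verifies under its own key
	ChainOK    bool // chains to a root in the verifier's trust store
	NameOK     bool // SAN covers the hostname clients connect to
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for name. With parent == nil it signs itself
// (the shape of a portal-generated test certificate); otherwise parent signs
// it, as a CA would for a custom-domain certificate.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // clients match the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Assess applies the checks a TLS client applies before trusting cert for host.
func Assess(cert *x509.Certificate, roots *x509.CertPool, host string) Assessment {
	var a Assessment
	a.SelfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots}) // chain only; hostname checked separately
	a.ChainOK = err == nil
	a.NameOK = cert.VerifyHostname(host) == nil
	return a
}

// Scenarios builds the certificates the thread contrasts and assesses each
// against the trust store a client would hold in that situation.
func Scenarios() map[string]Assessment {
	azureCert, _ := issue(azureHost, false, nil, nil) // self-signed, Azure-style name
	ca, caKey := issue("Example Root CA (constructed)", true, nil, nil)
	customCert, _ := issue(customHost, false, ca, caKey) // CA-issued, custom domain

	clientRoots := x509.NewCertPool() // what production clients trust: the CA, never the self-signed cert
	clientRoots.AddCert(ca)
	devRoots := x509.NewCertPool() // a test cluster: the self-signed cert installed explicitly
	devRoots.AddCert(azureCert)

	return map[string]Assessment{
		"prod-self-signed":     Assess(azureCert, clientRoots, azureHost),
		"dev-self-signed":      Assess(azureCert, devRoots, azureHost),
		"prod-ca-issued":       Assess(customCert, clientRoots, customHost),
		"ca-issued-wrong-host": Assess(customCert, clientRoots, azureHost),
	}
}

func main() {
	for name, a := range Scenarios() {
		fmt.Printf("%-22s self-signed=%-5v chain-ok=%-5v name-ok=%v\n", name, a.SelfSigned, a.ChainOK, a.NameOK)
	}
}
```

The fourth scenario is the mistake the custom-domain route is meant to avoid: a CA-issued certificate is only useful if its SAN names the host clients actually dial, so the custom domain must be the name in the certificate and the name in DNS, not just an alias. For client certificates the same Verify call applies with `KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}` set on the options; a self-signed client certificate then passes only where the cluster has been configured to trust that exact certificate (or its thumbprint), which is why it is acceptable for a test cluster and a management burden for production.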

All replies

  • In Set up Azure Active Directory for client authentication I see it's also possible to use Azure AD instead of client certificates. But why do I need to create new users in the SetupUser script? Can I give access to existing users?

    Monday, August 5, 2019 8:37 PM
  • Yes, you can use AAD and use the users already in your tenant. However, it all needs to be configured prior to creating your cluster. So if you want to switch to this route, you would be required to recreate your cluster.
    Monday, August 5, 2019 9:28 PM