Tags:
Azure
Securing your Service Fabric is highly recommended, and to use SSL you need to, as it will use the SSL certificate that the Service Fabric is secured by. See here for more information
I am a member of Microsoft Bizspark — which is an awesome program for startups. They give you free access to a lot of their great tools, and even free credit on Microsoft Azure. Through Bizspark I “brought” an SSL license to use for my Service Fabric(technically I didn’t buy it as I just used my Azure credits).
This SSL certificate is very easy to setup and use with the App Service, but it looks nigh on impossible to use with anything else — and it looked like it had been designed that way. Googling didn’t come up with any suitable results either, however what I did notice though was that it added the certificate to the Azure Key Vault, and with the right permissions this was accessible.
The method I found useful for this was Get-AzureKeyVaultSecret. By calling this method via power-shell with the right credentials I could download the certificate and write it to my local drive
$secretRetrieved = Get-AzureKeyVaultSecret -VaultName ‘vault’ -Name ‘name’
$pfxBytes = [System.Convert]::FromBase64String($secretRetrieved.SecretValueText)
[io.file]::WriteAllBytes(“c:\certificate.pfx”, $pfxBytes)
This exported the certificate to my local computer that I could then use for development and with the Service Fabric. One thing to note with this certificate is that there is no password, that also threw me for a bit.
To use the certificate locally for local Service Fabric use these power-shell commands, they will add it to the places required for local Service Fabric to use, and also for your account to use when publishing and accessing the Azure Service Fabric:
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\LocalMachine\My -FilePath c:\certificate.pfx
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\My -FilePath c:\certificate.pfx
Import-PfxCertificate -Exportable -CertStoreLocation Cert:\CurrentUser\TrustedPeople -FilePath c:\certificate.pfx
Once created I needed to give permission to the “Network Service” for the Local Machine certificate as that was the account local Service Fabric used.Go to “Manage Computer Certificates” -> right-click the certificate -> All Tasks -> Manage Private Keys.
Within the Service Fabric project you want to change the Cluster Connection Parameters to use this certificate, so that you can publish:
<ClusterConnectionParameters ConnectionEndpoint=”app.domain.com:19000"
X509Credential=”true”
FindType=”FindByThumbprint”
FindValue=”[certificate thumbprint]”
StoreLocation=”LocalMachine”
StoreName=”My” />
You can also add the certificate to the endpoints to secure them too:
<Endpoints>
<Endpoint Protocol=”http” Name=”ServiceEndpointHttp” Type=”Input” Port=”xx” />
<Endpoint Protocol=”https” Name=”ServiceEndpointHttps” Type=”Input” Port=”xx” CertificateRef=”[certificate thumbprint]” />
</Endpoints>
To use the certificate in Azure you can’t access the one that is already with the Azure Key Vault as the certificate needs to be wrapped within JSON, to do this I used power-shell to load the certificate downloaded above and insert it to Azure Key Vault.
$bytes = [System.IO.File]::ReadAllBytes(“c:\certificate.pfx”)
$base64 = [System.Convert]::ToBase64String($bytes)
$jsonBlob = @{
data = $base64
dataType = ‘pfx’
password = ‘’
} | ConvertTo-Json
$contentbytes = [System.Text.Encoding]::UTF8.GetBytes($jsonBlob)
$content = [System.Convert]::ToBase64String($contentbytes)
$secretValue = ConvertTo-SecureString -String $content -AsPlainText -Force
Write-Host “Writing secret to $CertificateName in vault $VaultName”
$secret = Set-AzureKeyVaultSecret -VaultName $VaultName -Name $CertificateName -SecretValue $secretValue
Once added this could then be referenced when creating the Service Fabric. See here for more information on securing key vault.