
[Azure Cloud Service] Update the certificate configured in Cloud Service (Extended Support) using the REST API.

Published 2024-10-12 20:25:39

Description of the problem

When renewing certificates for Cloud Service (Extended Support) according to the documentation (Renew certificates: /zh-cn/cloud-services-extended-support/certificates-and-key-vault), you may hit the case where the old certificate information (for example the intermediate and root certificates) was stored as Key Vault Secrets. During an update, the portal can only match the server (leaf) certificate against Key Vault Certificates; for the intermediate and root certificates it shows the following error:

One or more certificates defined in .cscfg are not found in the selected key vault. Ensure that all certificates have been uploaded to the selected key vault and click Refresh below to revalidate. If the cloud service is adding certificates based on key vault secrets, the secret-based certificates must be added through a method other than the portal.
Go to the selected key vault
Learn more about using secret based certificates outside of the portal

The documentation linked from that prompt contains this passage:

"However, if certificates are planned to be used as secrets, there is no way to validate the fingerprints of those certificates, and any update operation through the portal that involves adding a secret will fail."

Customers are therefore advised to use PowerShell or the REST API for any update that involves secret-based certificates, since the portal cannot validate the thumbprint of a certificate stored as a secret.

This article explains how to renew the certificates with the REST API.

 

Procedure

Step 1: Upload the certificate to Azure Key Vault

Following the certificate documentation (/zh-cn/cloud-services-extended-support/certificates-and-key-vault#upload-a-certificate-to-key-vault), upload the PFX certificate into Key Vault, then copy out the certificate's thumbprint and its Secret Identifier:

 

  • Thumbprint: the certificate fingerprint (the SHA-1 hash of the certificate), unique per certificate and used to tell whether two certificates are the same
  • Secret Identifier: the URL under which the certificate is stored in the Key Vault, as a secret whose value is a JSON document carrying the base64-encoded (not encrypted) certificate. For use with Cloud Service (Extended Support) the secret value must have the following JSON format:

{
  "data": "Your base64 certificate",
  "dataType": "PFX",
  "password": "optional, enter the password if the PFX has one"
}

 


Step 2: Get the Cloud Service information with the GET API

Documentation reference: /en-us/rest/api/compute/cloud-services/get?view=rest-compute-2024-07-01&tabs=HTTP

 

Note that in Azure China you need to change the host endpoint. The request is:

GET https:// /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers//cloudServices/{cloudServiceName}?api-version=2022-04-04

The request must carry an Authorization header with a bearer token, otherwise you get the following error:

{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Authentication failed. The 'Authorization' header is missing."
  }
}

One way to get a token is to open the Cloud Service (Extended Support) page in the Azure portal in a browser, open the developer tools (F12), and copy the Authorization header from one of the portal's own requests to the Cloud Service resource. Alternatively, get the token through the az CLI:

az cloud set --name AzureChinaCloud

az login

az account get-access-token --scope "/.default" --query accessToken -o tsv

 

Once the Cloud Service information has been obtained, adjust the JSON: delete everything under properties except configuration and osProfile.

The trimmed JSON looks like this:

{
  "name": "cloud service extended support name",
  "id": "cloud service (extended) support resource id",
  "type": "/cloudServices",
  "location": "chinanorth3",
  "properties": {
    "configuration": "{ServiceConfiguration}",
    "osProfile": {
      "secrets": [
        {
          "sourceVault": {
            "id": "key vault resource id"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "key vault Secret Identifier"
            },
            {
              "certificateUrl": "key vault Secret Identifier"
            },
            {
              "certificateUrl": "key vault Secret Identifier"
            }
          ]
        }
      ]
    }
  }
}

Two changes then need to be made:

1) In the configuration content (the .cscfg), replace the old certificate thumbprint(s) with the thumbprint value(s) from step 1.

2) In the certificateUrl values, replace the old certificateUrl with the Secret Identifier URL from step 1.

Once the above is prepared, proceed to the third step: send a PUT request to update the Cloud Service (Extended Support) with the new certificate.

 

Step 3: Update the Cloud Service information with the PUT API

Documentation reference: /en-us/rest/api/compute/cloud-services/create-or-update?view=rest-compute-2024-07-01&tabs=HTTP

Use the same URL as in step 2, change the request method to PUT, put the JSON edited in step 2 into the request body, and send it; then check the status of the response.

 

Afterwards, you can go back to the Cloud Service (Extended Support) page in the Azure portal to confirm that the certificate was updated.

 

For a deeper check, RDP to a node of the cloud service and inspect the certificate store:

RDP --> type "cert" in the Start menu --> choose "Manage Computer Certificates" --> look under Personal > Certificates

 

 
