Trending on MSDN: Self-Signed Certificates for Azure Service Fabric

Micah McKittrick 946 Reputation points Microsoft Employee
2019-10-29T19:43:24.39+00:00

According to Azure Service Fabric security best practices, I should use a self-signed certificate for test clusters, but not for production clusters.

Service Fabric clusters are created in the cluster.region.cloudapp.azure.com subdomain. I am assuming there is no way to get a TLS certificate for that domain signed by a proper CA (because cloudapp.azure.com belongs to Microsoft).

Azure can generate only a self-signed certificate for that domain, but it's against best practices. As I understand it, there is only one way to follow best practices: to have a custom domain for the Service Fabric cluster (like sfcluster.mydomain.com) and to buy a certificate for it.

Is it correct?

The situation with client certificates is unclear to me as well. Is it wrong to use self-signed client certificates too?

Sourced from MSDN


Accepted answer
  1. olufemia-MSFT 2,781 Reputation points
    2019-10-29T23:26:09.507+00:00

    Welcome to the Microsoft Q&A (Preview) platform. Happy to answer your questions.

    You are correct. Since the Azure domain is not something you can get an official cert for, as it is owned by Microsoft, you need to set up a custom domain name for your cluster and map it to the one provided to you when creating your cluster.

    As per your second question, there is nothing wrong with using self-signed certs; however, it is not recommended for production clusters. For dev clusters there is no reason to pay for a certified cert.

    Sourced from MSDN
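
The decision in the accepted answer, written as a pre-deployment check. This is an added example, not code from the thread or from Microsoft: the function name `Test-ClusterCertificate` and its output fields are hypothetical, and the sample certificate is constructed in memory for the custom name used in the question.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not a Service Fabric cmdlet): classify a candidate cluster certificate.
function Test-ClusterCertificate {
    param(
        [Parameter(Mandatory)] [X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ClusterDnsName
    )
    # Subject equal to issuer means the certificate is self-issued (no CA in the chain).
    $selfSigned = [Convert]::ToBase64String($Certificate.SubjectName.RawData) -eq
                  [Convert]::ToBase64String($Certificate.IssuerName.RawData)
    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() prints "DNS Name=" on Windows and "DNS:" on Linux/macOS.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    # A "*" in a certificate name stands for exactly one DNS label.
    $covers = $false
    foreach ($name in $dnsNames) {
        $pattern = '^' + [regex]::Escape($name).Replace('\*', '[^.]+') + '$'
        if ($ClusterDnsName -match $pattern) { $covers = $true }
    }
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        SelfSigned         = $selfSigned
        DnsNames           = $dnsNames
        CoversClusterName  = $covers
        # cloudapp.azure.com belongs to Microsoft, so a CA-issued certificate is not available for it.
        MicrosoftOwnedName = $ClusterDnsName -like '*.cloudapp.azure.com'
        # Assumption, following the thread: production wants a CA-issued cert that covers the name.
        FitsProductionUse  = (-not $selfSigned) -and $covers
    }
}

# Constructed sample: a self-signed certificate for the custom name from the question.
$key = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=sfcluster.mydomain.com', $key,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$san = [SubjectAlternativeNameBuilder]::new()
$san.AddDnsName('sfcluster.mydomain.com')
$req.CertificateExtensions.Add($san.Build())
$cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(30))
Test-ClusterCertificate -Certificate $cert -ClusterDnsName 'sfcluster.mydomain.com'
```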


2 additional answers

  1. AHMED ISMAIL GOMAA BAKIR 906 Reputation points
    2022-05-05T22:02:02.12+00:00

    You are correct. Since the Azure domain is not something you can get an official cert for, as it is owned by Microsoft, you need to set up a custom domain name for your cluster and map it to the one provided to you when creating your cluster.


  2. Hanan Ali Ibrahem Roffa 81 Reputation points
    2022-05-06T03:15:46.06+00:00

    Since the Azure domain is not something you can get an official cert for, as it is owned by Microsoft, you need to set up a custom domain name for your cluster and map it to the one provided to you when creating your cluster.