Azure Stack Hub - external certificate rotation - new certificates (only server auth key usage)

Bak, Andras 0 Reputation points
2026-03-11T09:26:19.4533333+00:00

Hi, good day, please help me.

We have to rotate the ASH certificates by March. After generating the CSR files, we received the issued certificates. However, all public CAs now issue certificates with server auth instead of the previous TLS server and client auth EKU.

Running the validation on Azure Stack Hub returns the following output (print screen attached).

Unfortunately, we will not be able to request another certificate, so we trust that it will work. We would like to ask for confirmation that this is okay.

Thank you very much for your help in advance!

Azure Stack Hub

An extension of Azure for running apps in an on-premises environment and delivering Azure services in a datacenter.


2 answers

Sort by: Most helpful
  1. Manish Deshpande 5,420 Reputation points Microsoft External Staff Moderator
    2026-03-30T09:32:07.1366667+00:00

    Hello Bak,

    Yep, certificates with just Server Authentication (serverAuth) EKU are good to go for Azure Stack Hub external certificate rotation.

    • All Azure Stack Hub needs is the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) in the Enhanced Key Usage field for external endpoint certs—no need for Client Authentication (clientAuth) EKU.
    • Public CAs have stopped adding Client Authentication by default to new TLS server certs (thanks to Chrome Root Program and CA/Browser Forum policies), but this doesn’t mess with Azure Stack Hub external certs.
    • If your new certs pass the Azure Stack Hub Readiness Checker or validation (including the right Key Usage: Digital Signature + Key Encipherment), you’re all set for rotation.
    • The validation output you saw is normal, so your certs meet all the requirements.

    https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-pki-certs?view=azs-2601

    This article clearly states the mandatory EKU: “The certificate pfx files must have the values Server Authentication (1.3.6.1.5.5.7.3.1) in the Enhanced Key Usage field.”

    You can confidently use the newly issued certificates for external secret rotation. Here are the focused steps to complete the process safely:

    1. Confirm validation success: Ensure the full Readiness Checker output (or Test-AzureStack) shows Pass for all external certificates. If any other issues appear, address them first.
    2. Prepare the certificates: Package the new .pfx files with the correct folder structure as described in the documentation.
    3. Perform external certificate rotation: Use the Privileged Endpoint (PEP) and the Start-SecretRotation cmdlet to rotate only the external certificates.
    4. Post-rotation verification: After rotation, run validation again to confirm the new certificates are active and all endpoints are healthy.

    Note: proceed with the rotation using your current certificates; they fully comply with Azure Stack Hub requirements. This industry shift to Server Auth only actually aligns better with standard TLS server certificate best practices for external endpoints.

    Thanks,
    Manish.

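    As an added example (not code from this thread, from Microsoft's documentation, or from the Azure Stack Hub Readiness Checker), the following PowerShell function performs a quick local pre-check of exactly the two fields the answer above names: the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) and the Digital Signature + Key Encipherment Key Usage bits. It is useful before step 1 (and again at step 4) to see at a glance why a file would or would not pass; the Readiness Checker remains the authoritative validation. The function name, the `$Path`/`$Password` parameters and the `.\portal.pfx` path in the usage line are assumptions for illustration.

```powershell
# Added example: local EKU / Key Usage pre-check for an Azure Stack Hub external certificate.
# Not part of the Microsoft Q&A thread or the Readiness Checker; function name and parameters are assumed.
function Test-AshExternalCertUsage {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,              # .pfx (with private key) or .cer file to inspect (assumed parameter)
        [string]$Password = ''      # PFX password; leave empty for a .cer file (assumed parameter)
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required by Azure Stack Hub
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, no longer issued by public CAs

    # Load the file; this constructor handles both .cer and password-protected .pfx input.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path, $Password)

    # Locate the extensions by OID: 2.5.29.37 = Extended Key Usage, 2.5.29.15 = Key Usage.
    $ekuRaw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $kuRaw  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }

    # Decode the EKU extension into its list of purpose OIDs (empty if the extension is absent).
    $ekuOids = @()
    if ($ekuRaw) {
        $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($ekuRaw, $ekuRaw.Critical)
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Decode the Key Usage extension into its flag set (None if the extension is absent).
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None
    if ($kuRaw) {
        $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($kuRaw, $kuRaw.Critical)
        $kuFlags = $ku.KeyUsages
    }

    $hasDigSig     = $kuFlags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    $hasKeyEnc     = $kuFlags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    $hasServerAuth = $ekuOids -contains $serverAuthOid

    # One row per certificate; MeetsRequirements covers only the EKU and Key Usage rules quoted above.
    [pscustomobject]@{
        Subject           = $cert.Subject
        NotAfter          = $cert.NotAfter
        HasPrivateKey     = $cert.HasPrivateKey                 # expected $true for a rotation .pfx
        ServerAuthEku     = $hasServerAuth                      # must be $true
        ClientAuthEku     = ($ekuOids -contains $clientAuthOid) # informational only; not required
        DigitalSignature  = $hasDigSig                          # must be $true
        KeyEncipherment   = $hasKeyEnc                          # must be $true
        MeetsRequirements = ($hasServerAuth -and $hasDigSig -and $hasKeyEnc)
    }
}

# Usage (path and password are placeholders): inspect one new external certificate.
Test-AshExternalCertUsage -Path '.\portal.pfx' -Password 'REPLACE_ME' | Format-List
```

    A certificate issued with only serverAuth, as described in the question, shows `ServerAuthEku = True` and `ClientAuthEku = False`, and `MeetsRequirements` is `True` as long as the Key Usage bits are also present. Running the function over every .pfx in the prepared folder (`Get-ChildItem -Filter *.pfx | ForEach-Object { Test-AshExternalCertUsage -Path $_.FullName -Password 'REPLACE_ME' }`) gives a quick table to compare against the Readiness Checker output.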

  2. Q&A Assist
    2026-03-11T09:26:33.95+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    External certificate rotation on Azure Stack Hub must follow the Azure Stack Hub PKI certificate requirements and must pass the Readiness Checker/validation step before being used for deployment or rotation.

    The provided context explicitly states that before rotating external secrets you must:

    1. Generate CSRs using the documented process.
    2. Prepare the returned certificates using the Prepare PKI certificates guidance.
    3. Validate them using Validate PKI Certificates.

    If the validation tool reports an error or non‑compliance (for example, because the EKU does not match what Azure Stack Hub expects), those certificates are not considered supported for rotation. The documentation does not provide an exception or override mechanism for EKU or other certificate requirement violations, and it does not state that certificates failing validation will still work.

    Because of this, only certificates that meet the documented PKI requirements and pass the validation step are supported for Azure Stack Hub external secret rotation. Certificates that differ from the required EKU profile and cause validation failures are not supported for use.

    If requesting a different certificate from the CA is not possible, the supported path is to work with the CA to obtain certificates that meet the Azure Stack Hub PKI certificate requirements, or to open a support case with Microsoft to review the specific validation output and options.
