在Azure中创建的VM上的TenantEncryptionCert [英] TenantEncryptionCert on VM created in Azure

问题描述

我创建了预装有SQL Server的Azure VM，并配置了IIS以在其上运行我的.NET应用程序。在为我的应用配置SSL时，我注意到服务器上已经存在许多证书，并且其中很多是由Windows Azure CRP证书生成器颁发的 TenantEncryptionCert 。有谁知道这些证书的用途是什么？这些是某些Azure特定证书，没有这些证书，我将无法连接到我的VM或什么？我可以将它们用于SSL吗？

I created Azure VM with SQL Server pre-installed and configured IIS to run my .NET application on it. When configuring SSL for my app I noticed that there are many certificates present on server already and quite a few of them being TenantEncryptionCert issued by and for Windows Azure CRP Certificate Generator. Does anyone have any idea what are these certificates for? Are these some Azure specific certs without which I will lose connectivity to my VM or what? Can I use them for SSL?

< img src = https://i.stack.imgur.com/q3a7c.jpg alt = Azure VM证书>

推荐答案

TenantEncryptionCert 证书由Azure Guest Agent（GA）&扩展名。

TenantEncryptionCert certificates are used by the Azure Guest Agent (GA) & extensions.

当扩展程序使用密码等受保护的设置时，您通常会看到它，并且我们需要使用WireServer（主机节点）安全地传输有效负载。
因此，它们被加密并需要证书。

You’ll usually see it when extensions are using Protected Settings like passwords, and we need to securely transfer the payloads with the WireServer (the host node). So they are encrypted and a certificate is needed.

该证书由GA自动创建和管理。

The certificate is automatically created and managed by the GA. You shouldn’t really care about it.

GA在启动/更新时检查是否存在证书。如果您将其删除，或者由于其他原因不存在，则会创建一个新的。

GA checks for the presence of certificate on startup / update. If you delete it, or if it’s not there for other reasons, then it’ll create a new one.

请注意，GA不会清除过期的证书…因此，您最终可能会在certmgr控制台中获得很多证书。因此，您可以安全地删除过期的。

Note that the GA doesn’t clean the expired certificates… so you might end up with a lot of certs in the certmgr console. For this reason you can safely delete the expired ones.

HTH

这篇关于在Azure中创建的VM上的TenantEncryptionCert的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！