Traditionally, the SSL certificate (the certificate used to secure your Service Fabric cluster) is referenced in Microsoft Azure by its certificate thumbprint, the unique identifier of the certificate in the form of a hash value computed over the complete certificate.
The problem with this is that whenever the SSL certificate has to be updated in the Service Fabric cluster (most likely because the certificate is about to expire or already has), the new certificate will have a different thumbprint than the one referenced in the Service Fabric cluster. This means either a complicated and difficult change to Service Fabric's configuration or even a complete rebuild of the entire cluster! Switching the cluster to use the common name means that you can just make a new signed certificate with the same common name, and Service Fabric will pick up the certificate automatically with no major work on the developer's end.
To change from thumbprint to common name, first you have to get a valid certificate from a Certificate Authority (self-signed certificates are NOT supported by Microsoft Azure for this). This certificate then needs to be deployed to both the Key Vault and the virtual machine scale set. The best way to add it to the Key Vault is to create and run a PowerShell script that adds the certificate to the Key Vault
[This is an example of adding to an existing Key Vault. If it does not exist you would have to create the Key Vault first.]
Once this is done, you will have to install the same certificate onto the virtual machine scale sets. You could either add a step in the ARM template to install it to the scale set or create a simple PowerShell script to install it; both would work, though installing through the ARM template is much better practice, as it increases automation and allows more instances to be spun up with ease.
Next, open the ARM template file for the cluster (used for deployment of the cluster to an environment) and, in the parameters section, remove the certificate thumbprint parameter and then add:
This will allow you to add the common name during deployment via Azure DevOps with a new parameter called certificateCommonName. The process to install the certificate on the virtual machine scale set via the ARM template (the preferred method) involves going into the Microsoft.Compute/virtualMachineScaleSets section and removing the thumbprint section.
As a final change in the ARM template, at the Microsoft.ServiceFabric/clusters section, update the API version to 2018-02-01, add a certificateCommonNames setting with a commonNames property, and remove the certificate setting (with the thumbprint property).
Once this is all done, just redeploy the ARM template to the environment and it will have the new certificate. Any future certificate rotation then only requires a simple redeploy with the new certificate supplied as the parameter on top of the existing deployment, rather than a complete rebuild and remake of the system.
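Putting the template changes above together, here is an added fragment (not the post's own template, and not a complete one) showing only the certificate-related properties after the switch. The Key Vault parameters sourceVaultValue, certificateStoreValue and certificateUrlValue are assumed names, and everything else the scale set and cluster resources require (SKU, node types, endpoints, extension publisher and version) is left out; the `//` comments are accepted by Azure Resource Manager.

```json
{
  "parameters": {
    "certificateCommonName": {
      "type": "string",
      "metadata": { "description": "Common name (CN) of the cluster certificate; replaces certificateThumbprint" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachineScaleSets",
      "properties": { "virtualMachineProfile": {
        "osProfile": {
          // Key Vault installs the certificate into the given store on every node.
          "secrets": [ {
            "sourceVault": { "id": "[parameters('sourceVaultValue')]" },
            "vaultCertificates": [ {
              "certificateStore": "[parameters('certificateStoreValue')]",
              "certificateUrl": "[parameters('certificateUrlValue')]"
            } ]
          } ]
        },
        "extensionProfile": { "extensions": [ {
          "name": "ServiceFabricNodeVmExt",
          "properties": { "type": "ServiceFabricNode", "settings": {
            // Was: "certificate": { "thumbprint": "[parameters('certificateThumbprint')]", ... }
            "certificate": {
              "commonNames": [ "[parameters('certificateCommonName')]" ],
              "x509StoreName": "[parameters('certificateStoreValue')]"
            }
          } }
        } ] }
      } }
    },
    {
      "type": "Microsoft.ServiceFabric/clusters",
      "apiVersion": "2018-02-01",
      "properties": {
        // The cluster-level "certificate": { "thumbprint": ... } block is removed entirely.
        "certificateCommonNames": {
          "commonNames": [ {
            "certificateCommonName": "[parameters('certificateCommonName')]",
            "certificateIssuerThumbprint": ""
          } ],
          "x509StoreName": "[parameters('certificateStoreValue')]"
        }
      }
    }
  ]
}
```

With certificateIssuerThumbprint left empty, any certificate bearing that common name and chaining to a CA the nodes trust is accepted for the cluster; the schema lets you put the issuing CA's thumbprint there to narrow which issuer's certificates qualify.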