使用自动化帐户从azure密钥库安装SSL证书

时间:2019-05-24 08:08:32

标签: azure ssl automation azure-keyvault

我有一些问题。 我在密钥库中有来自LetsEncrypt的一些SSL证书,我想自动将证书以天蓝色的方式自动安装到VM。我用一些代码创建运行手册:

$connectionName = "AzureRunAsConnection"
try
{# Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
}
catch {if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}$certUrl = (Get-AzureKeyVaultSecret -VaultName "MyVault" -Name "letsecrypt-my-cert").Id;
$vm=Get-AzureRmVM -ResourceGroupName "MyRS" -Name "MyVm"
$vaultId=(Get-AzureRmKeyVault -VaultName "MyVault").ResourceId
$certStore = "MySSL"
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName "MyRS" -VM $vm

它将ssl安装到我的VM,但是我想检查证书的某些参数并运行此脚本,例如:如果证书已更新,请运行安装到vm,否则不执行任何操作。我必须使用哪些参数以及如何检查它们。也许有人执行类似的任务?

1 个答案:

答案 0 :(得分:0)

我通过以下代码修改解决了这个问题:

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection=Get-AutomationConnection -Name $connectionName         

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
$certUrl = (Get-AzureKeyVaultSecret -VaultName "MyVault" -Name "letsecrypt-MyCert").Id
$vm=Get-AzureRmVM -ResourceGroupName "MyRG" -Name "MyVm"
$certUrlOnVM=$vm.osProfile.secrets.vaultCertificates.certificateUrl
$vaultId=(Get-AzureRmKeyVault -VaultName "MyVault").ResourceId
$curentDate = Get-Date
$d = $curentDate.day
$m = $curentDate.month
$y = $curentDate.year
$curentDateStr = "$d/$m/$y"
$certStore = "MySSL_"+$curentDateStr
if ($certUrl.equals($certUrlOnVM)){
    "Certificate already installed on VM"
} else {
Get-AzureRmVM -ResourceGroupName "MyRG" -Name "MyVm" | Remove-AzureRmVMSecret | Update-AzureRmVM
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName "MyRG" -VM $vm
"Certificate installed on VM successfully"
}

我在vm上的OSProfile中添加了一些变量,用于在密钥保管库和sectioncertUrl中获取证书url。我检查keyvault和vm中的证书是否相同,我什么也不做,否则,我删除了vm的旧部分并安装了新证书。

相关问题
最新问题