Options to Configure the Azure Management Certificate for Azure Burst Deployments
Applies To: HPC Pack 2016, Microsoft HPC Pack 2012, Microsoft HPC Pack 2012 R2
Before you can deploy Azure nodes in your Windows HPC cluster, a management certificate must be uploaded to your Azure subscription. A corresponding certificate must be configured on the head node computer (or on each of the head node computers, if the head node is configured for high availability). For certain scenarios with some versions of HPC Pack, a certificate must also be configured on a client computer that is used to manage the cluster and that needs a connection to Azure.
Overview
The following table summarizes the required configuration for the management certificate for Azure node deployments. The exact configuration steps required depend on the source of the management certificate, the version of HPC Pack running on the cluster, and your cluster configuration. See the scenarios in the rest of this topic for examples.
Location | Certificate store | Type |
---|---|---|
Azure subscription | Subscription settings | Certificate only (.cer) |
Head node(s) | Local Computer\Personal | Certificate with private key (.pfx) |
Local Computer\Trusted Root Certification Authorities | Certificate only (.cer) | |
Current User\Personal (not needed starting with HPC Pack 2012 with SP1) | Certificate with private key (.pfx) | |
Client computer | Current User\Personal (not needed starting with HPC Pack 2012 with SP1) | Certificate with private key (.pfx) |
Current User\Trusted Root Certification Authorities (not needed starting with HPC Pack 2012 with SP1) | Certificate only (.cer) |
Note
If you plan deployments of Azure nodes with more than one Azure subscription, make sure that you configure all the management certificates that you need.
For more information about the Azure subscription and the options to obtain a management certificate for deployments of Azure nodes with HPC Pack, see Requirements to Add Azure Nodes with Microsoft HPC Pack.
To import or export certificates to certificate stores on a computer, an account with appropriate rights and permissions must be used. For general information about using the Certificates snap-in to perform certificate export and import, see the documentation for your version of Windows Server.
Scenario 1: Configure the Default Microsoft HPC Azure Management certificate
Important
This scenario is not supported starting in HPC Pack 2016.
In versions of HPC Pack before HPC Pack 2016, the Default Microsoft HPC Azure Management certificate is generated automatically on the head node (or head nodes) when HPC Pack is installed. This certificate is self-signed and unique to your installation of HPC Pack. This certificate is provided for testing purposes and proof-of-concept deployments. It simplifies but does not eliminate all certificate configuration tasks for Azure node deployments.
At installation, the Default Microsoft HPC Azure Management certificate is automatically imported to the required certificate stores for the local computer, and the %CCP_HOME%\bin\hpccert.cer file is generated. This file can then be uploaded to the Azure subscription by using the Azure portal or other tools for Azure. The additional tasks that you have to perform to use this certificate are described in this section.
The following figure shows the two certificate stores on the head node (or head nodes) where the Default Microsoft HPC Azure Management certificate is imported automatically when HPC Pack (starting with HPC Pack 2008 R2 with SP3) is installed.
The green arrows at the right of the figure show the following additional certificate stores where the HPC administrator needs to manually import the certificate for HPC Pack 2008 R2 with SP3, HPC Pack 2008 R2 with SP4, or HPC Pack 2012 RTM:
On each head node, import the certificate (with a private key) to the Current User\Personal store.
On a client computer used to manage the cluster and that needs a connection to Azure, import the certificate (with a private key) to the Current User\Personal store, and import the certificate in CER format (without a key) to the Current User\Trusted Root Certification Authorities store. If you do not use a client computer to manage the cluster, these steps are not necessary.
Use the following procedures to complete these tasks if they are needed.
Note
- If you are running at least HPC Pack 2012 with SP1, the Default Microsoft HPC Azure Management is automatically imported to the necessary certificate stores on the head node. No further configuration on the head node is needed, and no configuration on a client computer is needed. The certificate only needs to be uploaded to the Azure subscription.
- If you are running HPC Pack 2008 R2 with SP1 or HPC Pack 2008 R2 with SP2, the Default Microsoft HPC Azure Management, with its private key, is automatically imported only to the Local Computer\Trusted Root Certification Authorities store on the head node. It is not required to import the certificate (with a private key) to additional stores on the head node. However, as a security best practice, it is recommended that you update your private key certificate configurations to those expected starting with HPC Pack 2008 R2 with SP3.
Important
- Only use the Certificates snap-in to import and export the certificate. Do not install the certificate by opening the file in Windows Explorer.
- You cannot copy the certificate from a certificate store on one computer and paste it in a store on another computer.
To upload the Default Microsoft HPC Azure Management certificate to the Azure subscription
Sign in to the Azure portal.
Click Subscriptions > your_subscription_name.
Click Management certificates > Upload.
Browse for the file %CCP_HOME%\bin\hpccert.cer.
To export the Default HPC Azure Management Certificate in PFX format by using the Certificates snap-in
On the head node, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next.
Important
For this procedure you must select Computer account. Do not select another option on this page.Select Local computer, and then click Finish. Click OK.
In the console tree, expand Certificates, expand Personal, and then click Certificates.
In the details pane, click Default Microsoft HPC Azure Management.
To export the certificate in PFX format, do the following:
On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
On the Export Private Key page, click Yes, export the private key. Click Next.
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
On the Password page, type and confirm the password that you want to use to encrypt the private key. Click Next.
Follow the pages of the wizard to export the certificate in PFX format.
Important
A PFX formatted file that is exported is password protected. However, it should always be stored in a secure location.
To import the Default Windows Microsoft HPC Azure Management certificate to the Current User\Personal store on the head node
On the head node, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select My user account, and then click Finish.
In the console tree, expand Certificates – Current User, and then expand Personal.
To import the PFX formatted certificate, right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file to the Personal store.
Important
If you want, select the option to mark the key as exportable. This allows other HPC administrators to export the certificate with the private key at a later date. If you do not want to mark the key as exportable, store the .pfx file for the management certificate in a secure location and make it available to other HPC administrators when needed.After the certificate is imported, it appears in the details pane in the Certificates snap-in. You can double-click the certificate to check its status and to view details such as the thumbprint.
To import the Default Windows Microsoft HPC Azure Management certificate to certificate stores on a client computer used to administer the cluster
Log on to the client computer using the appropriate cluster administrator account.
Start the Certificates snap-in to manage user certificates. For example, at a command prompt, type
certmgr.msc
.To import the PFX formatted certificate to the Current User\Personal store, do the following:
In the console tree, expand Certificates, and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file to the Personal store.
Warning
As a security best practice, unless you have a specific reason to do it, do not select the option to mark the key as exportable when you import it to the Current User\Personal store.To import the CER formatted certificate to the Current User\Trusted Root Certification Authorities store, do the following:
In the console tree, expand Certificates, and then expand Trusted Root Certification Authorities.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the hpccert.cer file to the Trusted Root Certification Authorities store.
Additional considerations
- If you uninstall HPC Pack, the Default Microsoft HPC Azure Management certificate on the head node is not deleted. Both the hpccert.cer file and the Default Microsoft HPC Azure Management certificates in the certificate stores on the head node remain after uninstallation. If you reinstall HPC Pack at a later time, the Default Microsoft HPC Azure Management is not regenerated.
Scenario 2: Configure a self-signed certificate or a certificate from an unknown certification authority
To use your own self-signed certificate, or a certificate issued by a certification authority (CA) that is not already trusted, the HPC administrator for a cluster created with HPC Pack 2008 R2 with SP3, HPC Pack 2008 R2 with SP4, or HPC Pack 2012 RTM needs to perform all the manual configuration steps shown by the green arrows in the following figure on each head node and (if necessary) on any client computer that is used to manage the cluster.
Note
Starting with HPC Pack 2012 with SP1, the self-signed certificate only needs to be imported in the Local Computer\Personal and Local Computer\Trusted Root CAs stores.
For example, a self-signed X.509 v3 certificate can be created by using the makecert.exe tool, which is automatically installed with certain versions of Microsoft Visual Studio and the Windows SDK. The resulting certificate can then be imported to the necessary certificate stores on the head node and on client computers. Use the following procedures to complete these tasks if they are needed.
Important
- Only use the Certificates snap-in to import and export the certificate. Do not install the certificate by opening the file in Windows Explorer.
- You cannot copy the certificate from a certificate store on one computer and paste it in a store on another computer.
- In more recent versions of Windows, it's recommended to use the New-SelfSignedCertificate Windows PowerShell cmdlet to create a self-signed certificate.
To create a self-signed certificate by using makecert
Open a Visual Studio command prompt or a Windows SDK command prompt.
To create a self-signed X.509 certificate with key length 2048, install it in the Current User\Personal certificate store with the name WinAzureHPCCert, and create a corresponding CER file HPCcert.cer, type a command similar to the following:
makecert -r -pe -a sha1 -n "CN=WinAzureHPCCert" -ss My -len 2048 -sp "Microsoft Enhanced RSA and AES Cryptographic Provider" -sy 24 HPCcert.cer
To upload the self-signed certificate to the Azure subscription
Sign in to the classic portal.
Click Settings, click Management Certificates, and then click Upload
Browse for the file HPCcert.cer (the certificate file that you created by using makecert.exe).
To export the self-signed certificate in PFX format by using the Certificates snap-in
On the computer where you generated the self-signed certificate, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select My user account, and then click Finish. Click OK.
In the console tree, expand Certificates, expand Personal, and then click Certificates.
In the details pane, click WinAzureHPCCert (the name of the self-signed certificate that you created by using makecert.exe).
To export the certificate in PFX format, do the following:
On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
On the Export Private Key page, click Yes, export the private key. Click Next.
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
On the Password page, type and confirm the password that you want to use to encrypt the private key. Click Next.
Follow the pages of the wizard to export the certificate in PFX format.
Important
A PFX formatted file that is exported is password protected. However, it should always be stored in a secure location.
To import the self-signed certificate to certificate stores on the head node
On the head node, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next.
Select Local computer, and then click Finish.
In Available snap-ins, click Certificates, and then click Add.
Select My user account, and then click Finish. Click OK.
To import the PFX formatted certificate to the Local Computer\Personal store, do the following:
In the console tree, expand Certificates (Local Computer), and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file to the Personal store.
Important
If you want, select the option to mark the key as exportable. This allows other HPC administrators to export the certificate with the private key at a later date. If you do not want to mark the key as exportable, store the .pfx file for the management certificate in a secure location and make it available to other HPC administrators when needed.After the certificate is imported, it appears in the details pane in the Certificates snap-in. You can double-click the certificate to check its status and to view details such as the thumbprint.
To import the CER formatted certificate to the Local Computer\Trusted Root Certification Authorities store, do the following:
In the console tree, expand Certificates (Local Computer, and then expand Trusted Root Certification Authorities.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .cer file (without the private key) to the Trusted Root Certification Authorities store.
To import the PFX formatted certificate to the Current User\Personal store, do the following:
In the console tree, expand Certificates – Current User, and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file (with the private key) to the Personal store.
To import the self-signed certificate to certificate stores on a client computer
Log on to the client computer using the appropriate HPC administrator account.
Start Certificate Manager. For example, at a command prompt, type certmgr.msc.
In the console tree, expand Certificates, and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file (with the private key) to the Personal store.
In the console tree, expand Certificates, and then expand Trusted Root Certification Authorities.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .cer file (without the private key) to the Trusted Root Certification Authorities store.
Scenario 3: Configure a certificate from a trusted CA
To use a certificate issued by a public or enterprise CA that is already trusted, the HPC administrator for a cluster created with HPC Pack 2008 R2 with SP3, HPC Pack 2008 R2 with SP4, or HPC Pack 2012 RTM performs the manual configuration steps shown by the green arrows in the following figure on each head node and (if necessary) on any client computer that is used to manage the cluster.
Note
- Because the certificate is issued by a trusted CA, a trusted root certificate should already be configured on the computers, and it should not be necessary to import a certificate to the Trusted Root Certification Authorities store.
- Starting with HPC Pack 2012 with SP1, the trusted certificate only needs to be imported in the Local Computer\Personal store.
Use the following procedures to complete these tasks.
Important
- Only use the Certificates snap-in to import and export the certificate. Do not install the certificate by opening the file in Windows Explorer.
- You cannot copy the certificate from a certificate store on one computer and paste it in a store on another computer.
To export the trusted certificate in PFX format and in CER format by using the Certificates snap-in
On the head node computer, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next. Click OK.
Select Local computer, and then click Finish. Click OK.
In the console tree, expand Certificates, expand Trusted Root Certification Authorities, and then click Certificates.
In the details pane, click the trusted certificate.
To export the certificate in PFX format, do the following:
On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
On the Export Private Key page, click Yes, export the private key. Click Next.
On the Export File Format page, select Personal Information Exchange – PKCS #12 (.PFX). Click Next.
On the Password page, type and confirm the password that you want to use to encrypt the private key. Click Next.
Follow the pages of the wizard to export the certificate in PFX format.
Important
A PFX formatted file that is exported is password protected. However, it should always be stored in a secure location.To export the certificate in CER format, do the following:
On the Action menu, point to All Tasks, and then click Export. The Certificate Export Wizard appears. Click Next.
On the Export Private Key page, click No, do not export the private key. Click Next.
On the Export File Format page, select DER encoded binary X.509 (.CER). Click Next.
Follow the pages of the wizard to export the certificate in CER format.
To upload the certificate to the Azure subscription
Sign in to the classic portal.
Click Settings, click Management Certificates, and then click Upload
Browse for the .cer file that you exported previously from the Trusted Root Certification Authorities store.
To import the certificate to certificate stores on the head node
On the head node, start the Microsoft Management Console. For example, at a command prompt, type
mmc
.On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.
In Available snap-ins, click Certificates, and then click Add.
Select Computer account, and then click Next.
Select Local computer, and then click Finish.
In Available snap-ins, click Certificates, and then click Add.
Select My user account, and then click Finish. Click OK.
To import the PFX formatted certificate to the Local Computer\Personal store, do the following:
In the console tree, expand Certificates (Local Computer), and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file to the Personal store.
Important
If you want, select the option to mark the key as exportable. This allows other HPC administrators to export the certificate with the private key at a later date. If you do not want to mark the key as exportable, store the .pfx file for the management certificate in a secure location and make it available to other HPC administrators when needed.After the certificate is imported, it appears in the details pane in the Certificates snap-in. You can double-click the certificate to check its status and to view details such as the thumbprint.
To import the PFX formatted certificate to the Current User\Personal store, do the following:
In the console tree, expand Certificates – Current User, and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file (with the private key) to the Personal store.
To import the certificate to certificate stores on a client computer
Log on to the client computer using the appropriate HPC administrator account.
Start Certificate Manager. For example, at a command prompt, type certmgr.msc.
In the console tree, expand Certificates, and then expand Personal.
Right-click Certificates, point to All Tasks, and then click Import. The Certificate Import Wizard appears.
Follow the pages of the wizard to import the .pfx file (with the private key) to the Personal store.
Troubleshoot certificate problems
The following table lists some common problems when configuring a management certificate in an Azure node template or when deploying Azure nodes, along with possible causes and resolution steps.
Problem | Possible causes | Resolution |
---|---|---|
No certificate available when browsing for management certificates |
- Private key certificate is not imported to a required certificate store - Certification authority of root certificate is not trusted |
Import the certificate to all required certificate stores, as described earlier in this topic. Note: The required certificate stores in HPC Pack 2008 R2 with SP1 or HPC Pack 2008 R2 with SP2 differ from those in later versions of HPC Pack. More recent versions of HPC Pack provide a more secure configuration. |
There was a problem with the certificate with thumbprint: <thumbprint> error after entering a certificate thumbprint or selecting a certificate |
- Certificate thumbprint is not properly formatted or does not correspond to a certificate in a required certificate store - Certificate chain is broken - Certificate is not properly imported into a certificate store - Certificate is expired |
- Ensure that the certificate thumbprint contains the required number of characters, does not contain spaces, and corresponds to the proper authentication certificate. - Verify that the certification authority that issued the certificate is trusted. If necessary, establish the trust relationship. To do this on the head node, import the certificate without its private key (the certificate in CER format) to the Local Computer\Trusted Root Certification Authorities store. - In the Certificates snap-in, double-click the certificate and check that the certificate does not display configuration errors such as The CA Root certificate is not trusted or The certificate has expired or is not yet valid. |
The remote server returned an error: (403) Forbidden error message after entering a valid certificate thumbprint or browsing to select a certificate |
Certificate is not added to the Azure subscription | Upload the certificate to the Azure subscription by using the classic portal. |
The request was aborted: Could not create SSL/TLS secure channel error message after browsing to select the Default Microsoft HPC Azure Management certificate |
The hpccert.cer file generated by HPC Pack does not match the certificate files that are imported to the certificate stores on the head node | Regenerate the Default Microsoft HPC Azure Management certificate as follows: - Delete the hpccert.cer file on the head node (or head nodes). - Restart the HPC Management service. - Confirm that the certificate is imported to the certificate stores on the head node. - Upload the certificate to the Azure subscription by using the Azure classic portal. |