CERTIFICATE DNS IS INVALID during certificate portion of installer

Category: azure stack


johnwildes on Tue, 11 Jul 2017 13:35:24


I'm trying to install the App Service RC1 in my Azure Stack environment. Following the steps in the guide, I've created my certificates using the PowerShell script. That part completed successfully, but when I use the output PFX and CER files I get a CERTIFICATE DNS IS INVALID error and cannot proceed through the installer.

Reviewing the certificates doesn't show anything out of the ordinary.

Please advise.


John Wildes | Azure Cloud Architect | ViON Corporation


Alok.Pagariya on Tue, 11 Jul 2017 19:06:04

Hi -

Can you share the parameters you passed to Create-AppServiceCerts.ps1?

For Azure SDK deployment (1 node) below are the sample parameters.

.\Create-AppServiceCerts.ps1 -pfxPassword ****** -DomainName "local.azurestack.external" -CertificateAuthority "AzS-CA01.azurestack.local"

As part of validation during deployment, it checks for the values below in the Subject Alternative Name (SAN).

Below is updated information
App Service wildcard cert (App Service default SSL certificate file (*.pfx):)
DNS Name=*.appservice.local.azurestack.external
DNS Name=*.scm.appservice.local.azurestack.external

App Service api cert (Resource provider SSL certificate file (*.pfx)):
DNS Name=api.appservice.local.azurestack.external

For Create Identity script (Post deployment step)
CN = sso.appservice.local.azurestack.external

Hope this helps.
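
One way to run the SAN check described in this reply before starting the installer, as an added example that is not part of the original thread or the App Service installer: it reads the Subject Alternative Name extension of a certificate and compares it with the DNS names listed above for a given domain. The function names, the in-memory sample certificate and the placeholder PFX path are assumptions; the installer's own validation logic is not shown on this page.

```powershell
# Added example; function names are hypothetical, not part of the App Service installer.
function Get-SanDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Windows (English) renders "DNS Name=<value>"; OpenSSL-backed platforms render "DNS:<value>".
    [regex]::Matches($ext.Format($true), '(?:DNS Name=|DNS:)\s*([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-AppServiceCertSan {
    param(
        [Parameter(Mandatory)] $Certificate,
        [Parameter(Mandatory)] [ValidateSet('Default', 'Api')] [string]$Role,
        [Parameter(Mandatory)] [string]$DomainName
    )
    # Expected SAN entries as listed in the reply above.
    $expected = switch ($Role) {
        'Default' { "*.appservice.$DomainName", "*.scm.appservice.$DomainName" }
        'Api'     { "api.appservice.$DomainName" }
    }
    $actual  = @(Get-SanDnsName -Certificate $Certificate)
    $missing = @($expected | Where-Object { $_.ToLowerInvariant() -notin $actual })
    [pscustomobject]@{
        Role    = $Role
        Found   = $actual -join ', '
        Missing = $missing -join ', '
        Valid   = ($missing.Count -eq 0)
    }
}

# Constructed sample: in-memory self-signed certificate (needs .NET Framework 4.7.2+ or PowerShell 7).
function New-SampleCert {
    param([string[]]$DnsName)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$($DnsName[0])", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    $DnsName | ForEach-Object { $san.AddDnsName($_) }
    $req.CertificateExtensions.Add($san.Build($false))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddMinutes(-5), [DateTimeOffset]::UtcNow.AddDays(1))
}

$sample = New-SampleCert '*.appservice.local.azurestack.external', '*.scm.appservice.local.azurestack.external'
Test-AppServiceCertSan -Certificate $sample -Role Default -DomainName 'local.azurestack.external'
Test-AppServiceCertSan -Certificate $sample -Role Default -DomainName 'herndonlab.azurestack.external'
# For a real file: [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path-to-pfx>', '<pfx-password>')
```

The second call reports both wildcard names under Missing, because the sample certificate was issued for a different domain than the one being checked.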



Ruud Borst on Wed, 12 Jul 2017 12:13:40

Hi John, be sure you get them from the right directory. This is what the folder structure looks like.

johnwildes on Wed, 12 Jul 2017 13:35:46


I used a different domain name, one that I used while installing the Azure Stack.  

The domain name is herndonlab.azurestack.external, rather than local.azurestack.external. 

The certificates create successfully.  I have all of the certs that I should have according to the instruction.

johnwildes on Wed, 12 Jul 2017 13:37:28


Thanks for the reply, I used C:\Temp for my location of the App Service utilities, so my certificates are in C:\Temp but I have all the ones you show above.  I used a custom domain name during the installation of Azure Stack so my domain is not local.azurestack.external, it is herndonlab.azurestack.external because I have multiple POC locations I'm building. 

I am pulling them from the right directory when I run the installer, it just happens to not be the same one as you have up there.



Alok.Pagariya on Wed, 12 Jul 2017 18:59:27

Can you please share the deployment logs? They should be generated in the same folder from which you are running the installer.

Also share ARM endpoint metadata.

For example on my AAD environment it is : 

Browse to : https://adminmanagement.local.azurestack.external/metadata/endpoints?api-version=1.0


Ruud Borst on Thu, 13 Jul 2017 07:43:39

Ah, I have not yet deployed ASDK with our custom domain. I will deploy it today and see if I hit the same issue.

Jeff Goldner [MSFT] on Tue, 18 Jul 2017 17:16:12

Hi Ruud

Have you succeeded or do you need further assistance?


johnwildes on Thu, 03 Aug 2017 23:36:49

I've actually given up on it, since it's a TP3 system, not Azure Stack GA POC software. I will rebuild and attempt this with the GA Azure Stack SDK (POC) and see if the error exhibits itself again.