How are certificates deployed to roles in Azure CSES?


In regards to deploying certs to role instances of cses, what's the significance of specifying references to certificates in osprofile.secrets (in ARM template while describing cses) and also in .csdef/.cscfg? Do I need to list in both places?

Based on the documentation, the cert list in template.json's osprofile.secrets.vault.certificates 'Specifies set of certificates that should be installed onto the role instances.' Does that mean that when a new role is created, cses will install these certificates on the role instance (VM)? If yes, how does it know which store to install the certificates to in the VM?

Again, the same set of certificates are also listed in service definition file's (.csdef) certificate element. The documentation for that says, 'declaration of all certificates that need to be deployed'. How is this different from what osprofile.secrets.vault.certificates is doing?

Is it something like one of them (osprofile) specifies certificates that need to be downloaded (not installed) to the role instance? And the other listing, in csdef, means install the certs to the specified store location and store name?

Greg D

Yes, you need to list the secrets in all three places if you want to use them.

Per the docs, it looks like there's a 3-step dance going on:

  1. Secret definitions in the template describe where the secrets are coming from. A particular keyvault certificate, for example.
  2. Certificate configuration entries in the CSCFG associate available certificates from the template with names, presumably by thumbprint.
  3. Certificate entries in the CSDEF finally associate the certificate named in the CSCFG with a store location, describing where the certificate with a particular name will be installed (/LocalMachine/My, e.g.)

Roughly speaking, it looks like the Secrets in the template have replaced the old Classic cloud service model of "adding" service certificates.
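To make the three-step dance concrete, here is an added example (not from the question or from Greg D's answer) that embeds a constructed template fragment, .csdef and .cscfg for one certificate and cross-checks that they agree: every certificate named in the .cscfg has a store in the .csdef and vice versa, and every .cscfg thumbprint is actually delivered by a Key Vault certificate referenced in the template's osProfile.secrets. The template carries certificate URLs, not thumbprints, so the check takes a URL-to-thumbprint mapping as input; here that mapping (and every name, thumbprint and vault URL) is constructed for the example, while in practice you would read it from Key Vault. The property and attribute names are the ones the CSES template schema and the .csdef/.cscfg schemas use.

```python
"""Cross-check one certificate across the three places a CSES deployment
declares it: ARM template (osProfile.secrets), .cscfg (name -> thumbprint)
and .csdef (name -> store).  All sample documents are constructed."""
import json
import xml.etree.ElementTree as ET

# Constructed ARM template fragment: only the parts the check needs.
TEMPLATE_JSON = """{
  "resources": [{
    "type": "Microsoft.Compute/cloudServices",
    "properties": {
      "osProfile": {
        "secrets": [{
          "sourceVault": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.KeyVault/vaults/example-kv"},
          "vaultCertificates": [
            {"certificateUrl": "https://example-kv.vault.azure.net/secrets/ssl-cert/0123456789abcdef"}
          ]
        }]
      }
    }
  }]
}"""

# Constructed .csdef: names the certificate and says which store it goes into.
CSDEF_XML = """<ServiceDefinition name="ExampleService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Certificates>
      <Certificate name="SslCert" storeLocation="LocalMachine" storeName="My" permissionLevel="limitedOrElevated" />
    </Certificates>
  </WebRole>
</ServiceDefinition>"""

# Constructed .cscfg: binds the same name to a thumbprint (constructed value).
CSCFG_XML = """<ServiceConfiguration serviceName="ExampleService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="WebRole1">
    <Certificates>
      <Certificate name="SslCert" thumbprint="AABBCCDDEEFF00112233445566778899AABBCCDD" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>"""

# Assumed: what you would fetch from Key Vault for each certificateUrl.
VAULT_THUMBPRINTS = {
    "https://example-kv.vault.azure.net/secrets/ssl-cert/0123456789abcdef":
        "AABBCCDDEEFF00112233445566778899AABBCCDD",
}

NS_DEF = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition}"
NS_CFG = "{http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration}"


def template_cert_urls(template_text):
    """Step 1: certificateUrl values from osProfile.secrets of each cloudServices resource."""
    urls = []
    for res in json.loads(template_text).get("resources", []):
        if res.get("type") != "Microsoft.Compute/cloudServices":
            continue
        for secret in res.get("properties", {}).get("osProfile", {}).get("secrets", []):
            urls.extend(c["certificateUrl"] for c in secret.get("vaultCertificates", []))
    return urls


def cscfg_certs(cscfg_text):
    """Step 2: {(role, certName): normalised thumbprint} from the .cscfg."""
    root = ET.fromstring(cscfg_text)
    out = {}
    for role in root.findall(NS_CFG + "Role"):
        for cert in role.iter(NS_CFG + "Certificate"):
            tp = cert.get("thumbprint", "").replace(" ", "").upper()
            out[(role.get("name"), cert.get("name"))] = tp
    return out


def csdef_certs(csdef_text):
    """Step 3: {(role, certName): (storeLocation, storeName)} from the .csdef."""
    root = ET.fromstring(csdef_text)
    out = {}
    for role in root.findall(NS_DEF + "WebRole") + root.findall(NS_DEF + "WorkerRole"):
        for cert in role.iter(NS_DEF + "Certificate"):
            out[(role.get("name"), cert.get("name"))] = (cert.get("storeLocation"), cert.get("storeName"))
    return out


def find_mismatches(template_text, csdef_text, cscfg_text, vault_thumbprints):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    urls = template_cert_urls(template_text)
    for url in urls:
        if url not in vault_thumbprints:
            problems.append(f"template references {url} but its thumbprint is unknown")
    delivered = {vault_thumbprints[u].upper() for u in urls if u in vault_thumbprints}
    defs, cfgs = csdef_certs(csdef_text), cscfg_certs(cscfg_text)
    for key in sorted(defs.keys() - cfgs.keys()):
        problems.append(f"csdef declares {key} but cscfg gives it no thumbprint")
    for key in sorted(cfgs.keys() - defs.keys()):
        problems.append(f"cscfg names {key} but csdef declares no store for it")
    for key, tp in sorted(cfgs.items()):
        if tp not in delivered:
            problems.append(f"cscfg thumbprint {tp} for {key} is not delivered by any template secret")
    return problems


if __name__ == "__main__":
    for line in find_mismatches(TEMPLATE_JSON, CSDEF_XML, CSCFG_XML, VAULT_THUMBPRINTS) or ["consistent"]:
        print(line)
```

Run it against your own files by reading them into the three strings; a certificate that is present in the .csdef and .cscfg but whose thumbprint matches none of the template's vault certificates is the case the answer warns about, and it shows up as the last kind of problem.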