Presentiments: your Service Fabric cluster must be of version 7.1. Since the automatic rollout was postponed, you would need to temporarily switch to the manual mode, select the latest version, and then switch back once the upgrade is complete. To me it took just a few minutes.
 |  |  |
Before I had the following configuration for a SSL certificate in my application manifest. The endpoint certificate was configured as regular certificate because Service Fabric was not supporting loading it by SNI, and now it does. I also had manually to ACL it to Network Service.
<Principals>
<Users>
<User Name="NetworkServiceUser" AccountType="NetworkService" />
</Users>
</Principals>
<Policies>
<SecurityAccessPolicies>
<SecurityAccessPolicy ResourceRef="SSLCert" PrincipalRef="NetworkServiceUser" GrantRights="Full" ResourceType="Certificate" />
</SecurityAccessPolicies>
</Policies>
<Certificates>
<SecretsCertificate X509FindType="FindBySubjectName" X509FindValue="[SSL_Certificate_SubjectName]" Name="SSLCert" />
</Certificates>
Now it looks like this:
<ServiceManifestImport>
<Policies>
<EndpointBindingPolicy EndpointRef="ServiceTypeEndpoint_Secure" CertificateRef="SSLCert" />
</Policies>
</ServiceManifestImport>
<Certificates>
<EndpointCertificate X509FindType="FindBySubjectName" X509FindValue="[SSL_Certificate_SubjectName]" Name="SSLCert" />
</Certificates>
Once the application is deployed, Service Fabric will start looking for a new certificate by SNI every 1 minutes and ACL it to Network Service (grant it access to the private key) automatically.
Alexander Batishchev's Blog 