Azure Portal: API Management check client certificates

Question

Is it possible to check a client certificate, that is sent with a GET https API call, against the certificates that are in the API Manager client certificate store?

In the Azure portal, it is only possible to upload client certificates with a private key and password. Clients however, will never send the private key part of their certificate with their password.

Azure gives an error when I try to upload a client certificate with only the public key.

According to the Azure Portal API Management documentation, it should be possible: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

Vitaliy Kurokhtin Vitaliy Kurokhtin · Accepted Answer · 2019-03-08T19:10:59

Those two things are separate features. You upload client certificates (pfx with private key) into APIM when you want to use that certificate to authenticate calls APIM makes to backend.

If you want to validate certificate client sends to APIM you can go very simple with just checking, say, thumbprint of context.Request.ClientCertificates in choose policy, or you can call Verify or VerifyNoRevocation on a certificate if it has complete chain. You can upload own CA certificates into APIM to make it so.

Azure Portal: API Management check client certificates

2 Answers