I am trying to validate a client certificate in Azure API Management using the context.Request.Certificate.Verify() method. I have tried the following steps:

  1. I created a self-signed root CA certificate and then created a client certificate and key file.
  2. Now, from Postman, I am trying to call a method with the client certificate attached. I have verified via trace that the certificate is sent to APIM.
  3. I uploaded the root CA certificate in APIM -> CA certificates. While uploading, I converted it to a ".cer" file, as it does not accept ".crt" files, and set the Store to "Trusted root".
  4. In the APIM policy, I used the method context.Request.Certificate.Verify() to validate the client certificate.

Now, when I call the APIM API with the client certificate, the above method (step 4) always returns False, as verified from the APIM trace. I am not sure what I am doing wrong, or where. Any help, guidance or article would be really helpful.

2 Answers

For client certificate validation in Azure API Management, the following steps are generally required.

  1. Generate a root CA and an intermediate CA, along with the client certificates.
  2. Upload the intermediate certificate, which validates the client certificates sent by the user.

You can use this guide to set up the CA.

I faced similar issues. The investigation summary / cause is below:

  • Later, the customer encountered the issue again when they sent a PFX certificate as a client certificate to APIM from Postman.
  • The self-signed certificate's CRL distribution points (the URLs of the certificate revocation lists) and access information cannot be publicly reached (APIM is publicly hosted, not internal); hence Certificate.Verify fails.

There are 2 options to fix the issue:

  • Purchase a certificate from a publicly trusted CA.
  • Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify, so that APIM will not check the revocation list during verification.

Note: If Certificate.Verify is a mandatory requirement from your security team, then you would have to purchase a certificate from a trusted CA; otherwise you need to use VerifyNoRevocation, since APIM cannot retrieve the revocation list information. VerifyNoRevocation will still verify the certificate path.
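The following script is an added example, not code from either answer or from the original poster. It reproduces the setup the two answers describe locally with openssl: a self-signed root, an intermediate CA and a client certificate (the first answer's layout), a DER ".cer" copy of the root and a PFX bundle for Postman (the question's steps 1 and 3), and then three openssl verify runs that mirror the behaviour the second answer explains. Path building alone succeeds (what VerifyNoRevocation still checks), a run that insists on a CRL fails because none can be obtained (the outcome of Verify when APIM cannot reach the distribution point), and a run without the intermediate fails (why the first answer says to upload it). The CA names, the unreachable CDP URL on a .invalid host and the "changeit" PFX password are made-up values for this demo. One caveat: openssl verify never downloads CRLs, so the failing revocation check is a local analogue of APIM's failed fetch, not the same code path.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Builds a throwaway
# three-tier PKI with openssl, then shows why a chain check succeeds while a
# revocation check fails when no CRL can be obtained. The CDP URL, subject
# names and the "changeit" PFX password are made-up values for this demo.

make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Extension profiles. The client profile carries a CRL distribution point
    # whose host (.invalid TLD) can never be reached, like a private CDP seen
    # from the public APIM service.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://pki.example.invalid/intermediate.crl
EOF
    # 1. Self-signed root CA (what the question uploads to APIM as "Trusted root").
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # 2. Intermediate CA signed by the root (the certificate the first answer says to upload).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=Demo Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -sha256 -extfile "$dir/ca.cnf" -extensions v3_intermediate \
        -out "$dir/int.pem" 2>/dev/null || return 1
    # 3. Client certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=postman-client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/ca.cnf" -extensions v3_client \
        -out "$dir/client.pem" 2>/dev/null || return 1
    # 4. DER-encoded .cer copy of the root, the format the APIM CA-certificate upload accepted.
    openssl x509 -in "$dir/root.pem" -outform DER -out "$dir/root.cer" || return 1
    # 5. PFX bundle (key + client cert + intermediate) for Postman's client-certificate setting.
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.pem" \
        -certfile "$dir/int.pem" -passout pass:changeit -out "$dir/client.pfx" || return 1
}

# Path building only: trusted root plus the untrusted intermediate. This is the
# part of the check that VerifyNoRevocation() still performs.
verify_chain() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/client.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Same chain, but also demand a CRL for every CA. openssl never downloads CRLs,
# and none is on disk, so this fails with "unable to get certificate CRL": the
# local analogue of Verify() failing when APIM cannot fetch the CDP.
verify_chain_with_crl_check() {
    if openssl verify -crl_check_all -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/client.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Chain check with the intermediate neither trusted nor presented: fails with
# "unable to get local issuer certificate".
verify_without_intermediate() {
    if openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

if [ "${PKI_DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    echo "chain only (VerifyNoRevocation analogue): $(verify_chain "$d")"
    echo "chain + CRL required (Verify analogue):    $(verify_chain_with_crl_check "$d")"
    echo "intermediate not provided:                $(verify_without_intermediate "$d")"
fi
```

Run it as is and the three lines print ok, fail, fail. On the APIM side the equivalent of the first run is a policy condition such as @(context.Request.Certificate != null && context.Request.Certificate.VerifyNoRevocation()) inside a choose/when that returns 403 otherwise; the null check matters because a request that carries no certificate at all must be rejected rather than dereferenced. If the security team insists on revocation checking, the CDP and AIA URLs embedded in the issued certificates must be reachable from the public APIM service, which is what the second answer's "buy from a public CA" option provides.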