I want to secure my services using Azure API Management Resource and a client certificate.
According to the following documentation, I uploaded my self-signed root certificate in CA Certificate as Root.
Inside API policies, I'm asking for the certificate validation:
<when condition="@(!context.Request.Certificate.VerifyNoRevocation())">
    <return-response>
        <set-status code="403" reason="Not verified certificate" />
    </return-response>
</when>
The Root CA is not the issuer of the client cert: I have two intermediate CAs:
Root => Inter1 => Inter2 => Client
So I provide the chain, using curl:
curl --cert-type pem --cacert full-chain.pem --cert user.crt --key user.key https://my-api-management-url -i
But APIM doesn't seem to use the provided chain to validate it against the uploaded Root CA. The only time I could pass the check was when I put Inter2 as the CA Certificate in APIM.
Is there a setting to allow APIM to use the provided chain, or can APIM only check whether the CA is the issuer of the client certificate?
For information, the chain is valid when I try to call a NginX server with the same Root CA and the same curl command (just changing URL, of course).
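A runnable illustration of the chain question above, added here and not part of the original post: it builds a throwaway PKI with the same shape (Root => Inter1 => Inter2 => Client) with openssl, then runs openssl verify three ways to show why a verifier that holds only the root cannot validate the client certificate unless the intermediates reach it from somewhere, and why anchoring on Inter2 works only when the verifier accepts a chain that stops short of a self-signed root. The file names (root.crt, inter1.crt, inter2.crt, chain.pem, user.crt) and the lab config are this example's own choices; it says nothing about how APIM itself assembles the chain.

```shell
#!/bin/sh
# Added example: throwaway PKI shaped like the asker's (Root => Inter1 => Inter2 => Client),
# used to show what a verifier can check depending on which certificates it holds.
# All names and files here are invented for the lab.
set -eu

LAB="$(mktemp -d)"
trap 'rm -rf "$LAB"' EXIT
cd "$LAB"

# Self-contained OpenSSL config so the lab does not depend on the system openssl.cnf.
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = lab
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

newkey() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
}

# issue NAME PARENT EXT_SECTION: key + CSR for NAME, signed by PARENT with the given extensions.
issue() {
  newkey "$1"
  openssl req -new -config lab.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile lab.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

newkey root
openssl req -x509 -new -config lab.cnf -key root.key -subj "/CN=root" -days 1 -out root.crt 2>/dev/null
issue inter1 root   ca_ext
issue inter2 inter1 ca_ext
issue user   inter2 leaf_ext
cat inter2.crt inter1.crt > chain.pem   # what a client would send alongside its own certificate

# Each check prints "ok" or "fail". -CAfile plays the role of the configured trust
# anchor (the CA certificate uploaded to APIM); -untrusted is what the peer supplied.
verify_with_root_only() {
  openssl verify -CAfile root.crt user.crt >/dev/null 2>&1 && echo ok || echo fail
}
verify_with_root_and_supplied_chain() {
  openssl verify -CAfile root.crt -untrusted chain.pem user.crt >/dev/null 2>&1 && echo ok || echo fail
}
# Mirrors the asker's workaround: the issuing intermediate itself is the anchor, which
# only passes when the verifier accepts a chain that does not end at a self-signed root.
verify_with_inter2_as_anchor() {
  openssl verify -CAfile inter2.crt -partial_chain user.crt >/dev/null 2>&1 && echo ok || echo fail
}

echo "root only, no intermediates:  $(verify_with_root_only)"               # fail
echo "root + client-supplied chain: $(verify_with_root_and_supplied_chain)" # ok
echo "inter2 as anchor (partial):   $(verify_with_inter2_as_anchor)"        # ok
```

The first check fails with "unable to get local issuer certificate": the verifier can see that user.crt was signed by Inter2, but it has no copy of Inter2 or Inter1, so it cannot walk up to the root it trusts. The second check passes because the intermediates are supplied next to the leaf. Note that in curl the --cacert file only names the anchors curl uses to verify the server's certificate; with the OpenSSL backend, the intermediates the client sends are taken from the --cert file, which may contain the client certificate followed by its chain.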
VerifyNoRevocation indicates the verification against a CRL/CDP and/or OCSP. As you write self-signed I guess nothing like this is in place, right? – Daniel Fisher lennybacon

If you are using self-signed certificates, you will need to disable certificate chain validation in order for API Management to communicate with the backend system. Otherwise it will return a 500 error code. To configure this, you can use the New-AzApiManagementBackend (for new back end) or Set-AzApiManagementBackend (for existing back end) PowerShell cmdlets and set the -SkipCertificateChainValidation parameter to True.

Doesn't that mean that you just can't verify the chain yet? – DSpirit