Amit

Reputation: 13

How to verify my client certificate with the Root CA certificate in Azure API Management inbound policy?

I have to take my Root CA from Azure Key Vault inside the Azure APIM inbound policy and verify the requested client certificate inside the policy. For this I have followed the link below and was able to get the certificate: https://github.com/galiniliev/api-management-policy-snippets/blob/galin/AkvCert/examples/Look%20up%20Key%20Vault%20certificate%20using%20Managed%20Service%20Identity%20and%20call%20backend.policy.xml

But I am not able to validate the client certificate by using my Root CA that I have fetched from Azure Key Vault. Following are the values of the Root CA that I am getting from Azure Key Vault:

{"id":"https://newdev-keyvault.vault.azure.net/certificates/MyRootCA/bf34888e**********","kid":"https://newdev-keyvault.vault.azure.net/keys/MyRootCA/bf34888e*************","sid":"https://newdev-keyvault.vault.azure.net/secrets/MyRootCA/bf34888**************","x5t":"gYbnPUooh4D5_ogrmWCEvfDjYXo","cer":"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","attributes":{"enabled":true,"nbf":1587025108,"exp":1902385108,"created":1587036499,"updated":1587036499,"recoveryLevel":"Recoverable+Purgeable"}}

Can anyone help me to verify the client certificates inside the Inbound policy?

Upvotes: 1

Views: 831

Answers (1)

Vitaliy Kurokhtin

Reputation: 7810

The certificate you obtain dynamically from AKV cannot be used at the moment to validate the client certificate from the request. The only way is to upload the CA certificate to APIM and then call .Validate on the request certificate. That will require you to export the certificate from AKV and refresh it in APIM every time it changes.

Upvotes: 1
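An inbound policy fragment for the approach this answer describes, added here as an example (it is not code from the question, the answer or Microsoft). It assumes the root CA has already been uploaded to the APIM instance's CA certificate store, that its subject is CN=MyRootCA (a placeholder taken from the Key Vault certificate name in the question), and it uses the Verify() method that APIM exposes on context.Request.Certificate (an X509Certificate2) for the chain check.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- No client certificate was presented on the TLS connection: reject. -->
            <when condition="@(context.Request.Certificate == null)">
                <return-response>
                    <set-status code="403" reason="Client certificate required" />
                </return-response>
            </when>
            <!-- Chain validation against the CA certificates uploaded to this APIM
                 instance. A CA fetched from Key Vault at request time is not part of
                 this store, so it does not take part in the check. Verify() also
                 rejects expired or not-yet-valid certificates. -->
            <when condition="@(!context.Request.Certificate.Verify())">
                <return-response>
                    <set-status code="403" reason="Client certificate chain validation failed" />
                </return-response>
            </when>
            <!-- Defence in depth: pin the issuer to the expected root so that a
                 certificate chaining to some other CA in the store is still rejected.
                 "CN=MyRootCA" is a placeholder for the real issuer DN. -->
            <when condition="@(context.Request.Certificate.Issuer != &quot;CN=MyRootCA&quot;)">
                <return-response>
                    <set-status code="403" reason="Client certificate issued by an untrusted CA" />
                </return-response>
            </when>
        </choose>
        <!-- Forward the validated identity to the backend as a header it can trust,
             because APIM has already performed the checks above. -->
        <set-header name="X-Client-Cert-Subject" exists-action="override">
            <value>@(context.Request.Certificate.Subject)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```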
