Chris Green

Reputation: 1

How can I configure Azure Application Gateway to only accept client certificates with a specific subject

I have configured mutual authentication on an Azure Application Gateway. Currently all client certificates issued by the intermediate CA (as configured on SSL profile) are accepted, but I only want a specific certificate to be granted access, ideally based on the subject of the client certificate. Making changes to the CA that issues the client certificate is not feasible in my case.

Options explored:

  1. Use the leaf certificate when configuring the SSL profile: the app gateway seems to ignore the leaf certificate; all client certificates issued by the intermediate CA are accepted.
  2. Configure a rewrite rule action to pass a server variable (e.g. client_certificate_subject) to the backend in a custom request header. This would require changing the backend to interpret the request header, which I'm trying to avoid.
  3. Configure a rewrite rule condition to check a server variable (e.g. client_certificate_subject) and conditionally take some action. Ideally the action should set the HTTP response code (without forwarding the request to the backend) or rewrite to an error page generated by the app gateway (e.g. HTTP 401 Unauthorized / 403 Forbidden). Can this be done somehow?
  4. WAF rules don't seem like a viable option as they don't have access to server variables.

Hoping to find a way of configuring this requirement on the app gateway. Thanks.

Upvotes: 0

Views: 1481
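For option 2 above, this is an added example (not code from the question, the answer, or Azure) of the backend-side check that the custom request header would require: it allowlists the forwarded client_certificate_subject value and rejects anything else. The header name and the subject strings are assumptions chosen for illustration.

```python
# Added example for "option 2": the Application Gateway rewrite rule copies the
# client_certificate_subject server variable into a request header, and the
# backend allowlists the value. Header name and subjects below are assumptions.
from typing import Mapping, Optional

# Assumed name of the header set by the gateway rewrite rule.
SUBJECT_HEADER = "X-Client-Cert-Subject"

# Constructed allowlist of the subjects that may reach this backend.
ALLOWED_SUBJECTS = {
    "CN=billing-client, O=Example Corp, C=GB",
}


def normalise_subject(subject: str) -> str:
    """Trim whitespace around RDN separators so 'CN=a,O=b' and 'CN=a, O=b' compare equal."""
    return ", ".join(part.strip() for part in subject.split(","))


def forwarded_subject(headers: Mapping[str, str]) -> Optional[str]:
    """Case-insensitive lookup of the gateway-supplied subject header."""
    wanted = SUBJECT_HEADER.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def client_allowed(headers: Mapping[str, str]) -> bool:
    """True only if the forwarded subject exactly matches an allowlisted subject.

    A missing or empty header is rejected: the gateway sets it for every
    mutually authenticated client, so its absence means the request did not
    arrive through the expected path.
    """
    subject = forwarded_subject(headers)
    if not subject:
        return False
    allowed = {normalise_subject(s) for s in ALLOWED_SUBJECTS}
    return normalise_subject(subject) in allowed


def handle(headers: Mapping[str, str]) -> int:
    """HTTP status the backend returns: 200 for an allowlisted client, else 403."""
    return 200 if client_allowed(headers) else 403
```

This check is only sound if the rewrite action overwrites the header (so a client cannot supply its own) and the backend is reachable solely through the gateway.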

Answers (1)

SKishor-MSFT

Reputation: 91

I understand that you want to be able to allow specific certificates only based on their subject names etc., to be granted access by the Application Gateway.

You can't use a rewrite rule because in order to "get to" a rule in the first place you have to get through the listener and you can't get through the listener if you can't authenticate with mutual authentication.

At this point, the best way to prevent people from accessing the App GW would be to not give them the leaf certificate, so they cannot access it.

Also please note that Application Gateway mutual authentication is in preview right now and is therefore intended for evaluation and testing, not production. Once it is GA, there will be options for revocation lists and checks.

Hope this helps. Please do let us know if you have further questions. Thank you!

Upvotes: 0
