Azure Portal: API Management check client certificates
Is it possible to check a client certificate that is sent with a GET HTTPS API call against the certificates that are in the API Manager client certificate store?
In the Azure portal, it is only possible to upload client certificates with a private key and password.
Clients, however, will never send the private key part of their certificate with their password.
Azure gives an error when I try to upload a client certificate with only the public key.
According to the Azure Portal API Management documentation, it should be possible:
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients
azure api certificate azure-api-management azureportal
asked Mar 7 at 16:52
Koen Goovaerts
2 Answers
Those two things are separate features. You upload client certificates (pfx with private key) into APIM when you want to use that certificate to authenticate calls APIM makes to the backend.
If you want to validate the certificate a client sends to APIM, you can go very simple with just checking, say, the thumbprint of context.Request.ClientCertificates in a choose policy, or you can call Verify or VerifyNoRevocation on a certificate if it has a complete chain. You can upload your own CA certificates into APIM to make it so.
answered Mar 8 at 19:10
Vitaliy Kurokhtin
It's currently not possible to upload a client certificate with just a public key.
You can verify the client certificate used to call your API using a custom policy (as indicated in the link that you provided), checking the certificate thumbprint, for example (so no need to actually upload any certificate).
E.g. like this:

    <policies>
        <inbound>
            <base />
            <choose>
                <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "F81E3171FA085BC04C83B6644B9F229F0CBA8E57")">
                    <return-response>
                        <set-status code="403" reason="Invalid client certificate" />
                    </return-response>
                </when>
            </choose>
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
answered Mar 27 at 3:21
James
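Both answers come down to comparing thumbprint strings, and the != in the policy above is an exact string comparison, so the pinned value has to be in the same upper-case, separator-free form as the one in that policy. The following is an added example, not code from either answer or from Azure: it derives the thumbprint (SHA-1 over the DER bytes) from the public certificate a client hands over and normalises a value copied from a GUI or CLI. SAMPLE_PEM and all function names are assumptions, and the sample body is constructed bytes rather than a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a client's public certificate. The base64 body is
# NOT a real X.509 structure; the thumbprint is a hash over the raw DER bytes
# and involves no parsing, so sample bytes are enough to show the procedure.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the base64 body of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, as upper-case hex without separators."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(value: str) -> str:
    """Clean a copied thumbprint: drop whitespace, colons, dashes and the
    invisible marks (U+200E, U+200F, U+FEFF) that certificate dialogs can
    add, then upper-case. Anything that is not 40 hex digits is rejected."""
    cleaned = re.sub(r"[\s:\-\u200e\u200f\ufeff]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be exactly 40 hex digits")
    return cleaned


def is_pinned(pem: str, allowed: list[str]) -> bool:
    """Offline mirror of the policy check, to test an allow-list before deploying."""
    return thumbprint(pem_to_der(pem)) in {normalize(a) for a in allowed}
```

The string returned by normalize is what goes into the policy condition; a value that raises here would have made the policy reject every client.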