stackoom
  简体   繁体   中英

Azure Portal: API Management check client certificates

 原文  2019-03-07 16:52:34       azure/ api/ certificate/ azure-api-management/ azureportal

Question

Is it possible to check a client certificate, that is sent with a GET https API call, against the certificates that are in the API Manager client certificate store?

In the Azure portal, it is only possible to upload client certificates with a private key and password. Clients however, will never send the private key part of their certificate with their password.

Azure gives an error when I try to upload a client certificate with only the public key.

According to the Azure Portal API Management documentation, it should be possible: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

2 answers

solution1
 1  2019-03-08 19:10:59

Those two things are separate features. You upload client certificates (pfx with private key) into APIM when you want to use that certificate to authenticate calls APIM makes to backend.

If you want to validate certificate client sends to APIM you can go very simple with just checking, say, thumbprint of context.Request.ClientCertificates in choose policy, or you can call Verify or VerifyNoRevocation on a certificate if it has complete chain. You can upload own CA certificates into APIM to make it so.

solution2
 1  2019-03-27 03:21:45

it's currently not possible to upload a client certificate with just a public key.

You can verify the client certificate used to call your API using a custom policy (as indicated in the link that you provided), checking the certificate thumbprint, for example (so no need to actually upload any certificate).

eg like this: 

<policies>
    <inbound>
        <base />
        <choose>
            <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "F81E3171FA085BC04C83B6644B9F229F0CBA8E57")">
                <return-response>
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure API Management Developer Portal Give Azure web api client access to web api via Azure management portal Azure API Management/Portal: activate Mocking for “Try Out” in API Portal Customizing the Azure API Management developer portal Azure API Management without Developer Portal developer portal in azure management api is not correctly working Azure API Management Client Authentication Azure Management Portal security Purpose of Azure Management Certificates Configure Application Gateway with API Management using Azure Portal
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM