stackoom
  简体   繁体   中英

Azure APIM - how to validate client certificate using context.Request.Certificate.Verify()

 原文  2020-08-20 19:27:08       azure/ azure-api-management

Question

I am trying to validate a client certificate in Azure API management using context.Request.Certificate.Verify() method. I have tried the following steps:

  1. I have created self signed root CA certificate and then created a client certificate and key file.
  2. Now from postman, I am trying to call a method attaching the client certificate. I have verified that the certificate is sent to APIM via trace.
  3. Have uploaded the root CA certificate in APIM -> CA certificates. While uploading I converted to ".cer" file as it is not accepting ".crt" file and set the Store as "Trusted root".
  4. In APIM policy, have used the method to validate the client certificate via context.Request.Certificate.Verify() .

Now, when I try to call APIM api with client certificate, the above method (step 4) is always coming as False, verified from apim trace. Not sure, what and where I am doing wrong things. Any help/guidance or any article is really helpful.

2 answers

solution1
 0  2020-08-28 22:07:28

For client certificate validation in Azure API management generally following steps are required.

  1. Generate a root CA, intermediate CA along with the client certificates.
  2. Upload the intermediate certificate which validate client certificates sent by the user.

You van utilize this guide to set up the CA.

solution2
 0  2020-08-31 12:47:26

I faced the similar issues, Investigation Summary / Cause are below:

  • Later customer encountered issue again when they sent PFX certificate as a client certificate to APIM from Postman.
  • The self signed certificate CRL distribution list (Urls in certificate revocation lists) and Access information cannot be publicly reached (APIM is public hosted and not internal) hence certificate.verify fails

2 options to fix the issue

  • Purchase a certificate from a Public trusted CA
  • Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify so that APIM will not check the revocation list during certificate.verify

Note: If certificate.verify is a mandatory order from your security team, then you would have to purchase a certificate from trusted CA o you need to VerifyNoRevocation since apim cannot retrieve revocation list information and VerifyNoRevocation will still perform verifying certificate path as well

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Azure APIM: Send a client certificate with send-request mode azure APIM client certificate towards SAP gateway client certificate validation on APIM Azure APIM with certificate authentication error using .pfx certificate Request client certificate by site on Azure Prevent browser from prompting for client certificate in APIM Azure Getting “403 Invalid client certificate” in Azure APIM and also from postman How to verify my client certificate with the Root CA certificate in Azure API Management inbound policy? How to handle client certificate in Azure How to verify an Azure virtual machine RDP certificate?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM