
Azure API Management - Client Certificate Authentication Responsibilities?

When using Azure API Management Gateway it's possible to implement client certificate authentication to secure access to APIs. You can validate incoming request certs using policy expressions such as thumbprint checks etc.

When using client cert authentication method, what's the recommended process for certificate generation/management?

  1. Cert responsibility?
  • Should I/gateway owner be generating the .pfx file (either self-signed or by a trusted CA), importing it to the gateway service and providing external clients with the .cer to install locally and auth with?
  • Should I/gateway owner be generating the .pfx file (either self-signed or by a trusted CA), importing the .pfx to the API Management gateway service (normally I'd imagine importing the .cer on a server/gateway but that doesn't seem possible in Azure) and providing external clients with the .pfx to install locally and auth with?
  • Should the external client be responsible for generating their public/private key pair in their org, signing it with a CA, installing it locally and providing me/gateway owner with a .cer file to import to the gateway (as above, not sure it's possible to import a .cer, I read only .pfx is accepted in the import process) or providing a thumbprint for me to store/validate in policy?
  2. Does anyone have any advice whether to issue clients requiring access to the same API the same (shared) cert or generate a new cert per client? They would all be using the cert to access the same API (+ additional auth methods, the cert is just an extra step).

I've read online tutorials describing all of the above bullets, where both client-specific certs and a single cert-per-API have been implemented, so I'm a little confused which is the recommended approach?

  1. The easiest way would be to have a single issuing CA certificate; you'd only need to upload its public key to APIM, as that is all that's needed for APIM to validate incoming certificates. Then you'll be responsible for generating client certificates and distributing them to clients. In APIM you can set up a policy that would require a certificate, check its issuer and validate it; that should be enough to ensure that the certificate is valid and issued by you.
    • Relying on self-signed certificates will be a hassle, as you'd have to somehow let APIM know of each new certificate; having a common issuing CA frees you of that worry.
    • The same goes for allowing remote clients to generate certificates - they would have to let you know of the certificate and you'd need to list it in APIM one way or another.
  2. You're free to decide how exactly to distribute certificates; a few things to consider:
    • Likely the certificate will be your main way to tell clients apart. If that is important you may want different clients to have different certificates.
    • If you want to deny access to a particular client you'll "revoke" that certificate, and you need to make sure that other legitimate clients won't be affected.
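An added example of the inbound policy shape the answer describes (not code from the question, the answer, or Microsoft). It assumes the issuing CA's public certificate has already been uploaded to APIM under Certificates > CA certificates, that the gateway is configured to negotiate client certificates, and that the issuer subject and header name below are placeholders:

```xml
<!-- Added example, not from the original post. Inbound section of an API policy. -->
<inbound>
    <base />
    <!-- Built-in policy: rejects the request if no certificate was presented, if it is
         outside its validity window or revoked, if it does not chain to a CA certificate
         uploaded to this APIM instance, or if it was not issued by our CA.
         Note: context.Request.Certificate is null unless the gateway is set to request
         (negotiate) client certificates, so check that setting first. -->
    <validate-client-certificate
        validate-revocation="true"
        validate-trust="true"
        validate-not-before="true"
        validate-not-after="true"
        ignore-error="false">
        <identities>
            <!-- Placeholder: the subject DN of your issuing CA (answer point 1).
                 Only certificates issued by this CA are accepted; no per-client
                 upload is needed when a new client certificate is issued. -->
            <identity issuer-subject="CN=Example Issuing CA, O=Example Org" />
            <!-- Optional per-client pinning instead of (or on top of) the issuer check:
                 <identity thumbprint="PLACEHOLDER_CLIENT_CERT_THUMBPRINT" /> -->
        </identities>
    </validate-client-certificate>

    <!-- Per-client certificates (answer point 2): forwarding the thumbprint lets the
         backend and logs tell clients apart, and revoking one certificate then only
         affects that one client. Header name is a placeholder. -->
    <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
        <value>@(context.Request.Certificate.Thumbprint)</value>
    </set-header>
</inbound>
```

If the built-in policy is not available on your instance, the same check can be expressed with a `<choose>` block testing `context.Request.Certificate.Verify()` and `context.Request.Certificate.Issuer` and returning a 403 when it fails.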
