Azure Self hosted Gateway with client certificates

Question

how to protect the APIs on a self hosted gateway from unauthorized use with client certificates?

The documentation on this topic is too unclear for me:

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway

Thanks.

Answer 1

• You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.
• For information about securing access to the back-end service of an API using client certificates, refer How to secure back-end services using client certificate authentication
• To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers you must turn on the "Negotiate client certificate" setting on the "Custom domains" blade.

• To receive and verify client certificates in the Consumption tier you must turn on the "Request client certificate" setting on the "Custom domains" blade.

• Policy to validate client certificates - Use the validate-client-certificate policy to validate one or more attributes of a client certificate.
• Certificate validation with context variables - You can also create policy expressions with the context variable to check client certificates.
• Checking the issuer and subject
• Checking the thumbprint
• Checking a thumbprint against certificates uploaded to API Management. For more detailed information please refer secure APIs using client certificate authentication in API Management

Answer 2

the solution is to give the right common name/dns name during the creation of the certificate. After that a gateway hostname must be created inside the gatewaypanel of the self hosted gateway and the uploaded certificate addded and check the checkbox negotiate clientcertificates.