Azure API Management - Incoming certificate is ignored

Celia Navarro 1 Reputation point
2022-09-05T07:00:43.647+00:00

I have implemented some API Management logic in the inbound policies so that some of the received certificate information is passed to an external service that does some checks on that information and returns true or false depending on the case. If validated, the call continues through to the backend URL.

The API Management instance is implemented in the Consumption tier, with the corresponding "Request client certificate" setting properly set to Yes.

The problem is, this logic is only executed when the incoming certificate includes the private key (e.g. .pfx format). When the incoming certificate is public only, API Management doesn't even execute the inbound policy, but rejects the incoming call with a 403 Forbidden.

I know it doesn't get to the inbound policy because I added this piece of code at the very beginning for testing purposes:

<choose>  
    <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Issuer != "My expected certificate issuer")" >  
        <return-response>  
            <set-status code="403" reason="Invalid client certificate" />  
        </return-response>  
    </when>  
</choose>  

And when the certificate is public only, I don't get the 'Invalid client certificate' message but the standard 'Forbidden'.

As all available setups in API Management refer to certificates with a key (e.g. you cannot upload a public certificate in the Certificates tab, and when selecting one from the key vault, it will of course include the private key), I wonder whether the incoming certificate must also include the key as a requirement.

  • Is there any requirement on that matter that forces the incoming certificate to include the private key?
  • If this is not the case, what might be missing in my setup, for the incoming certificates to be accepted?

1 answer

JananiRamesh-MSFT 21,861 Reputation points
2022-10-03T15:47:59.757+00:00

Hi @Celia Navarro, as discussed earlier, it is not possible to perform client certificate authentication without a private key. For example, consider Postman as a client: you must provide a private key. If Postman doesn't have the private key, it cannot perform client certificate authentication with APIM.

You mentioned that you were getting a 403 Forbidden error when you attach the public certificate. If there is no private key, the certificate will not be sent in the request, and hence it resulted in the 403 response code.

Using Ocp-Apim-Trace you can verify whether the certificate is added to the incoming request or not.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-api-inspector#trace-a-call

Let me know in case of further queries; I would be happy to assist you.

Please 'Accept as answer' and 'Upvote' if it helped so that it can help others in the community looking for help on similar topics.
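Added example (not from the question, the answer, or APIM itself): a small Python check of what a client-side credential file actually contains, since, as the answer explains, a file holding only the public certificate gives the TLS client nothing to sign the handshake with, so no certificate is sent and APIM returns 403 before any inbound policy runs. The PEM bodies below are constructed placeholders, not real certificates, and the PKCS#12 case assumes the .pfx carries the key, as exported .pfx files normally do.

```python
"""Classify a client credential file as a TLS client would see it."""
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Constructed samples: the base64 bodies are placeholders, not real certificates.
PUBLIC_ONLY_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n"
                   b"-----END CERTIFICATE-----\n")
CERT_AND_KEY_PEM = (PUBLIC_ONLY_PEM +
                    b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n"
                    b"-----END PRIVATE KEY-----\n")


def _der_len(buf: bytes, i: int):
    """Decode a DER length at buf[i]; return (length, index after the length)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_credential(data: bytes) -> str:
    """Return one of: pem-cert-and-key, pem-cert-only, pem-key-only, pkcs12, der-cert, unknown."""
    labels = {m.group(1).decode() for m in PEM_BLOCK.finditer(data)}
    if labels:
        has_cert = "CERTIFICATE" in labels
        has_key = bool(labels & KEY_LABELS)
        if has_cert and has_key:
            return "pem-cert-and-key"
        if has_cert:
            return "pem-cert-only"
        return "pem-key-only" if has_key else "unknown"
    # Binary input: a PKCS#12 PFX and a DER certificate both start with an outer SEQUENCE.
    # PFX ::= SEQUENCE { version INTEGER(3), ... }  versus
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if len(data) > 2 and data[0] == 0x30:
        _, i = _der_len(data, 1)
        if data[i:i + 3] == b"\x02\x01\x03":
            return "pkcs12"
        if i < len(data) and data[i] == 0x30:
            return "der-cert"
    return "unknown"


def can_do_client_auth(data: bytes) -> bool:
    """True only when a private key is present (assumes a PFX includes its key)."""
    return classify_credential(data) in {"pem-cert-and-key", "pkcs12"}
```

If the file classifies as pem-cert-only or der-cert, the client is the cause, not the policy: no certificate reaches APIM, which matches the Ocp-Apim-Trace result the answer suggests checking.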
