Azure APIM - Chain of trust validation

NavinKumar VIRARAGAVAN 20 Reputation points
2023-04-25T14:23:25.48+00:00

I have X.509 root and intermediate certificates and also hundreds of client certificates. I would like to authenticate an API endpoint with mTLS. I have uploaded the intermediate certificate in Azure APIM, but the client certificate is not validated. When I upload a single client certificate or refer to it from Azure Key Vault, then the validation works in APIM. But it would be heavy work to upload and maintain hundreds of certificates. Is there any way to make chain-of-trust validation work in APIM?

Azure API Management

Accepted answer
  1. MuthuKumaranMurugaachari-MSFT 22,276 Reputation points
    2023-04-25T18:22:11.94+00:00

    NavinKumar VIRARAGAVAN Thanks for posting your question in Microsoft Q&A. Based on your description, you have uploaded the root/intermediate certificates in APIM, but the client certificate sent by the client was not validated, and you need assistance. Is that correct?

    I hope you have uploaded the root and all intermediate certificates in the CA Certificates section; if not, follow the steps described in the doc: How to add a custom CA certificate in Azure API Management. Then, you need to add a policy for certificate validation such as context.Request.Certificate.Verify() (or context.Request.Certificate.VerifyNoRevocation() to disable checking the certificate revocation list); here is the doc reference: Certificate validation with context variables.

    Note: uploading the client certificate is not required, but make sure to upload all certificates in the chain of the client certificate. Also, set negotiateClientCertificate to true as mentioned in the docs. I hope this helps with your questions; let me know if you have any others or face issues.


    If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.

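The inbound policy the accepted answer describes, written out as an added example that is not part of the original thread. The context.Request.Certificate.Verify() / VerifyNoRevocation() expressions are the ones named in the answer; the 403 status, response body and the surrounding policy skeleton are assumptions chosen for illustration.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the call unless the client presented a certificate that chains to a root
         or intermediate CA uploaded in the APIM "CA certificates" section. The individual
         client certificates do not need to be uploaded for this check to pass.
         negotiateClientCertificate must be enabled on the gateway hostname, otherwise
         context.Request.Certificate is null and every request is rejected here. -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
        <return-response>
          <!-- Assumed response shape: 403 with a short plain-text reason. -->
          <set-status code="403" reason="Client certificate missing or not trusted" />
          <set-header name="Content-Type" exists-action="override">
            <value>text/plain</value>
          </set-header>
          <set-body>Client certificate missing or failed chain-of-trust validation.</set-body>
        </return-response>
      </when>
    </choose>
    <!-- If the CA's CRL distribution points are not reachable from the gateway, the
         answer's alternative is context.Request.Certificate.VerifyNoRevocation() in the
         condition above; it still validates the chain but no longer detects revoked
         client certificates, so prefer Verify() wherever CRL access can be provided. -->
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```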
