Why do I get 'Certificate cannot be referenced by thumbprint'

Fredrik Visterlind 0 Reputation points
2023-08-03T13:17:34.7566667+00:00

Hi,

When configuring API to use client certificate for gateway authentication I get this error.

One or more fields contain incorrect values:
Error in element 'authentication-certificate' on line 4, column 10: The Certificate with id 'test-cert' and thumbprint '...' is configured with KeyVault secret '...' and cannot be referenced by thumbprint. Please reference it with certificate-id 'test-cert' in the policy.


I've followed this guide:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates

Using a self-signed certificate created in Azure Key Vault.

Have configured Azure RBAC access.

Also I'm using API Management Consumption Tier.

How can I solve this? Is there a way to reference it with certificate-id instead?


2 answers

  1. Sonny Gillissen 3,346 Reputation points
    2023-08-04T14:59:43.4433333+00:00

    Hi Fredrik Visterlind,

    Thank you for reaching out on Microsoft Q&A!

    Indeed, you found the correct solution yourself by providing the certificate-id instead of the thumbprint. The reason for this being: when a new certificate is enrolled your thumbprint may change but your id does not. Therefore you don't have to replace your certificate in-code each time a new certificate is enrolled.

    Even though you found the solution yourself, I did want to elaborate more on it for you and others to make sense of why this is necessary :-)

    Please click “Accept answer” if you find this helpful. Feel free to drop additional queries in the comments below!

    Kind regards,

    Sonny


  2. JamesTran-MSFT 36,496 Reputation points Microsoft Employee
    2023-08-07T20:02:13.8166667+00:00

    @Fredrik Visterlind

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Error Message:

    One or more fields contain incorrect values: Error in element 'authentication-certificate' on line 4, column 10:

    The Certificate with id 'test-cert' and thumbprint '...' is configured with KeyVault secret '...' and cannot be referenced by thumbprint. Please reference it with certificate-id 'test-cert' in the policy.

    Issue:

    When trying to secure your backend services using client certificate authentication in Azure API Management, you were running into the above error when configuring your API to use the certificate for gateway authentication.

    Solution:

    In order to resolve your issue, you added the certificate-id within your code.

    <policies>
        <inbound>
            <base />
            <set-backend-service id="apim-generated-policy" backend-id="WebApp_test-app" />
            <authentication-certificate certificate-id="test-cert" />
        </inbound>
        <backend>
            <base />
        </backend>
        <outbound>
            <base />
        </outbound>
        <on-error>
            <base />
        </on-error>
    </policies>
    

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.


    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

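As an added illustration (not part of either answer above, and not Microsoft's own tooling), the following script reproduces the check behind the error in the question as a small linter for APIM policy XML: a certificate that the gateway pulls from Key Vault may only be referenced by certificate-id, because its thumbprint changes on every rotation. The certificate inventory and the two policies are constructed for the example; the `thumbprint` and `certificate-id` attribute names are those of the real `authentication-certificate` policy.

```python
# Added example, not from the Q&A above: a small linter for APIM policy XML
# that reproduces the check behind the error in the question. A Key Vault
# backed certificate must be referenced by certificate-id, since its thumbprint
# changes on every rotation. The inventory and policies below are constructed.
import xml.etree.ElementTree as ET

# Constructed APIM certificate inventory keyed by certificate id; 'keyvault'
# is the secret identifier for Key Vault-backed certs, None for uploaded ones.
INVENTORY = {
    "test-cert": {"thumbprint": "AA11BB22CC33DD44EE55FF6677889900AABBCCDD",
                  "keyvault": "https://example-kv.vault.azure.net/secrets/test-cert"},
    "uploaded-cert": {"thumbprint": "0011223344556677889900AABBCCDDEEFF001122",
                      "keyvault": None},
}


def check_policy(policy_xml, inventory=INVENTORY):
    """Return findings for every <authentication-certificate> in the policy."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter("authentication-certificate"):
        cert_id, thumb = elem.get("certificate-id"), elem.get("thumbprint")
        if cert_id is not None:            # by id: survives rotation
            if cert_id not in inventory:
                findings.append(f"unknown certificate-id '{cert_id}'")
            continue
        if thumb is None:
            findings.append("authentication-certificate needs certificate-id or thumbprint")
            continue
        match = next((cid for cid, c in inventory.items()
                      if c["thumbprint"].lower() == thumb.lower()), None)  # hex, any case
        if match is None:
            findings.append(f"thumbprint '{thumb}' matches no certificate in APIM")
        elif inventory[match]["keyvault"] is not None:
            findings.append(f"certificate '{match}' is backed by Key Vault secret "
                            f"'{inventory[match]['keyvault']}' and cannot be referenced "
                            f"by thumbprint; use certificate-id=\"{match}\"")
    return findings


# Constructed policies: the failing form from the question and the fixed one.
BAD_POLICY = """<policies><inbound><base />
<authentication-certificate thumbprint="aa11bb22cc33dd44ee55ff6677889900aabbccdd" />
</inbound></policies>"""
GOOD_POLICY = """<policies><inbound><base />
<authentication-certificate certificate-id="test-cert" />
</inbound></policies>"""
```

Running `check_policy(BAD_POLICY)` yields one finding pointing at `certificate-id="test-cert"`, while `check_policy(GOOD_POLICY)` returns an empty list; a certificate uploaded directly to APIM may still be referenced by thumbprint.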
