APIM Backend "Client certificate" configuration: Does it have any runtime effect without authentication-certificate policy?

Christiaan Bisselink 0 Reputation points
2026-03-05T08:50:51.9033333+00:00

According to the documentation, it is possible to configure a client certificate directly on a Backend entity in Azure API Management:

https://learn.microsoft.com/en-us/azure/api-management/backends?tabs=portal#configure-client-certificate

In the portal this works as follows:

  1. Upload a certificate to the APIM Certificates store.
  2. Select that certificate in the Backend entity under Authorization credentials → Client certificate.

This suggests that the Backend definition can include the certificate required to authenticate to that backend (for example for mutual TLS).

However, in our testing the certificate configured on the Backend entity is not sent during the TLS handshake when APIM calls the backend. The certificate is only presented if we explicitly add the authentication-certificate policy in the API policy, for example:

<authentication-certificate certificate-id="my-cert-id" />

Without that policy, the TLS handshake occurs without a client certificate even though the Backend entity has one configured.

Microsoft Azure Support indicated that this is “by design” and that the Backend client certificate configuration is declarative only, meaning the certificate must always be explicitly referenced in policy.

This is confusing because other credentials configured on the Backend entity (for example Basic authentication) are automatically applied at runtime without requiring a policy.

Questions:

  1. Is it expected that a client certificate configured on a Backend entity is never automatically applied during outbound TLS?
  2. Does the Backend entity client certificate configuration have any runtime effect without using the authentication-certificate policy?
  3. Is the intended design pattern always:
    • upload certificate
    • configure Backend
    • still explicitly reference the certificate again in policy?

I'm trying to understand whether this is the intended design, a documentation gap, or possibly a configuration issue on our side.

Any clarification from people with APIM experience would be appreciated.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.


1 answer

  1. Rakesh Mishra 7,780 Reputation points Microsoft External Staff Moderator
    2026-03-05T10:26:10.3666667+00:00

    Hi @Christiaan Bisselink ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Please find the response below to the questions asked and let me know if you have any questions.

    1. Is it expected that a client certificate configured on a Backend entity is never automatically applied during outbound TLS? For standard HTTP (Custom URL) backends, yes, this is expected. Unlike Basic Authentication or Headers configured on a Backend entity, which are automatically injected into the HTTP request, client certificates dictate the lower-level TLS handshake. For HTTP backends, APIM requires you to explicitly use the <authentication-certificate> policy to instruct the gateway to present the certificate during the outbound TLS connection. Reference: Azure API Management policy reference - authentication-certificate
    2. Does the Backend entity client certificate configuration have any runtime effect without using the authentication-certificate policy? For HTTP backends, it has no automatic runtime effect. It acts purely as a declarative metadata configuration. However, it does have a runtime effect for Service Fabric backends. When configuring a Service Fabric backend in APIM, the gateway automatically uses the client certificate configured on the Backend entity to establish mutual TLS (mTLS) with the Service Fabric management endpoint to securely discover and resolve backend services. In this specific scenario, it works without needing an explicit authentication-certificate policy. Reference: Set up Service Fabric Backend in Azure API Management
    3. Is the intended design pattern always: upload certificate -> configure Backend -> explicitly reference the certificate again in policy? For standard HTTP backends, you actually do not need to configure the client certificate on the Backend entity at all. The intended design pattern is strictly:
      1. Upload/Reference the certificate in the APIM Certificates store (e.g., linked to Azure Key Vault).
      2. Explicitly reference the certificate in your policy using <authentication-certificate certificate-id="your-cert-id" />.
      When you configure a client certificate under Gateway credentials at the API settings level in the Azure Portal, the Portal automatically injects the <authentication-certificate> policy into your API's policy definition for you. As noted in a tip in the official documentation:

      "When a certificate is specified for gateway authentication for the backend service of an API, it becomes part of the policy for that API and can be viewed in the policy editor."

      Reference: Secure backend services by using client certificate authentication in Azure API Management
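The pattern the answer describes for an HTTP backend, as an added example that is not part of the question or the answer above: a complete API policy definition in which the request is routed to a named Backend entity and the client certificate is presented by the <authentication-certificate> policy in the inbound section. The backend-id value "my-backend" and the certificate-id value "my-cert-id" are placeholders for the ids of your own Backend entity and of the certificate in the APIM Certificates store.

```xml
<policies>
    <inbound>
        <base />
        <!-- Route to the Backend entity; its URL and other settings are defined on the entity.
             "my-backend" is a placeholder for your Backend entity id. -->
        <set-backend-service backend-id="my-backend" />
        <!-- Present the certificate from the APIM Certificates store during the outbound TLS handshake.
             Without this element the gateway sends no client certificate to an HTTP backend,
             even when the Backend entity has one selected under Authorization credentials.
             "my-cert-id" is a placeholder for the certificate id in the Certificates store. -->
        <authentication-certificate certificate-id="my-cert-id" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Placing the policy in the inbound section of the API (or of an individual operation) is what makes the certificate part of the outbound connection; if it is only selected on the Backend entity, the handshake to an HTTP backend proceeds without it, which is the behaviour the question reports. Storing the certificate as a Key Vault reference in the Certificates store keeps the private key out of the policy document and lets rotation happen in Key Vault without editing the policy.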
