question

Asked by KindaLoutfi-5110

Azure Self-hosted Gateway with Custom Client Certificate

I am working with Azure API management.
I have deployed a self-hosted gateway on my local machine, and I want to associate custom client certificates for security.

The documentation available is not clear to me.
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-ca-certificates#create-custom-ca-for-self-hosted-gateway

There is no clear step-by-step guide to know how to use the Gateway Certificate Authority - Create Or Update REST API to associate the certificate with the self-managed gateway.

azure-api-management

1 Answer

Answered by MayankBargali-MSFT

@KindaLoutfi-5110 There are two steps mentioned in the document that point to different documents.
The first step in the document is to add a certificate .pfx file to your API Management instance, which points to this document, where you first upload the .pfx certificate from the portal or using the Create or Update APIM Management Create Certificate REST API. The API document does list the parameters and sample request/response for the respective APIs. If you are looking to authenticate to the Azure Management API, then you need to refer to the Azure REST API reference document, which has the details on the setup needed the first time you want to call any Azure Management API.

The Gateway Certificate Authority - Create Or Update REST API does cover the URI definition and the parameters that are used while making the request. Please refer to the sample request. If you are facing any issue/error in building the request, please let me know.
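As an added illustration of the call described in this answer (not code from the answer or from Microsoft's docs), the following PowerShell script builds the Gateway Certificate Authority - Create Or Update request against the 2021-01-01-preview API version linked in this thread. It assumes the Az.Accounts module with an already signed-in session (Connect-AzAccount); every name in angle brackets is a placeholder.

```powershell
# Added example: associate an already uploaded APIM certificate with a self-hosted
# gateway via the Gateway Certificate Authority - Create Or Update ARM REST API.
# Assumes Az.Accounts is installed and Connect-AzAccount has been run.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$serviceName    = '<apim-service-name>'
$gatewayId      = '<gateway-id>'       # name of the self-hosted gateway resource in APIM
$certificateId  = '<certificate-id>'   # id given to the uploaded .pfx in APIM (not the thumbprint)
$apiVersion     = '2021-01-01-preview'

# URI shape from the linked REST reference:
# .../service/{serviceName}/gateways/{gatewayId}/certificateAuthorities/{certificateId}
$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       "/resourceGroups/$resourceGroup/providers/Microsoft.ApiManagement" +
       "/service/$serviceName/gateways/$gatewayId" +
       "/certificateAuthorities/$certificateId" + "?api-version=$apiVersion"

# Bearer token for the ARM endpoint from the current Az session.
# Newer Az.Accounts versions return the token as a SecureString; unwrap it if so.
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com/').Token
if ($token -is [securestring]) {
    $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
}
$headers = @{
    Authorization  = "Bearer $token"
    'Content-Type' = 'application/json'
}

# The contract body: isTrusted = $true marks the certificate as a trusted CA for this gateway.
$body = @{ properties = @{ isTrusted = $true } } | ConvertTo-Json -Depth 3

# PUT creates or updates the association; the response echoes the contract.
$created = Invoke-RestMethod -Uri $uri -Method Put -Headers $headers -Body $body
$created | ConvertTo-Json -Depth 5

# Read it back with GET to confirm the association exists and isTrusted is set.
$check = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
if (-not $check.properties.isTrusted) {
    Write-Error "Certificate '$certificateId' is not marked trusted on gateway '$gatewayId'."
}
```

The token used here must belong to an identity with write permission on the API Management service; a 403 from the PUT points at RBAC rather than at the certificate.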


@KindaLoutfi-5110 Just to clarify further, you need to make a REST API request to associate the certificate as of now. This can be done using Postman as covered by the ARM REST API docs or curl if you prefer.

The certificateId would be the ID of the certificate you've uploaded via the portal and the gatewayId would be the ID of the gateway you want to associate it with.


@MayankBargali-MSFT, @PramodValavala-MSFT
Thank you so much for your answers.
I did all the steps described:

  1. I created a PFX certificate and added it to the APIM instance as described here
    https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates#upload-a-certificate

  2. I configured the API to use the certificate as described here
    https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates#configure-an-api-to-use-client-certificate-for-gateway-authentication


(Please continue reading my steps in the second comment, because I was unable to post my answer in one comment, so I had to divide it into two comments.)


  3. I added a policy to the API to enforce checking the certificate (Certificate-Thumbprint is the placeholder for the expected thumbprint):

    <choose>
        <when condition="@(context.Request.Certificate == null || context.Request.Certificate.Thumbprint != "Certificate-Thumbprint")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>

  4. I assigned the certificate to the self-hosted gateway as described here
    https://docs.microsoft.com/en-us/rest/api/apimanagement/2021-01-01-preview/gateway-certificate-authority/create-or-update

  5. I tried to call the API through the self-hosted gateway using the following request in PowerShell:

 Invoke-WebRequest -URI 'https://localhost:8081/hybridapi/test' -Method 'GET' -Headers @{'Ocp-Apim-Subscription-Key'= 'Subscription-Key'} -Certificate (Get-PfxCertificate -FilePath 'Certificate-Path') -CertificateThumbprint 'Certificate-Thumbprint'

But I get an error that says "Unable to retrieve the certificates because the thumbprint is invalid".
However, I am sure that the passed Thumbprint is correct.
