Why does APIM need pfx to securely access backend using client certificate?

Umair Syed 1 Reputation point
2022-01-14T06:39:21.233+00:00

I am trying to access a secured backend from APIM. I have received two root certificates from the client and I need to upload them to APIM (later to KV) so that I can access the backend securely. However, the client is not comfortable providing the private key to me or to the key vault, since that goes against the security model in which the consumer only needs a public key.

Why does APIM only accept pfx, and why does it need the private key?
As a workaround, can we generate a pfx with an empty private key, and will it still work?


2 answers

  1. Mike Urnun 9,836 Reputation points Microsoft Employee
    2022-01-25T23:13:44.017+00:00

    Hello @Umair Syed - My apologies for the delayed responses.

    It's not that APIM requires the private key in any proprietary or arbitrary way; it is because the particular protocol used under the covers, which is mutual TLS (Client Certificate Authentication), requires the private key to be involved during the handshake for the purposes of validating the certificate presented by a client. Here's a nice read on the handshake: https://textslashplain.com/2020/05/04/client-certificate-authentication/

    Coming back to APIM, the following blog post details how APIM uses certificates and where they are used in a simpler, organized manner: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/using-certificates-in-azure-api-management/ba-p/2888447

    Upon examining the blog, you'll find that mutual TLS is discussed for the "Client certificate to secure access to the APIs for Self-hosted Gateway" scenario, which is what you're in the process of implementing. As you may already have reviewed, the official doc on the exact steps is here: Secure backend services using client certificate authentication in Azure API Management

    For different certificate-related scenarios where you need to supply a pfx, you may generate the pfx without the private key. The following Stack Overflow post may be helpful in generating one: How to create .pfx file containing only one of private/public key

    I hope this is still helpful; please let me know if you have any further questions on this topic.


  2. jay_p 0 Reputation points
    2023-05-09T16:25:32.7833333+00:00

    Sadly, the above answer is wrong.

    In the TLS handshake, the server verifies the client's request using the client's public key. This is the way public key cryptography works in all places, not just TLS. In other words, there is no conceivable use case for the server to know the client's private key.

    It still is a mystery why MS requires a pfx containing both the public and private key. Maybe someone else can shed some light?

    Is it possible, though, to create a PFX containing the public key only, without the private key? I'm pretty sure that's sufficient for APIM, but I haven't actually tried yet.

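Added example, not part of either answer above: a small OpenSSL script (assumes the openssl CLI is installed; the key pair and certificate it creates are constructed throw-aways) that shows the difference between a PFX carrying a private key and one holding certificates only. In the "secure backend" scenario APIM is the TLS client, so it must present a certificate and prove possession of the matching private key by signing the handshake, while the side that validates the certificate only needs the certificate chain.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI; the key
# pair and certificate below are constructed throw-aways for the demo.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away key pair plus self-signed certificate, standing in for the
# client certificate APIM would present to the backend.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=apim-demo-client" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Exit status 0 if the PFX contains a private key, 1 if it is certificate-only.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Exit status 0 if the PFX contains at least one certificate.
pfx_has_certificate() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys 2>/dev/null \
    | grep -q "BEGIN CERTIFICATE"
}

# Full PFX (certificate + key): the only form that lets the TLS client sign
# the CertificateVerify message, i.e. authenticate itself to the backend.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
  -out "$WORK/with-key.pfx" -passout pass:

# Certificate-only PFX (the "-nokeys" recipe from the linked Stack Overflow
# post): fine as trust material for validating the other side, useless for
# presenting a client certificate because nothing can sign with it.
openssl pkcs12 -export -nokeys -in "$WORK/cert.pem" \
  -out "$WORK/cert-only.pfx" -passout pass:

for name in with-key cert-only; do
  if pfx_has_private_key "$WORK/$name.pfx"; then
    echo "$name.pfx: can present a client certificate (private key present)"
  else
    echo "$name.pfx: certificates only, usable as trust material"
  fi
done
```

Run it against your own PFX by calling `pfx_has_private_key my.pfx` (adjust `-passin` if the file is password protected) to see which role the file can actually fulfil before uploading it anywhere.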
