Client authentication using CA certificate chain

Use CA certificate chain in Azure Event Grid to authenticate clients while connecting to the service.

In this guide, you perform the following tasks:

  1. Upload a CA certificate, the immediate parent certificate of the client certificate, to the namespace.
  2. Configure client authentication settings.
  3. Connect a client using the client certificate signed by the previously uploaded CA certificate.


  • You need an Event Grid Namespace already created.
  • You need a CA certificate chain: Client certificates and the parent certificate (typically an intermediate certificate) that was used to sign the client certificates.

Generate sample client certificate and thumbprint

If you don't already have a certificate, you can create a sample certificate using the step CLI. Consider installing manually for Windows.

Once you installed Step, in Windows PowerShell, run the command to create root and intermediate certificates.

.\step ca init --deployment-type standalone --name MqttAppSamplesCA --dns localhost --address --provisioner MqttAppSamplesCAProvisioner

Using the CA files generated to create certificate for the client.

.\step certificate create client1-authnID client1-authnID.pem client1-authnID.key --ca .step/certs/intermediate_ca.crt --ca-key .step/secrets/intermediate_ca_key --no-password --insecure --not-after 2400h

Upload the CA certificate to the namespace

  1. In Azure portal, navigate to your Event Grid namespace.
  2. Under the MQTT broker section in left rail, navigate to CA certificates menu.
  3. Select + Certificate to launch the Upload certificate page.
  4. Add certificate name and browse to find the intermediate certificate (.step/certs/intermediate_ca.crt) and select Upload. You can upload a file of .pem, .cer, or .crt type.

Screenshot showing the added CA certificate listed in the CA certificates page.


  • CA certificate name can be 3-50 characters long.
  • CA certificate name can include alphanumeric, hyphen(-) and, no spaces.
  • The name needs to be unique per namespace.

Configure client authentication settings

  1. Navigate to the Clients page.
  2. Select + Client to add a new client. If you want to update an existing client, you can select the client name and open the Update client page.
  3. In the Create client page, add the client name, client authentication name, and the client certificate authentication validation scheme. Typically the client authentication name would be in the subject name field for the client certificate.

Screenshot showing the client metadata using the subject matches the authentication name option.

  1. Select Create button to create the client.

Sample certificate object schema

    "properties": {
        "description": "CA certificate description",
        "encodedCertificate": "-----BEGIN CERTIFICATE-----`Base64 encoded Certificate`-----END CERTIFICATE-----"

Azure CLI configuration

Use the following commands to upload/show/delete a certificate authority (CA) certificate to the service

Upload certificate authority root or intermediate certificate

az resource create --resource-type Microsoft.EventGrid/namespaces/caCertificates --id /subscriptions/`Subscription ID`/resourceGroups/`Resource Group`/providers/Microsoft.EventGrid/namespaces/`Namespace Name`/caCertificates/`CA certificate name` --api-version  --properties @./resources/ca-cert.json

Show certificate information

az resource show --id /subscriptions/`Subscription ID`/resourceGroups/`Resource Group`/providers/Microsoft.EventGrid/namespaces/`Namespace Name`/caCertificates/`CA certificate name`

Delete certificate

az resource delete --id /subscriptions/`Subscription ID`/resourceGroups/`Resource Group`/providers/Microsoft.EventGrid/namespaces/`Namespace Name`/caCertificates/`CA certificate name`

Next steps