Use certificates with Azure API Management

When securing web services that are exposed to external clients, you can use basic authentication, client certificates, or Azure Active Directory B2C. In an earlier post I described the use of basic authentication. In this post, I focus on the use of client certificates. We first have to add the client certificate to Azure API Management; then we can use the following inbound policy.

<choose>
   <!-- No client certificate was presented at all -->
   <when condition="@(context.Request.Certificate == null)">
      <return-response>
         <set-status code="401" reason="Client certificate required" />
      </return-response>
   </when>
   <!-- A certificate was presented, but its thumbprint does not match
        the value stored in the named value "thumbprint-dev" -->
   <when condition="@(context.Request.Certificate.Thumbprint != "{{thumbprint-dev}}")">
      <return-response>
         <set-status code="403" reason="Invalid client certificate" />
      </return-response>
   </when>
</choose>

First we check whether a certificate was presented at all. Then we check that the certificate has the expected thumbprint value, which is stored in the named value thumbprint-dev so that it is not hard-coded in the policy.

When it comes to the certificates, note that we are not using CA certificates. I think CA certificates are server certificates that can be used in a mutual SSL scenario (I’m not sure). From docs.microsoft.com I understand that you only have to use this functionality if your services require a custom CA certificate.
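As an added example that is not part of the original post, here is the same check taken one step further, in the way the Azure API Management documentation describes it: the policy first requires a certificate, then validates it with Verify(), and then matches its thumbprint against the certificates uploaded to the API Management instance (context.Deployment.Certificates) instead of a single named value. It assumes the gateway is configured to negotiate client certificates; the X-Client-Thumbprint header name is a placeholder of my own choosing.

```xml
<inbound>
    <base />
    <choose>
        <!-- No client certificate was presented at all -->
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="401" reason="Client certificate required" />
            </return-response>
        </when>
        <!-- Verify() builds the chain to a trusted root and checks the
             validity period, so expired or untrusted certificates stop here -->
        <when condition="@(!context.Request.Certificate.Verify())">
            <return-response>
                <set-status code="403" reason="Client certificate failed validation" />
            </return-response>
        </when>
        <!-- Accept only certificates that were uploaded to this API Management
             instance; thumbprints are compared as upper-case SHA-1 hex strings -->
        <when condition="@(!context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint))">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
    <!-- Placeholder header name: pass the verified identity on to the backend
         so it does not have to repeat the check -->
    <set-header name="X-Client-Thumbprint" exists-action="override">
        <value>@(context.Request.Certificate.Thumbprint)</value>
    </set-header>
</inbound>
```

One caveat: Verify() only succeeds when the certificate chains to a root that the gateway trusts, so for self-signed client certificates it fails unless the issuing CA has been uploaded as a CA certificate. That is the scenario the CA certificate feature mentioned above is for; with self-signed certificates, the thumbprint comparison from the policy earlier in the post is the check that works.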