Use certificates with Azure API Management

When securing web services that are exposed to external clients, you can use basic authentication, client certificates or Azure Active Directory B2C. In an earlier post I described the use of basic authentication. In this post, I focus on the use of client certificates.

We can either use the default Azure certificate and domain or we can add a custom domain to API Management. In this case we use the default certificate and indicate we want to negotiate (or verify) client certificates:

Then we can use the following inbound policies.

    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response><set-status code="401" reason="Client certificate required" /></return-response>
        </when>
        <!-- Thumbprint is upper-case hex without separators; the named value must match exactly -->
        <when condition="@(context.Request.Certificate.Thumbprint != "{{thumbprint-dev}}")">
            <return-response><set-status code="403" reason="Invalid client certificate" /></return-response>
        </when>
    </choose>

First we check whether a certificate was passed at all. Then we check whether the certificate has the expected thumbprint value, which is stored in the named value `thumbprint-dev` so that the policy itself contains no secrets. The `return-response` wrapper matters: a bare `set-status` would only change the status code while the request still continued to the backend.
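A thumbprint pin alone says nothing about whether the certificate is still within its validity period. The following inbound policy is an added example, not code from the original post: it keeps the same `thumbprint-dev` named value as above and adds a validity-window check and, as an assumption about the APIM policy context, a call to `context.Request.Certificate.Verify()`, which validates the chain against the CA certificates uploaded to the API Management instance. Everything else uses only the `choose`, `when`, `return-response` and `set-status` elements already shown on this page.

```xml
<inbound>
    <base />
    <choose>
        <!-- No certificate was negotiated for this request -->
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="401" reason="Client certificate required" />
            </return-response>
        </when>
        <!-- Certificate present but outside its NotBefore/NotAfter window -->
        <when condition="@(context.Request.Certificate.NotBefore > DateTime.UtcNow
                           || context.Request.Certificate.NotAfter < DateTime.UtcNow)">
            <return-response>
                <set-status code="403" reason="Client certificate expired or not yet valid" />
            </return-response>
        </when>
        <!-- Chain does not validate against the uploaded CA certificates (assumption: Verify() is available) -->
        <when condition="@(!context.Request.Certificate.Verify())">
            <return-response>
                <set-status code="403" reason="Client certificate chain not trusted" />
            </return-response>
        </when>
        <!-- Finally pin the exact certificate; thumbprint is upper-case hex, no colons -->
        <when condition="@(context.Request.Certificate.Thumbprint != "{{thumbprint-dev}}")">
            <return-response>
                <set-status code="403" reason="Invalid client certificate" />
            </return-response>
        </when>
    </choose>
</inbound>
```

The checks are ordered from cheapest to most specific, and each failure returns before the backend is reached. Because the expiry check runs before the pin, a rotated-but-expired certificate is rejected with a distinct reason, which makes the failure easier to spot in the gateway logs than a generic thumbprint mismatch.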

When it comes to the certificates, note that we are not using CA certificates. I think CA certificates are server certificates that can be used in a mutual SSL scenario (I’m not sure). From what I understand, you only have to use this functionality if your services require a custom CA certificate.

Apart from securing API Management services via certificates, we can also secure backend services using certificates. First we have to upload a certificate via the Security/Certificates menu. Next we can go to the Design surface of our service, go to the Backend section and specify that we want to use a client certificate to authenticate API Management to the backend service.
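The portal setting described above has a policy equivalent, which is what you end up with when you export or version the API definition. The snippet below is an added example, not from the original post: it uses the `authentication-certificate` policy to present an uploaded certificate to the backend, referenced by its thumbprint through an assumed named value `backend-cert-thumbprint` (the named value name and the backend URL are placeholders). The certificate itself must already be uploaded under Security/Certificates, as the post explains.

```xml
<policies>
    <inbound>
        <base />
        <!-- Assumed backend address; replace with the real backend for the API -->
        <set-backend-service base-url="https://backend.example.invalid" />
        <!-- Present the uploaded client certificate to the backend during the TLS handshake.
             The thumbprint is upper-case hex without separators, stored as a named value so
             the policy can be committed to source control without secrets. -->
        <authentication-certificate thumbprint="{{backend-cert-thumbprint}}" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A useful check after wiring this up is to look at the backend's own logs for the certificate subject it received: if the backend sees no client certificate at all, the thumbprint in the named value usually does not match any certificate uploaded to the instance, and the gateway silently falls back to an unauthenticated connection.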