How do we access a certificate stored in API Management under CA Certificates - azure-api-management

I am trying to secure the client API in API Management using client certificates.
context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)
only checks against the certificates stored under "Certificates" and not against those under "CA Certificates".
How do I get all the certificates stored under CA Certificates and then compare them against the thumbprint?

There is no runtime access to that collection. The purpose of CA certificates is to make sure that SSL certificates, and any certificate you call .Validate on, can build and validate a chain.

Related

Ingress client certificate authentication requires the CA certificate to be stored in a secret?

I want to enable client-certificate authentication in my AKS cluster, and I have a basic question which I just don't seem to understand. As per the docs, the ingress requires the CA certificate to be stored in a secret. My question is: assuming that I use client certificates that have been issued by a trusted CA (that's how it works, right? CAs issue client certificates that they sign), why would a trusted CA give me their CA certificate to be stored in the AKS cluster as a secret? Do CAs just hand their certificates out to the public? Isn't that a security issue (since I could sign client certificates using that CA certificate)?
The CA certificate .crt file doesn't contain the private key. It only contains the public key plus the certificate information, which is public and can't be used to sign new certificates. You can safely store the ca.crt in a Kubernetes Secret; only the server certificate requires its private key.

API Management to forward client certificate

I am trying to achieve the following scenario but end up with a 403 response.
Client -> sends Cert A -> API Management -> Forwards Cert A -> Backend API (Azure API App) -> Authenticates the certificate.
Is there a way to configure API Management to forward the incoming certificate to the backend API?
I tried various transformation policies on the incoming request, but none of the options worked.
Please suggest.
This is technically not possible, since the client certificate's private key is never transmitted over the wire. So there is no way APIM could use it to authenticate to the backend. Even more so since there is no affinity between the client connection and the backend connection in APIM. Your best option is to send client certificate information in a custom header. You can use the set-header policy to set it at the APIM level, along with policy expressions to extract client certificate information from the request.
With the newer authentication-certificate policy (learn.microsoft.com) you can return the certificate as a byte[] from a separate send-request response-variable and use it as follows:
<authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
You could store the password as a secret named value, or even get it from Key Vault by using this snippet:
github.com/Azure/api-management-policy-snippets

Self-signed certificate (CA) import into Windows certmgr.msc using Chrome or IE is not working

Using OpenSSL, I generated my own Certificate Authority (CA), and using this CA I generated a self-signed server certificate and key. This server certificate and key were used to configure an Apache HTTPD proxy and a Tomcat server, which start successfully, and I am able to load the application UI and work as expected (all functionality is fine).
Now, since it is a self-signed server certificate, the browser URL pane shows "Certificate error" / "Not secure" every time. I tried to import this certificate into my Windows Trusted Root Certification Authorities store using Chrome or IE. The certificate import is successful.
Looking at the certificate in the Windows Certificate Manager (certmgr.msc), Windows says it "does not have enough information to verify this certificate". When looking at the certificate path, the only certificate shown is the certificate itself (with a yellow exclamation mark), and the certificate status indicates: "The issuer of this certificate could not be found". Checking the certificate name, I find that the server certificate was imported instead of the CA certificate. While I can see the certificate in certmgr.msc, in the browser the imported certificate does not even show under Trusted Root Certification Authorities. The Common Name (CN), Subject Alternative Name (SAN), etc. are all present as expected, as I know they are important.
After I manually import the CA certificate (which I already have) separately from the browser, the UI loads with the green padlock as expected.
I checked online for suggestions and I can see many threads like this0, this1, this2, this3, this4, this5, without much help. None of them solved this import issue without a manual CA cert import.
What am I missing? With the browser certificate import, why is the server certificate imported and not the CA certificate?
What should I do to import the CA certificate directly, reading it from the server certificate? Should we install the CA certificate manually? If yes, then how do I import this CA certificate on a remote machine when I try to access my application from outside the system (a remote system's browser)? Kindly help.
Finally I was able to figure out how to solve this issue. I am answering my own question here so that it might help anyone else facing the same issue.
Initially you generate your own CA and server private key, and then using that CA you sign the server certificate. We were using an Apache HTTPD proxy server, and in the configuration, along with SSLCertificateFile, SSLCACertificateFile needs to be set to the CA certificate. Upon loading the URL in the browser, "Certificate error" or "Not Secure" will be shown. When clicking through to import the certificate, under Certificate details you will see the CA certificate followed by the server certificate. Save the CA certificate locally to Trusted Root Certification Authorities (save the CA and NOT the server certificate) so that you install this CA (the one we created); once the CA certificate is imported successfully, the connection will be shown as secure with a green padlock in the URL bar. This can be done from the local machine or any remote machine accessing the URL.
All certificates that we newly generate and sign with this same CA will be inherently trusted thereafter.
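The openssl walk-through below is an added example, not code from any of the posts on this page. It ties together three of the threads above: the API Management question about comparing thumbprints against the CA Certificates store (the answer there says that store exists for chain validation), the AKS answer that ca.crt holds no private key, and this thread's private CA plus CA-signed server certificate. Every name in it (the CA names, app.example.test, the file names) is made up, and it assumes only that the openssl CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not code from any of the posts on this page. It uses only the
# openssl CLI (1.1.1 or 3.x assumed on PATH); every name, CN and hostname below
# is made up for the example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

# make_ca DIR CN: private CA with an EC P-256 key. The .crt carries only the
# public key and the self-signed certificate; that is the file a browser, an
# ingress Secret or APIM's "CA Certificates" store gets. The key stays in ca.key.
make_ca() {
  mkdir -p "$1"
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    '[ dn ]' "CN = $2" \
    '[ ca_ext ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$1/ca.cnf"
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 365 -config "$1/ca.cnf" -extensions ca_ext \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_server CADIR OUTDIR DNSNAME: leaf certificate for DNSNAME signed by the
# CA, with a SAN (browsers ignore the CN) and the serverAuth EKU. Also writes
# chain.crt (leaf first, then CA): the file the web server should present so a
# browser's certificate dialog shows the issuer and not just the leaf.
issue_server() {
  ca="$1"; out="$2"; name="$3"
  mkdir -p "$out"
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    '[ dn ]' "CN = $name" \
    '[ leaf ]' 'basicConstraints = critical, CA:FALSE' \
    'keyUsage = critical, digitalSignature' 'extendedKeyUsage = serverAuth' \
    "subjectAltName = DNS:$name" > "$out/leaf.cnf"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$out/leaf.cnf" -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  openssl x509 -req -in "$out/server.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$out/leaf.cnf" -extensions leaf \
    -out "$out/server.crt" 2>/dev/null
  cat "$out/server.crt" "$ca/ca.crt" > "$out/chain.crt"
}

# chain_ok CAFILE CERT: succeeds when CERT chains to CAFILE. This is the check
# a CA store exists for (what .Verify() on context.Request.Certificate does).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# thumbprint CERT: SHA-1 fingerprint as upper-case hex without colons, the
# form X509Certificate2.Thumbprint has inside an APIM policy expression.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//; s/://g'
}

# pem_has_private_key FILE: succeeds if FILE contains a PEM private key block.
pem_has_private_key() { grep -q 'PRIVATE KEY' "$1"; }

demo() {
  d="$(mktemp -d)"
  make_ca "$d/ca" "Example Private CA"
  make_ca "$d/other" "Unrelated CA"
  issue_server "$d/ca" "$d/v1" app.example.test
  issue_server "$d/ca" "$d/v2" app.example.test   # a renewal: new key, new serial

  if pem_has_private_key "$d/ca/ca.crt"; then echo "ca.crt contains a key (unexpected)"; fi
  echo "v1 chains to CA:        $(chain_ok "$d/ca/ca.crt" "$d/v1/server.crt" && echo yes || echo no)"
  echo "v2 chains to CA:        $(chain_ok "$d/ca/ca.crt" "$d/v2/server.crt" && echo yes || echo no)"
  echo "v1 chains to other CA:  $(chain_ok "$d/other/ca.crt" "$d/v1/server.crt" && echo yes || echo no)"
  echo "v1 thumbprint: $(thumbprint "$d/v1/server.crt")"
  echo "v2 thumbprint: $(thumbprint "$d/v2/server.crt")   (an allowlist pinned to v1 breaks here)"
  rm -rf "$d"
}
demo
```

Two things to notice when running it: the renewed certificate (v2) still validates against the CA while its thumbprint differs, which is the practical difference between chain validation through a CA store and a thumbprint allowlist; and chain.crt is the leaf followed by the CA, which is what the server has to present for the browser's certificate dialog to show (and let you import) the issuer. On Apache 2.4.8 and later that chain goes into the file named by SSLCertificateFile; SSLCACertificateFile is the trust store Apache uses to verify client certificates, not what it sends to browsers.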

AWS MQTT Server Authentication with CA Certificate

I am trying to establish mutual X.509 certificate authentication between the MQTT client and AWS IoT.
On the X.509 Certificates and AWS IoT page, it is mentioned that one can
reference the CA root certificate in your device code when you connect to AWS IoT. For more information, see the AWS IoT Device SDKs.
However, when I look through the documentation for the Java SDK as well as the API documentation, I see no mention of how to do this. I have downloaded the CA certificate, but I do not see where I can pass it in when setting up the AWSIotMqttClient:
this.client = new AWSIotMqttClient(clientEndpoint, clientId, pair.keyStore, pair.keyPassword);
Could someone please point me in the right direction?

Secure webapi in APIm?

To borrow some thoughts on using APIM to secure a web API, are the scenarios below supported?
certificate
The intention is to secure the Azure-hosted web API. My thought now is to have APIM validate the incoming calling client and check that the thumbprint is one of the certificates I configured in APIM; once authenticated, APIM forwards the call to my web API using another certificate (which I would hardcode in my web API's logic check).
IP restriction
The intention is to limit the caller IP in APIM; furthermore, I can somehow configure the web API to accept calls only from APIM and nowhere else (lock down).
Yes, all the scenarios are possible. Refer to the links below:
Secure Apis with client certificate
Secure your backend with mutual certificates
Restrict caller IPs policy