Azure API Management service - Difference between setting up certificate in custom domain and API

Time:09-26

I am working on setting up an API Management service on Azure. My question is related to setting up the SSL certificate that was generated using Azure Key Vault.

My certificate was created with the CNAME as *.contoso.com. My custom domain in the API Management service is api.contoso.com. Now, when I'm setting up my custom domain, there is a field to select the certificate from Key Vault, which I have already done. Now when I import the API using OpenAPI spec and go to Settings, there is also an option to select a Client cert under the Gateway credentials heading (see screenshot attached).

My question is, what is the difference between these two? If I have already provided a certificate when setting up the custom domain, do I need to add the certificate to the API as well?

Just a piece of extra information. My plan is to import two APIs and set them up at https://api.contoso.com/app1 and https://api.contoso.com/app2

API through OpenAPI spec import

CodePudding user response:

The backend gateway credentials are for authenticating the API Management instance ("gateway") to the backend service that doesn't know it's being called by a gateway. It's there on the assumption that you can't always pass through a valid set of credentials from the client, since one of API Management's roles is to work as an adapter for services not necessarily designed to be called by clients on the internet.

You've already worked out what the custom domain certificate is for; this is so that the API Management instance can negotiate TLS on the frontend with a certificate whose subject matches the hostname the caller connected with.
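The frontend hostname check described in the answer above, as an added example that is not part of the original question or answer. It uses the hostnames from the question; the function names are hypothetical, and the matcher assumes the common RFC 6125 rule that `*` is accepted only as the entire left-most label. The client certificate under Gateway credentials plays no part in this check, because it is presented by the gateway to the backend rather than to the caller.

```python
from urllib.parse import urlsplit


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the hostname the caller used.

    Assumption: '*' is honoured only as the whole left-most label and
    stands for exactly one label (partial wildcards are rejected).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard ("*.com" is refused).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def frontend_cert_covers(url: str, cert_dns_names: list) -> bool:
    """True if the certificate bound to the custom domain is valid for this URL.

    Only the hostname is compared; the URL path is never part of TLS validation.
    """
    host = urlsplit(url).hostname
    return host is not None and any(san_matches(p, host) for p in cert_dns_names)


# Values taken from the question: wildcard certificate and the two planned API URLs.
CERT_DNS_NAMES = ["*.contoso.com"]
PLANNED_URLS = [
    "https://api.contoso.com/app1",
    "https://api.contoso.com/app2",
]

if __name__ == "__main__":
    for url in PLANNED_URLS:
        print(url, "->", frontend_cert_covers(url, CERT_DNS_NAMES))
    # Constructed negative cases: the apex and a deeper subdomain are not covered.
    for url in ["https://contoso.com/app1", "https://v1.api.contoso.com/app1"]:
        print(url, "->", frontend_cert_covers(url, CERT_DNS_NAMES))
```

Both planned APIs share one hostname, so the single custom-domain certificate serves them both regardless of the `/app1` and `/app2` paths.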
