Azure APIM with certificate authentication error using .pfx certificate

Time:05-26

Hello, everyone.

I am experiencing an issue with configuring an APIM operation with an inbound policy, which handles calls to a remote endpoint. I have saved the certificate which was provided to me by an external service and am using its thumbprint in the policy. The remote endpoint validates requests using the certificate.

<policies>
<inbound>
    <base />
    <send-request mode="new" response-variable-name="result" timeout="300" ignore-error="false">
        <set-url>https://ip:port/path</set-url>
        <set-method>POST</set-method>
        <set-header name="Accept" exists-action="override">
            <value>*/*</value>
        </set-header>
        <set-header name="Content-Type" exists-action="override">
            <value>application/xml</value>
        </set-header>
        <set-body>@(context.Request.Body.As<string>())</set-body>
        <authentication-certificate thumbprint="thubprint" password="password" />
    </send-request>
    <return-response response-variable-name="result" />
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>
</policies>

But as a response I am getting a 500 error

send-request (259.918 ms)
{
    "messages": [
        "Error occured while calling backend service.",
        "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.",
        "The remote certificate is invalid according to the validation procedure."
    ]
}

Thanks beforehand. Would appreciate any help.

CodePudding user response:

As discussed in the comments, adding gist as a community wiki answer to help community members who might face a similar issue.

But as a response I am getting a 500 error

  • If you are using self-signed certificates, you will need to disable certificate chain validation for API Management to communicate with the backend system. Otherwise, it will return a 500 error code.

# Build a context object that identifies the API Management instance
$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'

# Create a backend entity with certificate chain validation turned off
New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true

Note: As of now disabling certificate chain validation is only possible for backend policy.

You can refer to Azure API Management - Validate incoming client certificate and Send cert to backend, Is disabling Validate certificate chain safe? and Protect your APIs with Azure API Management
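
Before turning validation off, it helps to see which check the backend certificate actually fails. The following is an added example, not part of the original question or answer: a PowerShell function (the name Get-BackendCertificateReport and the sample host are hypothetical) that reads the certificate an endpoint presents and reports whether it is self-signed, which names it covers, and why the chain does not build. It assumes it runs on a machine that can reach the backend, and its chain result reflects that machine's trust store, not API Management's.

```powershell
# Added example: inspect the certificate a TLS endpoint presents and report
# why chain or name validation would fail. Host and port are placeholders.
function Get-BackendCertificateReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name or IP used in the policy URL
        [int] $Port = 443
    )
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate for this diagnostic handshake only, so the
        # certificate can be read even when it would fail validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Rebuild the chain against this machine's trust store (revocation not checked).
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Subject Alternative Name (OID 2.5.29.17) lists the names the certificate covers.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
        SubjectAlt  = if ($san) { $san.Format($false) } else { '(none)' }
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Constructed sample call; replace with the host and port from <set-url>.
# Get-BackendCertificateReport -HostName 'backend.example.test' -Port 8443
```

A ChainStatus of UntrustedRoot with SelfSigned set to True matches the self-signed case described in the answer. When the policy URL uses an IP address, also compare that address with the SubjectAlt field, since a certificate that does not list it fails name validation independently of the chain.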
