要上载到Azure APIM的客户端证书的类型? [英] Type of Client-Cert to upload to Azure APIM?
问题描述
我有一个HTTP触发的Azure函数,前面带有Azure API管理(APIM).
I have an HTTP-triggered Azure Function fronted with Azure API Management (APIM).
- 客户端证书在Azure 功能级别设置为
Require
:
- Client-certificates are set to
Require
at the Azure Function level:
- 并且在 APIM 级别:
我需要将客户端证书( public 客户端证书)添加到信任存储"某种形式.似乎出现了客户证书".APIM的页面等效于信任库.
I need to add client-certificates (public client-certificates) to a "Trust Store" of some sort. It appears the "Client Certificate" page of APIM is equivalent to a Trust Store.
问题是:APIM在这里寻找哪种类型的客户证书?
- 应该只是客户的公开证书,对吧?
- 我不应该将它们存储在Azure Key Vault中,因为它们不包含私钥
- 我只需要检查请求中的客户端证书是否来自受信任的源"服务器即可.阻止请求(如果它们是未知客户端)到达我的应用程序代码.
- Should just be the clients public certificate, right?
- I should not have to store these in Azure Key Vault as they do not contain private keys
- I just need to check whether the client-certificate in the request is from a "Trusted Source" to prevent requests from reaching my application code if they are unknown clients.
推荐答案
我认为此文档有一个生动的解释,说明了在Azure API中启用客户端证书身份验证.总结一下,您不必上传证书文件,因为您可以在策略中将 Thumbprint
设置为类似
I think this doc have a vivid explanation of enable client-certificate authentication in azure apim. To sum up here is that you don't have to upload the certificate file because you can set the Thumbprint
in the policy with a value like
<when condition="@(context.Request.Certificate == null
|| context.Request.Certificate.Thumbprint != "456AAB1833DF842152605DF6C2B1DB2BBA29380D"
|| context.Request.Certificate.NotAfter<DateTime.Now)">
如果您上传证书,则可以这样设置策略:
And if you upload the certificate, you can set the policy like this:
<when condition="@(context.Request.Certificate == null
|| !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)
|| context.Request.Certificate.NotAfter<DateTime.Now)">
这是相关的 查看全文