要上载到Azure APIM的客户端证书的类型? [英] Type of Client-Cert to upload to Azure APIM?

问题描述

我有一个HTTP触发的Azure函数，前面带有Azure API管理(APIM).

I have an HTTP-triggered Azure Function fronted with Azure API Management (APIM).

• 客户端证书在Azure 功能级别设置为 Require :

• Client-certificates are set to Require at the Azure Function level:

• 并且在 APIM 级别:

我需要将客户端证书( public 客户端证书)添加到信任存储"某种形式.似乎出现了客户证书".APIM的页面等效于信任库.

I need to add client-certificates (public client-certificates) to a "Trust Store" of some sort. It appears the "Client Certificate" page of APIM is equivalent to a Trust Store.

问题是:APIM在这里寻找哪种类型的客户证书?

• 应该只是客户的公开证书，对吧?
• 我不应该将它们存储在Azure Key Vault中，因为它们不包含私钥
• 我只需要检查请求中的客户端证书是否来自受信任的源"服务器即可.阻止请求(如果它们是未知客户端)到达我的应用程序代码.

• Should just be the clients public certificate, right?
• I should not have to store these in Azure Key Vault as they do not contain private keys
• I just need to check whether the client-certificate in the request is from a "Trusted Source" to prevent requests from reaching my application code if they are unknown clients.

推荐答案

我认为此文档有一个生动的解释，说明了在Azure API中启用客户端证书身份验证.总结一下，您不必上传证书文件，因为您可以在策略中将 Thumbprint 设置为类似

I think this doc have a vivid explanation of enable client-certificate authentication in azure apim. To sum up here is that you don't have to upload the certificate file because you can set the Thumbprint in the policy with a value like

<when condition="@(context.Request.Certificate == null 
       || context.Request.Certificate.Thumbprint != "456AAB1833DF842152605DF6C2B1DB2BBA29380D"
       || context.Request.Certificate.NotAfter<DateTime.Now)">

如果您上传证书，则可以这样设置策略:

And if you upload the certificate, you can set the policy like this:

<when condition="@(context.Request.Certificate == null 
       || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint)
       || context.Request.Certificate.NotAfter<DateTime.Now)">

这是相关的 查看全文