How to create an OCSP request and validate response using Azure APIM?


Problem description


As recommended over here, I am toying with enabling Azure API Management (APIM) as a way to reduce unwanted traffic to an HTTP-triggered Azure Function.

The idea is to use APIM as a means to force the endpoint server (managed by Microsoft) to reject unknown requests (those not in the APIM "Trust Store" (for lack of a proper term)) before they are forwarded to the Function's application code.

In the APIM docs, there are examples of checking the client-cert thumbprint, issuer and subject, but no examples of creating an OCSP request and validating the response to show the client-cert has not been revoked.

I am already handling this in the application code, but don't want to split client-cert validation logic between APIM and the app code. It needs to be handled entirely in APIM.

How do I use the APIM XML syntax to generate an OCSP request and decode its response to determine cert revocation status?

Is it even possible?

Solution

Disclaimer: I have no knowledge of Azure APIM and have never used it.

OCSP requests have their downsides (quick Google search result), which might be a reason not to allow or not to implement them.

My naive question in return would be: Is it easy for you to update the "Trust store" in a timely manner? Is it therefore feasible to also update the APIM settings when you revoke a certificate?
