I need to call some API of an application from some other application using certificate authentication.
I can access local application certificate using StoreName=My;StoreLocation=LocalMachine;FindType=FindByThumbprint;FindValue=83D2CEE781FC8D7E6C5372433CBACA75F9BC4B34
But I am not able to access the certificate of application which is hosted in Azure.
Can you please suggest how to access certificate parameters from Azure like StoreName and StoreLocation from my local application?
Can you elaborate what you mean with hosted in Azure? App Services, Container, AKS, VM, etc?
For App Services there is an option you might want to give a shot:
https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code#load-certificate-in-windows-apps
You can also store certificates in KeyVault and access those securely - but this would require code changes. Example for secrets, but works similar for certificates
If you want 100% the same way it works currently, you will need to stick with VMs.
Related
I am using Azure App Service to access a webservice hosted elsewhere. The webservice requires mutual TLS Authentication.
I have been given the public certificate from the provider of the webservice but where do I install this public certificate in Azure? In a traditional server environment, I would install in the certificate store. But in Azure, do I install it on the application gateway? or the Vault? How does Azure app service know where the certificate is installed and present it?
Private and Public certificates can be uploaded to Azure Web App: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate?tabs=apex%2Cportal
Code running in Azure Web App can access those certificates in different ways, it depends on what language and runtime your application is using: https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-certificate-in-code
In regards to your other questions:
"do I install it on the application gateway"?
From what I understand, your application is going to make outgoing calls to a webservice hosted elsewhere. Azure Web App outgoing traffic does not go through Application Gateway - so no, in your case storing certificate in Azure Web App and accessing it from the code is a good solution.
"or the Vault"? Azure Web App can also store certificates in Azure Key Vault. Your code could also connect to Azure Key Vault directly, bypassing Azure Web App key store altogether.
Finally, "How does Azure app service know where the certificate is installed and present it?" Please see the first two links I provided.
In the future, Azure has an excellent documentation on all of their products, a simple search engine search typically helps to narrow down many primitive answers.
Welcome to StackOverflow!
I have a console application that is going to be deployed on an On-Premises Server (Not an Azure-hosted one). Can I make use of Managed Identities to retrieve a secret from my azure key vault? Is it possible... please guide me here.
No, you cannot use Managed Identity (both system assigned and user assigned) outside of Azure. They can only be used with resources running in Azure.
What you would need to do is connect to your Key Vault using a Service Principal (using client id and client secret or certificate) and retrieve secrets that way.
I have been looking at various tutorials demoing how identity management works as well as API management in azure but I am not seeing an answer to my questions. I understand that managed identities can be used to authorize azure resource to resource communication but I am not seeing how this is done for a web application. Say for example I have an angular website being hosted on an nginx server in an AKS cluster. I understand that I could use Identity management to create Identity resources that make it so that the AKS and APIM are authorized to connect with one another but how would I do this for the angular running application? This application is running in the client's browser, so it seems like this identity management mechanism would not work. How does one secure an APIM so only a given web application can interact with it?
You could secure your API in APIM with the client certificate, then when the app access the API, validate the incoming certificate and check certificate properties against desired values using policy expressions.
For more details, see How to secure APIs using client certificate authentication in API Management.
Can we use Service Management API to create/update/Delete Resource with XAMPP Localhost? They seek Certificates .cer and .pfx. I have uplaoded under Azure panel and unser my service -> SSL Settings.
When I am trying to make a connection from my local machine for Service API it still giving me exception Certificate not found. I am using PHP SDK for Azure. [package : "microsoft/windowsazure": "^0.5"]
can someone please guide me how to make conneciton from local and what if I want to make it in production?
Was using wrong format of certificates, it needs .pem file absolute path. .cer must have to be imported under your Subscription Management certificates in Azure portal
During the development, we didn't get the domain binding for our application, so we just use the Azure URL, something like this: xxx.cloudapp.net.
Because we would like our website use HTTPS protocol, we need to use a certificate, just follow the MSDN, we generated the self-signed pfx file using IIS Manager. Before we publish our application to cloud, we upload the pfx file to cloud by the portal page.
So my question is, is above the only way for this situation? Which I means, I need to upload the certificate to cloud manually first, then publish the application? Is there a way I don't need to to this, something like I even not rely on IIS Manager, the cloud can generate a certificate?
Simple answer to your question is No, Azure can't create a certificate for you. But you could do the same.
To elaborate further, let me explain you what's happening behind the scenes. So you have uploaded the PFX certificate in the portal and in your application configuration screen you have specified the thuumbprint of that certificate. When Azure Fabric Controller spins of the VM, it checks for this certificate thumbprint and based on that it fetches the certificate you uploaded previously and installs that certificate. Furthermore it makes changes to the IIS settings does the SSL magic. Now if you want (not sure why) but you could do the same. If we take just development environment, what you could do is write a startup task which would first create a certificate using makecert utility. Then you would write some IIS scripts which will do the SSL magic for IIS.
Yet another thing you could do is automate the deployment of your code using Azure PowerShell Cmdlets. As a part of deployment automation, 1st thing you would do is upload the SSL certificate using Add-AzureCertificate and then create a deployment of your service using New-AzureDeployment.