Azure KeyVault generated certificate is showing Not Valid in Browser - azure

Created a self-signed certificate in Azure KeyVault as below with DNS:
[screenshot: Azure KeyVault Certificate]
I have added the certificate to Azure Kubernetes Service as a secret using secret-store-csi-driver and added it to the ingress.
The problem is that, while opening the DNS in the browser, it shows the certificate is not valid, as below:
[screenshot: Certificate Not valid]
The certificate is already added to the trusted store and shows as below:
[screenshot: Certificate Details]
Also, the certificate in the browser is the one in the Azure KeyVault certificate, as is evident from the validity date.
What could be the issue?

When you self-sign a certificate, your operating system or browser won't trust this cert, as it is self-signed and considered insecure for the Internet.
You need to use a cert from a valid Certification Authority or import the CA root cert that created the cert into your OS or browser. But every user needs to do this.
A better approach is cert-manager if you are using AKS. cert-manager can issue certificates from Let's Encrypt. Here is a workflow from Microsoft for this.

Related

Azure APIM - how to validate client certificate using context.Request.Certificate.Verify()

I am trying to validate a client certificate in Azure API Management using the context.Request.Certificate.Verify() method.
I have tried the following steps:
1. I have created a self-signed root CA certificate and then created a client certificate and key file.
2. Now from Postman, I am trying to call a method attaching the client certificate. I have verified that the certificate is sent to APIM via trace.
3. Have uploaded the root CA certificate in APIM -> CA certificates. While uploading I converted it to a ".cer" file, as it is not accepting a ".crt" file, and set the Store as "Trusted root".
4. In the APIM policy, have used the method to validate the client certificate via context.Request.Certificate.Verify().
Now, when I try to call the APIM API with the client certificate, the above method (step 4) always comes back as False, verified from the APIM trace. Not sure what I am doing wrong and where. Any help/guidance or any article is really helpful.
I faced similar issues; the investigation summary / cause is below:
Later the customer encountered the issue again when they sent a PFX certificate as a client certificate to APIM from Postman.
The self-signed certificate's CRL distribution list (URLs in certificate revocation lists) and access information cannot be publicly reached (APIM is publicly hosted and not internal), hence certificate.verify fails.
2 options to fix the issue:
1. Purchase a certificate from a public trusted CA.
2. Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify, so that APIM will not check the revocation list during certificate.verify.
Note:
If certificate.verify is a mandatory order from your security team, then you would have to purchase a certificate from a trusted CA.
Or you need to use VerifyNoRevocation, since APIM cannot retrieve revocation list information; VerifyNoRevocation will still verify the certificate path as well.
For client certificate validation in Azure API Management, generally the following steps are required:
1. Generate a root CA and intermediate CA along with the client certificates.
2. Upload the intermediate certificate, which validates client certificates sent by the user.
You can utilize this guide to set up the CA.
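The two answers above, and the first answer on this page, all come down to the same two checks. The Go program below is an added example (not code from any of the answers or from APIM) that reproduces them with the standard library: a leaf signed by a private root only validates when that root is in the supplied trust store, and a revocation-aware check fails when the CRL endpoint cannot be reached even though the chain-only check (the VerifyNoRevocation behaviour) passes. The CA names, the CRL URL and the fetch hook are constructed for the example; only the reachability of the CRL is tested, its contents are not parsed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func mustCert(t, parent *x509.Certificate, pub, signer any) *x509.Certificate { // parent == t means self-signed
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return c
}

// BuildChain makes a constructed private root CA and a client leaf whose CRL is published on an internal-only URL.
func BuildChain() (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	root = mustCert(rootT, rootT, &rootKey.PublicKey, rootKey)
	leaf = mustCert(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client1"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: []string{"http://crl.internal.example/root.crl"}}, // constructed URL
		root, &leafKey.PublicKey, rootKey) // the leaf is signed with the root's key
	return
}

// Verify builds the chain from leaf to roots (what APIM's VerifyNoRevocation does) and, when fetch is non-nil, also
// retrieves every CRL through that hypothetical hook (what Verify adds); an unreachable CRL endpoint fails the check.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, fetch func(url string) ([]byte, error)) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // e.g. x509.UnknownAuthorityError when the private root is not in roots
	}
	for _, u := range leaf.CRLDistributionPoints {
		if fetch == nil {
			break // revocation checking deliberately skipped
		}
		if _, err := fetch(u); err != nil { // only reachability is tested here; the CRL body is not parsed
			return err
		}
	}
	return nil
}
```

Passing an empty x509.NewCertPool() as roots is the browser or APIM without your CA uploaded; passing a pool that contains the root is the "upload the CA certificate" fix.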

How to verify my client certificate with the Root CA certificate in Azure API Management inbound policy?

I have to take my Root CA from Azure Key Vault inside the Azure APIM inbound policy and verify the requested client certificate inside the policy.
For this I have followed the link below and am able to get the certificate:
https://github.com/galiniliev/api-management-policy-snippets/blob/galin/AkvCert/examples/Look%20up%20Key%20Vault%20certificate%20using%20Managed%20Service%20Identity%20and%20call%20backend.policy.xml
But I am not able to validate the client certificate by using my Root CA that I have fetched from Azure Key Vault.
Following are the values of the Root CA that I am getting from Azure Key Vault:
Can anyone help me verify the client certificates inside the inbound policy?
A certificate you obtain dynamically from AKV cannot currently be used to validate the client certificate from the request. The only way is to upload the CA certificate to APIM and then call .Validate on the request certificate. That will require you to export the certificate from AKV and refresh it in APIM every time it changes.

How to sign a CSR in Azure Key Vault using an issuer certificate

I have uploaded the issuer certificate in Azure Key Vault and now I want to send a CSR generated on my system to Azure, get it signed by the issuer certificate in the KV, and have the signed certificate returned to me. Any idea on how to accomplish it?
I am sorry that you are not able to accomplish it. For Azure Key Vault's usage scenarios, you may refer to What is Azure Key Vault?.
Just as explained in that article, for certificates, Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
You can generate a new certificate from a public CA (DigiCert or GlobalSign).
If you want to use a custom CA, you can only create a CSR, get your certificate from that CA, and finally upload your certificate to Azure Key Vault. Refer to: Create a certificate manually and get signed by a CA.

Create a certificate chain (self-signed) for Azure Web App

How can I create a certificate chain (self-signed) for Azure Web App? I turned on the settings in the code and Incoming client certificates.
But in the logs I see an error:
OfflineRevocation The revocation function was unable to check revocation because the revocation server was offline
Certificate was not authenticated. Failure message: Client certificate failed validation.
You may use the New-SelfSignedCertificate command from PowerShell to create a new self-signed certificate for testing purposes. For example:
PS C:\> New-SelfSignedCertificate -DnsName "www.fabrikam.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"
This creates a self-signed SSL server certificate in the computer MY store with the subject alternative name set to www.fabrikam.com, www.contoso.com and the Subject and Issuer name set to www.fabrikam.com.
Once you have the cert, you may upload it to your App Service. Check this post on MSDN for more details on the working solution. However, do note that you might still see some certificate validation errors if the cert is self-signed. Consider using a free App Service Managed Certificate or the App Service certificate, as they already satisfy the prerequisites of App Service.
Hope this helps.
References:
Add an SSL certificate in Azure App Service
Secure a custom domain

Unable to Create Wildcard Let's Encrypt using ACME DNS01 Challenge provider in Kubernetes

I am trying to create a wildcard Let's Encrypt SSL certificate in Kubernetes. I tried the ACME-DNS DNS01 challenge and it is not creating the SSL certificates.
Error preparing issuer for certificate default/wildcard-test-tk: ACME server does not allow selected challenge type or no provider is configured for domain "domtest.tk"
I have referred to this link and used this acme-dns for creating credentials to verify the domain authority.