Is it possible to have a custom B2C policy call a REST API that uses a self-signed cert?
Currently, using the Web.TPEngine.Providers.RestfulProvider to call an HTTPS REST API that uses a self-signed cert, I get the following errors in the Application Insights logs:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.
Is there a metadata item I can use to have it ignore TLS verification?
If not, how do I add my cert to a B2C trust store?
Related
I am working on setting up an API Management service on Azure. My question is related to setting up the SSL certificate that was generated using Azure Key Vault.
My certificate was created with the CNAME as *.contoso.com. My custom domain in the API Management service is api.contoso.com. Now, when I'm setting up my custom domain, there is a field to select the certificate from Key Vault which I have already done. Now when I import the API using OpenAPI spec and go to Settings; there is also an option to select a Client cert under the Gateway credentials heading (see screenshot attached).
My question is, what is the difference between these two? If I have already provided a certificate when setting up the custom domain, do I need to add the certificate to the API as well?
Just a piece of extra information. My plan is to import two APIs and set them up at https://api.contoso.com/app1 and https://api.contoso.com/app2
The backend gateway credentials are for authenticating the API Management instance ("gateway") to the backend service, that doesn't know it's being called by a gateway. It's there on the assumption that you can't always pass through a valid set of credentials from the client since one of API Management's roles is to work as an adapter for services not necessarily designed to be called by clients on the internet.
You've already worked out what the custom domain certificate is for; this is so that the API Management instance can negotiate TLS on the frontend with a certificate whose subject matches the hostname the caller connected with.
I am trying to validate a client certificate in Azure API management using context.Request.Certificate.Verify() method.
I have tried the following steps:
I have created a self-signed root CA certificate and then created a client certificate and key file.
Now from postman, I am trying to call a method attaching the client certificate. I have verified that the certificate is sent to APIM via trace.
Have uploaded the root CA certificate in APIM -> CA certificates. While uploading I converted it to a ".cer" file, as it is not accepting a ".crt" file, and set the Store as "Trusted root".
In APIM policy, have used the method to validate the client certificate via context.Request.Certificate.Verify().
Now, when I try to call the APIM API with the client certificate, the above method (step 4) always comes back as False, as verified from the APIM trace. Not sure what I am doing wrong or where. Any help/guidance or article would be really helpful.
I faced similar issues. Investigation summary / cause below:
Later the customer encountered the issue again when they sent a PFX certificate as a client certificate to APIM from Postman.
The self-signed certificate's CRL distribution list (URLs in the certificate revocation lists) and access information cannot be publicly reached (APIM is publicly hosted, not internal), hence certificate.verify fails.
Two options to fix the issue:
Purchase a certificate from a Public trusted CA
Use context.Request.Certificate.VerifyNoRevocation instead of context.Request.Certificate.Verify so that APIM will not check the revocation list during certificate.verify.
Note:
If certificate.verify is mandated by your security team, then you would have to purchase a certificate from a trusted CA.
So you need to use VerifyNoRevocation, since APIM cannot retrieve revocation list information, and VerifyNoRevocation will still verify the certificate path as well.
For client certificate validation in Azure API Management, generally the following steps are required:
Generate a root CA and intermediate CA along with the client certificates.
Upload the intermediate certificate, which validates the client certificates sent by the user.
You can utilize this guide to set up the CA.
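Putting the two answers above together (the VerifyNoRevocation advice and the CA upload steps), here is an APIM inbound policy as an added example; it is not code from any of the posts. The issuer name CN=Contoso Intermediate CA is an assumed placeholder for the intermediate CA you uploaded to APIM.

```xml
<policies>
  <inbound>
    <base />
    <choose>
      <!-- No client certificate presented at all (mTLS not negotiated). -->
      <when condition="@(context.Request.Certificate == null)">
        <return-response>
          <set-status code="403" reason="Client certificate required" />
        </return-response>
      </when>
      <!-- Chain check against the CA certificates uploaded under APIM -> CA certificates.
           VerifyNoRevocation() skips the CRL/OCSP fetch, which a self-signed CA
           with unreachable distribution points cannot satisfy; Verify() would always fail. -->
      <when condition="@(!context.Request.Certificate.VerifyNoRevocation())">
        <return-response>
          <set-status code="403" reason="Client certificate chain not trusted" />
        </return-response>
      </when>
      <!-- Pin the issuer so that another CA trusted by the store does not let
           unrelated client certificates through. Placeholder name, assumed. -->
      <when condition='@(context.Request.Certificate.Issuer != "CN=Contoso Intermediate CA")'>
        <return-response>
          <set-status code="403" reason="Client certificate issued by an unexpected CA" />
        </return-response>
      </when>
    </choose>
    <!-- Surface the verified subject to the backend for auditing and authorization. -->
    <set-header name="X-Client-Cert-Subject" exists-action="override">
      <value>@(context.Request.Certificate.SubjectName.Name)</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

APIM only receives a client certificate when the hostname configuration has "Negotiate client certificate" enabled; without it context.Request.Certificate is null and the first branch fires.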
I am getting an error (Could not establish secure channel for SSL/TLS with authority 'www.docusign.net'.) when we call the login web method of this web service (i.e. https://www.docusign.net/api/3.0/credential.asmx).
There are a few things this could be. I'd recommend checking the following first:
TLS 1.0 is not supported - you'll need to confirm your application is using TLS 1.1 or 1.2
Your application may not trust the DocuSign certificate chain. From the DocuSign Trust Site's Certificate list, the DigiCert root CA (969 bytes): Root CA for Demo/NA1/NA2/NA3/EU SSL certificates must be accepted.
Networking issues: Your firewall may be altering or blocking the connection to DocuSign. Can you make a successful SOAP Ping?
I was facing the same problem.
You just need to paste this code at the top of the code that was throwing this exception.
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // 3072 == SecurityProtocolType.Tls12
And don't forget to add the namespace:
using System.Net;
I have a Logic App that calls a REST API via HTTPS.
The REST API is protected by a custom SSL certificate provided by a custom authority.
When I call it from the Logic App, I get a TrustFailure error, which is a normal situation.
But is it possible to add somewhere in Azure the trust chain in order to bypass this error?
It was confirmed by Microsoft that it is not possible to add my own authority certificates in the list of trusted authorities.
I have a cloud service and an Azure APIM instance with a self-signed client cert set up on them (the cert has intended purposes of server auth and client auth).
Each API within the APIM has the client cert setup on its security. However, when I perform the call the following comes back in the trace.
"messages":["Error occured while calling backend service.","The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.","The remote certificate is invalid according to the validation procedure."
Is there anything I am missing here? I have searched online and cannot see anything obvious.
Yes, you are correct: the option is not available in the portal to allow self-signed certificates. Here is a blog post by Sasha Rosenbaum: http://divineops.net/enable-self-signed-certificates-in-azure-api-management-services/
Here you are basically skipping the certificate verification using the "skipCertificateChainValidation" attribute.
You can create a backend entity through PowerShell scripts to skipcertifioc