Critical Questions: Client Certificate Handling

[ericthomas1]

Hello,

I need more details on what Azure App Service does when it receives a request that includes a Client Certificate. The docs here state:

"App Service does not do anything with this client certificate other than forwarding it to your app."

I'm certain this is not complete information as App Service likely ensures the client requestor is in possession of the private key associated with the certificate in the request.

Does App Service perform any OCSP lookups on the cert to ensure it is valid? What about check the NotValidBefore/After dates on the cert?

Is this all up to the application code to check?

Thank you

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: eb440603-950a-c224-f6c9-222ca502d5a5
• Version Independent ID: 0b5c4944-0327-91fc-2b0b-c19a1b873b64
• Content: Configure TLS mutual authentication - Azure App Service
• Content Source: articles/app-service/app-service-web-configure-tls-mutual-auth.md
• Service: app-service
• GitHub Login: @cephalin
• Microsoft Alias: cephalin

[RyanHill-MSFT]

Thanks for the feedback! We are currently investigating and will update you shortly.

[RyanHill-MSFT]

@ericthomas1, apologies for the delayed response. I'm trying to get clarification, but I do believe there isn't any logic that is done against client certificates. The reasoning behind this is to allow customers to do any sort of validation they choose without being confined to a preset of rules.

[panchagnula]

How is this client cert being used with App Service - is the site getting uploaded as PFX or is this a certificate from AKV imported to webapp? If the cert is uploaded & used with AppService then we do some basic validation for expiration. If the certificate on AKV - then AKV team might do more detailed checks & while being imported to webapp as well we will still similar validation checks. Hope this helps.

[ericthomas1]

@RyanHill-MSFT: Thanks for the response.

• I need to know if Microsoft does any type of validation on the incoming client-cert
• Does it check whether the cert is self-signed?
• Does it check whether the cert is expired (not-valid-before/after dates)?
• Does it check whether the cert is revoked (using the OCSP URL listed on cert)?
• OR is it all up to the application code to perform these actions?

@panchagnula: RE: "How is this client cert being used with App Service...":

• Its being used to authenticate clients to the HTTP-triggered Azure Function (web service)
• I set Client certificate mode to Require
• The App Service plan is hosting the Azure Function

[RyanHill-MSFT]

Hi @ericthomas1, it's up to your application code to perform all validation requirements. App Service doesn't perform any sort of validation.

We will now proceed to close this thread. If there are further questions regarding this matter, please tag me in your reply. We will gladly continue the discussion and we will reopen the issue.

[ericthomas1]

Pointing folks to other potentials here...

• For those that want some level of ClientCert control at the endpoint hosting their API (rather than placing "it all" on the app code)
• https://docs.microsoft.com/en-us/learn/modules/control-authentication-with-apim/4-secure-access-client-certs

After a cursory glance at the APIM service:

Some Pro's:

• Appears you can set a policy to accept only requests from allowed client certs
• This would (potentially, havent' tested yet) stop unknown requests from reaching your application code
• Appears also that policies can be set to perform some client cert validation (no way to do OCSP that I can tell)

Some Con's

• If you require OCSP/CRL lookups, your app code will have to handle this.
  • Then your client cert validation code/logic is split across two worlds (APIM and app code, boo) and two formats
  • Increased complexity to some degree (YAS; yet another service; APIM to setup/config/$/etc)
• The policies are written in XML (general boo :) )