Use Azure Key Vault-managed client certificates in Azure API Management
A while ago we enabled the use of Azure Key Vault-managed SSL certificates for custom domain names in API Management. We are working to expand this feature to certificates used for mutual certificate authentication between the gateway and a backend.
Peter Speden commented
In case anyone is interested, MS Support recently pointed me at https://docs.microsoft.com/en-us/rest/api/apimanagement/2020-06-01-preview/certificate/createorupdate#apimanagementcreatecertificatewithkeyvault to allow APIM to secure backend calls with a KeyVault certificate.
The theory suggested by MS Support is that the solution that works as presented by Eugen and Galin does a lot of string-based processing, which may introduce occasional delays in processing the policy: either the retrieval via the Key Vault, or the required string processing.
Paco de la Cruz commented
This is already supported as described here.
Please update the status
Eugen Daroczy commented
This works now. I was able to use this example to extract a certificate from a Key Vault in order to use it for authentication with the backend:
Rune Synnevåg commented
Any updates Microsoft?
Galin Iliev commented
Please take a look at this sample on how to pull a certificate from Key Vault and use it in policy. Note that a managed identity is a prerequisite for it (both user-assigned and system-assigned are supported).
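The linked sample is not reproduced on this page, so the following is an added illustration (not Microsoft's or a commenter's code) of the pattern the two comments above describe: the gateway uses its managed identity to obtain a Key Vault token, fetches the certificate's PFX from the secret endpoint, and hands the bytes to the authentication-certificate policy. The vault name, secret name and variable names are placeholders, and the certificate is assumed to be stored in Key Vault as an exportable PKCS#12 certificate without a password.

```xml
<policies>
    <inbound>
        <base />
        <!-- 1. Token for Key Vault from the APIM managed identity (system- or user-assigned).
             No secret is stored in the policy; the identity must have "get" on the vault's secrets. -->
        <authentication-managed-identity resource="https://vault.azure.net"
                                         output-token-variable-name="kvToken"
                                         ignore-error="false" />

        <!-- 2. Read the certificate's secret. PLACEHOLDER vault and secret names. -->
        <send-request mode="new" response-variable-name="kvResponse" timeout="20" ignore-error="false">
            <set-url>https://PLACEHOLDER-VAULT.vault.azure.net/secrets/PLACEHOLDER-BACKEND-CERT?api-version=7.1</set-url>
            <set-method>GET</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@("Bearer " + (string)context.Variables["kvToken"])</value>
            </set-header>
        </send-request>

        <!-- 3. Fail closed: do not call the backend without the client certificate. -->
        <choose>
            <when condition="@(((IResponse)context.Variables["kvResponse"]).StatusCode != 200)">
                <return-response>
                    <set-status code="503" reason="Client certificate unavailable" />
                </return-response>
            </when>
        </choose>

        <!-- 4. The secret "value" is the base64-encoded PFX; decode it to bytes.
             This is the string processing the comments mention, done once per request. -->
        <set-variable name="pfxBytes" value="@{
            var body = ((IResponse)context.Variables["kvResponse"]).Body.As<JObject>();
            return Convert.FromBase64String((string)body["value"]);
        }" />

        <!-- 5. Present the certificate to the backend for mutual TLS. Add password="..."
             only if the PFX was stored with one. -->
        <authentication-certificate body="@((byte[])context.Variables["pfxBytes"])" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
</policies>
```

Because this runs the Key Vault call on every request, the REST-level option Peter mentions (a certificate resource with a keyVault reference) is the lighter path once it is available for your API version.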
Aswini Parida commented
I understand there is no support for pulling certificates from Key Vault and loading them into Client Certificates.
It would be better if we could have the functionality to pull certificates from a secured Key Vault and upload them to the client certificates.
This way we could also manage the client certificates on Azure rather than keeping the certificates somewhere else and uploading them every time when restoring or creating Azure API Management.
I have a client cert uploaded to certs in the key vault. I have an ARM template to create an APIM, but it will not deploy because I'm trying to create it with the client cert from the key vault. Is this going to be possible? If so, can someone post an example of the APIM ARM template?
Is this feature available now?
fast is understating here. backups quicker than larger