add include to reuse content for client certs article

Author: dlepow

articles/api-management/api-management-howto-mutual-certificates-for-clients.md

@@ -5,12 +5,8 @@ description: Learn how to secure access to APIs by using client certificates. Yo
 services: api-management
 documentationcenter: ''
 author: dlepow
-manager: erikre
-editor: ''
 
 ms.service: api-management
-ms.workload: mobile
-ms.tgt_pltfrm: na
 ms.topic: article
 ms.date: 06/01/2021
 ms.author: danlep
@@ -24,14 +20,36 @@ For information about securing access to the back-end service of an API using cl
 
 For a conceptual overview of API authorization, see [Authentication and authorization in API Management](authentication-authorization-overview.md#gateway-data-plane). 
 
+## Certificate options
+
+If you choose to use API Management to manage client certificates, you have the following options:
+
+* Reference a certificate managed in [Azure Key Vault](../key-vault/general/overview.md) 
+* Add a certificate file directly in API Management
+
+Using key vault certificates is recommended because it helps improve API Management security:
+
+* Certificates stored in key vaults can be reused across services
+* Granular [access policies](../key-vault/general/security-features.md#privileged-access) can be applied to certificates stored in key vaults
+* Certificates updated in the key vault are automatically rotated in API Management. After update in the key vault, a certificate in API Management is updated within 4 hours. You can also manually refresh the certificate using the Azure portal or via the management REST API.
+
+## Prerequisites
+
+* If you have not created an API Management service instance yet, see [Create an API Management service instance][Create an API Management service instance].
+* You need access to the certificate and the password for management in an Azure key vault or upload to the API Management service. The certificate must be in **PFX** format. Self-signed certificates are allowed.
+
+[!INCLUDE [api-management-client-certificate-key-vault](../../includes/api-management-client-certificate-key-vault.md)]
+
+
+## Enable API Management instance to negotiate client certificates
 
 > [!IMPORTANT]
-> To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers you must turn on the "Negotiate client certificate" setting on the "Custom domains" blade as shown below.
+> To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.
 
 ![Negotiate client certificate](./media/api-management-howto-mutual-certificates-for-clients/negotiate-client-certificate.png)
 
 > [!IMPORTANT]
-> To receive and verify client certificates in the Consumption tier you must turn on the "Request client certificate" setting on the "Custom domains" blade as shown below.
+> To receive and verify client certificates in the Consumption tier, you must enable the **Request client certificate** setting on the **Custom domains** blade as shown below.
 
 ![Request client certificate](./media/api-management-howto-mutual-certificates-for-clients/request-client-certificate.png)
 
@@ -41,8 +59,6 @@ Use the [validate-client-certificate](validate-client-certificate-policy.md) pol
 
 Configure the policy to validate one or more attributes including certificate issuer, subject, thumbprint, whether the certificate is validated against online revocation list, and others.
 
-For more information, see [API Management access restriction policies](api-management-access-restriction-policies.md).
-
 ## Certificate validation with context variables
 
 You can also create policy expressions with the [`context` variable](api-management-policy-expressions.md#ContextVariables) to check client certificates. Examples in the following sections show expressions using the `context.Request.Certificate` property and other `context` properties.
@@ -66,7 +82,7 @@ Below policies can be configured to check the issuer and subject of a client cer
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 ### Checking the thumbprint
@@ -84,7 +100,7 @@ Below policies can be configured to check the thumbprint of a client certificate
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 ### Checking a thumbprint against certificates uploaded to API Management
@@ -103,7 +119,7 @@ The following example shows how to check the thumbprint of a client certificate
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 > [!TIP]

articles/api-management/api-management-howto-mutual-certificates.md

@@ -40,65 +40,7 @@ Using key vault certificates is recommended because it helps improve API Managem
 * You should have your backend service configured for client certificate authentication. To configure certificate authentication in the Azure App Service, refer to [this article][to configure certificate authentication in Azure WebSites refer to this article]. 
 * You need access to the certificate and the password for management in an Azure key vault or upload to the API Management service. The certificate must be in **PFX** format. Self-signed certificates are allowed.
 
-### Prerequisites for key vault integration
-
-1. If you don't already have a key vault, create one. For steps to create a key vault, see [Quickstart: Create a key vault using the Azure portal](../key-vault/general/quick-create-portal.md).
-
-    To create or import a certificate to the key vault, see [Quickstart: Set and retrieve a certificate from Azure Key Vault using the Azure portal](../key-vault/certificates/quick-create-portal.md).
-
-* Enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md) in the API Management instance.
-
-[!INCLUDE [api-management-key-vault-access](../../includes/api-management-key-vault-access.md)]
-
-[!INCLUDE [api-management-key-vault-network](../../includes/api-management-key-vault-network.md)]
-
-## Add a key vault certificate
-
-See [Prerequisites for key vault integration](#prerequisites-for-key-vault-integration).
-
-> [!IMPORTANT]
-> When adding a key vault certificate to your API Management instance, you must have permissions to list secrets from the key vault.
-
-> [!CAUTION]
-> When using a key vault certificate in API Management, be careful not to delete the certificate, key vault, or managed identity used to access the key vault.
-
-To add a key vault certificate to API Management:
-
-1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
-1. Under **Security**, select **Certificates**.
-1. Select **Certificates** > **+ Add**.
-1. In **Id**, enter a name of your choice.
-1. In **Certificate**, select **Key vault**.
-1. Enter the identifier of a key vault certificate, or choose **Select** to select a certificate from a key vault.
-    > [!IMPORTANT]
-    > If you enter a key vault certificate identifier yourself, ensure that it doesn't have version information. Otherwise, the certificate won't rotate automatically in API Management after an update in the key vault.
-1. In **Client identity**, select a system-assigned or an existing user-assigned managed identity. Learn how to [add or modify managed identities in your API Management service](api-management-howto-use-managed-service-identity.md).
-    > [!NOTE]
-    > The identity needs permissions to get and list certificate from the key vault. If you haven't already configured access to the key vault, API Management prompts you so it can automatically configure the identity with the necessary permissions.
-1. Select **Add**.
-
-
-
-    :::image type="content" source="media/api-management-howto-mutual-certificates/apim-client-cert-kv.png" alt-text="Add key vault certificate":::
-    
-1. Select **Save**.
-
-## Upload a certificate
-
-To upload a client certificate to API Management: 
-
-1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
-1. Under **Security**, select **Certificates**.
-1. Select **Certificates** > **+ Add**.
-1. In **Id**, enter a name of your choice.
-1. In **Certificate**, select **Custom**.
-1. Browse to select the certificate .pfx file, and enter its password.
-1. Select **Add**.
-
-    :::image type="content" source="media/api-management-howto-mutual-certificates/apim-client-cert-add.png" alt-text="Upload client certificate":::
-
-
-1. Select **Save**.
+[!INCLUDE [api-management-client-certificate-key-vault](../../includes/api-management-client-certificate-key-vault.md)]
 
 After the certificate is uploaded, it shows in the **Certificates** window. If you have many certificates, make a note of the thumbprint of the desired certificate in order to configure an API to use a client certificate for [gateway authentication](#configure-an-api-to-use-client-certificate-for-gateway-authentication).
 

includes/api-management-client-certificate-key-vault.md

@@ -0,0 +1,67 @@
+---
+author: dlepow
+ms.service: api-management
+ms.topic: include
+ms.date: 01/11/2023
+ms.author: danlep
+---
+
+### Prerequisites for key vault integration
+
+1. If you don't already have a key vault, create one. For steps to create a key vault, see [Quickstart: Create a key vault using the Azure portal](../articles/key-vault/general/quick-create-portal.md).
+
+    To create or import a certificate to the key vault, see [Quickstart: Set and retrieve a certificate from Azure Key Vault using the Azure portal](../articles/key-vault/certificates/quick-create-portal.md).
+
+* Enable a system-assigned or user-assigned [managed identity](../articles/api-management-howto-use-managed-service-identity.md) in the API Management instance.
+
+[!INCLUDE [api-management-key-vault-access](./api-management-key-vault-access.md)]
+
+[!INCLUDE [api-management-key-vault-network](./api-management-key-vault-network.md)]
+
+## Add a key vault certificate
+
+See [Prerequisites for key vault integration](#prerequisites-for-key-vault-integration).
+
+> [!IMPORTANT]
+> When adding a key vault certificate to your API Management instance, you must have permissions to list secrets from the key vault.
+
+> [!CAUTION]
+> When using a key vault certificate in API Management, be careful not to delete the certificate, key vault, or managed identity used to access the key vault.
+
+To add a key vault certificate to API Management:
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. Under **Security**, select **Certificates**.
+1. Select **Certificates** > **+ Add**.
+1. In **Id**, enter a name of your choice.
+1. In **Certificate**, select **Key vault**.
+1. Enter the identifier of a key vault certificate, or choose **Select** to select a certificate from a key vault.
+    > [!IMPORTANT]
+    > If you enter a key vault certificate identifier yourself, ensure that it doesn't have version information. Otherwise, the certificate won't rotate automatically in API Management after an update in the key vault.
+1. In **Client identity**, select a system-assigned or an existing user-assigned managed identity. Learn how to [add or modify managed identities in your API Management service](../articles/api-management/api-management-howto-use-managed-service-identity.md).
+    > [!NOTE]
+    > The identity needs permissions to get and list certificate from the key vault. If you haven't already configured access to the key vault, API Management prompts you so it can automatically configure the identity with the necessary permissions.
+1. Select **Add**.
+
+
+
+    :::image type="content" source="../articles/api-management/media/api-management-howto-mutual-certificates/apim-client-cert-kv.png" alt-text="Add key vault certificate":::
+    
+1. Select **Save**.
+
+## Upload a certificate
+
+To upload a client certificate to API Management: 
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.
+1. Under **Security**, select **Certificates**.
+1. Select **Certificates** > **+ Add**.
+1. In **Id**, enter a name of your choice.
+1. In **Certificate**, select **Custom**.
+1. Browse to select the certificate .pfx file, and enter its password.
+1. Select **Add**.
+
+    :::image type="content" source="../articles/api-management/media/api-management-howto-mutual-certificates/apim-client-cert-add.png" alt-text="Upload client certificate":::
+
+
+1. Select **Save**.