articles/api-management/configure-custom-domain.md
Lines changed: 14 additions & 14 deletions
@@ -8,7 +8,7 @@ author: dlepow
8
8
9
9
ms.service: api-management
10
10
ms.topic: how-to
11
-
ms.date: 12/08/2021
11
+
ms.date: 12/09/2021
12
12
ms.author: danlep
13
13
---
14
14
@@ -33,7 +33,7 @@ When you create an Azure API Management service instance in the Azure cloud, Azu
33
33
34
34
- DNS records hosted on a DNS server to map the custom domain name to the default domain name of your API Management instance. This topic does not provide instructions on how to host the DNS records.
35
35
36
-
For more information about required records, see [DNS configuration](#dns-configuration), later in this article.
36
+
For more information about required records, see [DNS configuration](#dns-configuration), later in this article.
37
37
38
38
## Endpoints for custom domains
39
39
@@ -55,7 +55,7 @@ There are several API Management service endpoints to which you can assign a cus
55
55
56
56
## Domain certificate options
57
57
58
-
The following table lists the options you have for adding domain certificates in API Management:
58
+
The following table lists the options to add domain certificates in API Management:
59
59
60
60
|Option|Description|
61
61
|-|-|
@@ -76,18 +76,20 @@ If you choose to upload or import a private certificate to API Management, your
76
76
77
77
### Key vault certificate
78
78
79
-
When using [Azure Key Vault for managing certificates](../key-vault/certificates/about-certificates.md), set them to `autorenew`.
79
+
We recommend using [Azure Key Vault for managing certificates](../key-vault/certificates/about-certificates.md) and setting them to `autorenew`.
80
80
81
81
If you use Azure Key Vault to manage a custom domain TLS/SSL certificate, make sure the certificate is inserted into Key Vault [as a _certificate_](/rest/api/keyvault/createcertificate/createcertificate), not a _secret_.
82
82
83
83
To fetch a TLS/SSL certificate, API Management must have the list and get secrets permissions on the Azure Key Vault containing the certificate.
84
84
* When using the Azure portal to import the certificate, all the necessary configuration steps are completed automatically.
85
-
* When using commandline tools or management API, these permissions must be granted manually, in two steps:
85
+
* When using command-line tools or management API, these permissions must be granted manually, in two steps:
86
86
1. On the **Managed identities** page of your API Management instance, enable a system-assigned or user-assigned [managed identity](api-management-howto-use-managed-service-identity.md). Note the principal Id on that page.
87
87
1. Give the list and get secrets permissions to this principal Id on the Azure Key Vault containing the certificate.
88
88
89
89
If the certificate is set to `autorenew` and your API Management tier has an SLA (i.e., in all tiers except the Developer tier), API Management will pick up the latest version automatically, without downtime to the service.
90
90
91
+
For more information, see [Use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
92
+
91
93
### Managed TLS certificate
92
94
93
95
API Management offers a free, managed TLS certificate for your domain, if you don't wish to purchase and manage your own certificate. The certificate is autorenewed automatically.
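Review bot: The added "For more information, see [Use managed identities in Azure API Management]" sentence is placed after the `autorenew`/SLA paragraph, but it belongs with the two manual permission steps above it, and step 1 of that list already links the same article. Move it directly under the numbered steps or drop it in favour of the existing link. Because the opening sentence is now a recommendation ("We recommend using ..."), consider also saying next to the steps that list and get on secrets are the only permissions the principal needs, so readers on the command-line path do not grant a broader access policy than the text requires.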
@@ -120,18 +122,18 @@ Choose the steps according to the type of domain certificate you want to use.
120
122
1. Select **Add**, or select **Update** for an existing endpoint.
121
123
1. Select **Save**.
122
124
123
-
# [Key vault](#tab/key-vault)
125
+
# [Key Vault](#tab/key-vault)
124
126
125
127
1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
126
128
1. In the left navigation, select **Custom domains**.
127
129
1. Select **+Add**, or select an existing [endpoint](#endpoints-for-custom-domains) that you want to update.
128
130
1. In the window on the right, select the **Type** of endpoint for the custom domain.
129
131
1. In the **Hostname** field, specify the name you want to use. For example, `api.contoso.com`.
130
-
1. Under **Certificate**, select **Key Vault**>**Select**.
132
+
1. Under **Certificate**, select **Key Vault**and then**Select**.
131
133
1. Select the **Subscription** from the dropdown list.
132
134
1. Select the **Key vault** from the dropdown list.
133
-
1. Once the certificates have loaded, select the **Certificate** from the dropdown list.
134
-
1.Click**Select**.
135
+
1. Once the certificates have loaded, select the **Certificate** from the dropdown list. Click **Select**.
136
+
1.In**Client identity**, select a system-assigned identity or auser-assigned [managed identity](api-management-howto-use-managed-service-identity.md) enabled in the instance to access the key vault.
135
137
1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), including **Negotiate client certificate** or **Default SSL binding**.
136
138
:::image type="content" source="media/configure-custom-domain/gateway-domain-key-vault-certificate.png" alt-text="Configure gateway domain with Key Vault certificate":::
137
139
1. Select **Add**, or select **Update** for an existing endpoint.
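Review bot: The new **Client identity** step asks the reader to pick a managed identity "enabled in the instance to access the key vault" without saying what that identity must already be allowed to do. The Key vault certificate section states that API Management needs the list and get secrets permissions on the vault, and also that the portal completes all configuration automatically; the step should say which applies here, or link back to that section, so a user-assigned identity chosen at this point is not left without access (or given more than it needs). As rendered, the added lines also read `**Key Vault**and then**Select**`, `1.In**Client identity**` and `auser-assigned`; check the spacing in the source. Merging "Click **Select**" into the preceding step puts two actions in one list item, and it would read more consistently as "select **Select**" to match the other steps.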
@@ -144,12 +146,10 @@ Choose the steps according to the type of domain certificate you want to use.
144
146
1. Select **+Add**, or select an existing [endpoint](#endpoints-for-custom-domains) that you want to update.
145
147
1. In the window on the right, select the **Type** of endpoint for the custom domain.
146
148
1. In the **Hostname** field, specify the name you want to use. For example, `api.contoso.com`.
147
-
1. Under **Certificate**, select **Managed** if you want to use a free certificate managed by API Management. THe managed certificate is available in preview for the Gateway endpoint only.
148
-
149
-
The **DNS TXT record value** you must [configure in DNS](#dns-configuration) is displayed. Copy this value.
149
+
1. Under **Certificate**, select **Managed** to enable a free certificate managed by API Management. Te managed certificate is available in preview for the Gateway endpoint only.
150
+
1. Copy the **DNS TXT record value**, and use it to [configure DNS](#dns-configuration).
150
151
1. When configuring a Gateway endpoint, select or deselect [other options as necessary](#clients-calling-with-server-name-indication-sni-header), including **Negotiate client certificate** or **Default SSL binding**.
151
-
:::image type="content" source="media/configure-custom-domain/gateway-domain-free-certifcate.png" alt-text="Configure gateway domain with free certificate":::
152
-
152
+
:::image type="content" source="media/configure-custom-domain/gateway-domain-free-certifcate.png" alt-text="Configure gateway domain with free certificate":::
153
153
1. Select **Add**, or select **Update** for an existing endpoint.
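Review bot: The replacement for the `THe` typo in the **Managed** certificate step still reads wrong: the added line says "Te managed certificate is available in preview", which should be "The managed certificate". The image path `gateway-domain-free-certifcate.png` is misspelled ("certifcate") on both the removed and added lines; if the file is renamed later, this reference needs to change with it. The new "Copy the **DNS TXT record value**" step is clearer as its own list item, but it no longer says that the value is displayed only after **Managed** is selected, which the removed sentence made explicit.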