articles/application-gateway/mutual-authentication-overview.md (13 additions & 15 deletions)
@@ -4,7 +4,7 @@ description: This article is an overview of mutual authentication on Application
4
4
services: application-gateway
5
5
author: greg-lindsay
6
6
ms.service: application-gateway
7
-
ms.date: 03/30/2021
7
+
ms.date: 11/03/2022
8
8
ms.topic: conceptual
9
9
ms.author: greglin
10
10
@@ -24,33 +24,31 @@ To configure mutual authentication, a trusted client CA certificate is required
24
24
25
25
For example, if your client certificate contains a root CA certificate, multiple intermediate CA certificates, and a leaf certificate, make sure that the root CA certificate and all the intermediate CA certificates are uploaded onto Application Gateway in one file. For more information on how to extract a trusted client CA certificate, see [how to extract trusted client CA certificates](./mutual-authentication-certificate-management.md).
26
26
27
-
If you're uploading a certificate chain with root CA and intermediate CA certificates, the certificate chain must be uploaded as a PEM or CER file to the gateway.
27
+
If you're uploading a certificate chain with root CA and intermediate CA certificates, the certificate chain must be uploaded as a PEM or CER file to the gateway.
28
+
29
+
> [!IMPORTANT]
30
+
> Make sure you upload the entire trusted client CA certificate chain to the Application Gateway when using mutual authentication.
31
+
32
+
Each SSL profile can support up to five trusted client CA certificate chains.
28
33
29
34
> [!NOTE]
30
35
> Mutual authentication is only available on Standard_v2 and WAF_v2 SKUs.
31
36
32
37
### Certificates supported for mutual authentication
33
38
34
-
Application Gateway supports the following types of certificates:
35
-
36
-
- CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA).
37
-
- Self-signed CA certificates: Client browsers do not trust these certificates and will warn the user that the virtual service's certificate is not part of a trust chain. Self-signed CA certificates are good for testing or in environments where administrators control the clients and can safely bypass the browser's security alerts.
39
+
Application Gateway supports certificates issued from both public and privately established certificate authorities.
38
40
39
-
> [!IMPORTANT]
40
-
> Production workloads should never use self-signed CA certificates.
41
+
- CA certificates issued from well-known certificate authorities: Intermediate and root certificates are commonly found in trusted certificate stores and enable trusted connections with little to no additional configuration on the device.
42
+
- CA certificates issued from organization established certificate authorities: These certificates are typically issued privately via your organization and not trusted by other entities. Intermediate and root certificates must be imported in to trusted certificate stores for clients to establish chain trust.
41
43
42
-
For more information on how to set up mutual authentication, see [configure mutual authentication with Application Gateway](./mutual-authentication-portal.md).
43
-
44
-
> [!IMPORTANT]
45
-
> Make sure you upload the entire trusted client CA certificate chain to the Application Gateway when using mutual authentication.
46
-
47
-
Each SSL profile can support up to five trusted client CA certificate chains.
44
+
> [!NOTE]
45
+
> When issuing client certificates from well established certificate authorities, consider working with the certificate authority to see if an intermediate certificate can be issued for your organization to prevent inadvertent cross-organizational client certificate authentication.
48
46
49
47
## Additional client authentication validation
50
48
51
49
### Verify client certificate DN
52
50
53
-
You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This options is off by default but you can enable this through Portal, PowerShell, or Azure CLI.
51
+
You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This option is off by default but you can enable this through Portal, PowerShell, or Azure CLI.
54
52
55
53
If you choose to enable the Application Gateway to verify the client certificate's immediate issuer, here's how to determine what client certificate issuer DN will be extracted from the certificates uploaded.
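Review bot: removing the self-signed bullet together with the `> Production workloads should never use self-signed CA certificates.` callout drops the only explicit guidance against self-signed client CA certificates in production; the new "organization established certificate authorities" bullet covers private CAs but says nothing about self-signed roots, so consider keeping that IMPORTANT callout or folding the warning into the private-CA bullet. Two wording points in the added lines: "must be imported in to trusted certificate stores" should read "imported into", and "organization established" / "well established" read better hyphenated as compound modifiers ("organization-established", "well-established"). Moving the chain-upload callout and the "Each SSL profile can support up to five trusted client CA certificate chains." line directly under the PEM/CER paragraph is an improvement, and the "This options is off by default" to "This option is off by default" fix is correct. The new NOTE about asking the CA for an organization-specific intermediate certificate relates directly to the "Verify client certificate DN" option described below; a cross-reference from the note to that section would help readers connect the two.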