File: articles/application-gateway/mutual-authentication-overview.md
Lines changed: 9 additions & 6 deletions
@@ -11,14 +11,14 @@ ms.author: caya
---
# Overview of mutual authentication with Application Gateway
-
Mutual authentication, or client authentication, allows for the Application Gateway to authenticate the client sending requests. Usually only the client is authenticating the Application Gateway; mutual authentication allows for both the client and the Application Gateway to authenticate each other.
+
Mutual authentication, or client authentication, allows for the Application Gateway to authenticate the client sending requests. Usually, only the client is authenticating the Application Gateway; mutual authentication allows for both the client and the Application Gateway to authenticate each other.
> [!NOTE]
> We recommend using TLS 1.2 with mutual authentication as TLS 1.2 will be mandated in the future.
## Mutual authentication
-
Application Gateway supports certificatebased mutual authentication where you can upload a trusted client CA certificate(s) to the Application Gateway and the gateway will use that certificate to authenticate the client sending a request to the gateway. With the rise in IoT use cases and increased security requirements across industries, mutual authentication provides a way for you to manage and control which clients can talk to your Application Gateway.
+
Application Gateway supports certificate-based mutual authentication where you can upload a trusted client CA certificate(s) to the Application Gateway, and the gateway will use that certificate to authenticate the client sending a request to the gateway. With the rise in IoT use cases and increased security requirements across industries, mutual authentication provides a way for you to manage and control which clients can talk to your Application Gateway.
To configure mutual authentication, a trusted client CA certificate is required to be uploaded as part of the client authentication portion of an SSL profile. The SSL profile will then need to be associated to a listener in order to complete configuration of mutual authentication. There must always be a root CA certificate in the client certificate that you upload. You can upload a certificate chain as well, but the chain must include a root CA certificate in addition to as many intermediate CA certificates as you'd like.
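Review bot: In the reworded paragraph under "## Mutual authentication", "a trusted client CA certificate(s)" still reads awkwardly and conflicts with the following "that certificate"; suggest "one or more trusted client CA certificates ... and the gateway uses those certificates to validate the certificate presented by the client", which also states more precisely what the gateway checks (the client's certificate chain against the uploaded CA) rather than implying the CA certificate itself authenticates the client. Also, "Usually, only the client is authenticating the Application Gateway" would read more naturally as "Usually, only the client authenticates the Application Gateway".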
@@ -33,23 +33,26 @@ If you're uploading a certificate chain with root CA and intermediate CA certifi
Application Gateway supports the following types of certificates:
-
- CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA)
-
- Self-signed CA certificates: Client browsers do not trust these certificates and will warn the user that the virtual service’s certificate is not part of a trust chain. Self-signed CA certificates are good for testing or environments where administrators control the clients and can safely bypass the browser’s security alerts. Production workloads should never use self-signed CA certificates.
+
- CA (Certificate Authority) certificate: A CA certificate is a digital certificate issued by a certificate authority (CA).
+
- Self-signed CA certificates: Client browsers do not trust these certificates and will warn the user that the virtual service's certificate is not part of a trust chain. Self-signed CA certificates are good for testing or in environments where administrators control the clients and can safely bypass the browser's security alerts.
+
+
> [!IMPORTANT]
+
> Production workloads should never use self-signed CA certificates.
For more information on how to set up mutual authentication, see [configure mutual authentication with Application Gateway](./mutual-authentication-portal.md).
> [!IMPORTANT]
> Make sure you upload the entire trusted client CA certificate chain to the Application Gateway when using mutual authentication.
-
Each SSL profile can support up to 5 trusted client CA certificate chains.
+
Each SSL profile can support up to five trusted client CA certificate chains.
## Additional client authentication validation
### Verify client certificate DN
You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This options is off by default but you can enable this through Portal, PowerShell, or Azure CLI.
-
If you choose to enable the Application Gateway to verify the client certificate's immediate issuer, here's how to determine what the client certificate issuer DN will be extracted from the certificates uploaded.
+
If you choose to enable the Application Gateway to verify the client certificate's immediate issuer, here's how to determine what client certificate issuer DN will be extracted from the certificates uploaded.
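Review bot: The edited "Self-signed CA certificates" bullet still says client browsers will warn that "the virtual service's certificate is not part of a trust chain", which describes server-certificate behaviour, while this section is about the trusted client CA certificate that Application Gateway uses to validate clients; since the bullet is being touched anyway, consider rewording the caveat so it matches the client-authentication context. Moving "Production workloads should never use self-signed CA certificates" into its own [!IMPORTANT] callout is an improvement, but it now sits two lines above another [!IMPORTANT] callout; merging them into a single note would read more cleanly. Finally, the unchanged context line "This options is off by default" has a typo ("This option is") that could be fixed in the same change.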