Merge pull request #297414 from Akhilesh-microsoft/ACA/client_certificate_authorization_gh286840

[GH_286840]: Updated the article to address the issue, extended the documentation to "format the certificate gets forwarded to the app running in ACA container".

Author: denrea

articles/container-apps/client-certificate-authorization.md

@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: azure-container-apps
 ms.topic: how-to
-ms.date: 06/13/2024
+ms.date: 06/30/2025
 ms.author: cshoe
 ---
 
@@ -17,7 +17,7 @@ When client certificates are used, the TLS certificates are exchanged between th
 
 For example, you might want to require a client certificate for a container app that manages sensitive data.
 
-Container Apps accepts client certificates in the PKCS12 format are that issued by a trusted certificate authority (CA), or are self-signed.
+Container Apps accepts client certificates in the PKCS12 format when a trusted certificate authority (CA) issues them or when they're self-signed.
 
 ## Configure client certificate authorization
 
@@ -34,7 +34,7 @@ Ingress passes the client certificate to the container app if `require` or `acce
 The following ARM template example configures ingress to require a client certificate for all requests to the container app.
 
 ```json
-{ 
+{
   "properties": {
     "configuration": {
       "ingress": {
@@ -44,6 +44,63 @@ The following ARM template example configures ingress to require a client certif
   }
 }
 ```
+> [!NOTE]
+> You can set the `clientCertificateMode` directly on the ingress property. It isn't available as an explicit option in the CLI, but you can patch your app using the Azure CLI.
+
+Before you run the following commands, make sure to replace the placeholders surrounded by `<>` with your own values.
+
+Get the Azure Resource Manager (ARM) ID of your container app:
+
+```bash
+APP_ID=$(az containerapp show \
+  --name <APP_NAME> \
+  --resource-group <RESOURCE_GROUP> \
+  --query id \
+  --output tsv)
+```
+
+Patch the `clientCertificateMode` property on the app:
+
+```azurecli
+az rest \
+  --method patch \
+  --url "https://management.azure.com/$APP_ID?api-version=<API_VERSION>" \
+  --body '{
+    "properties": {
+      "configuration": {
+        "ingress": {
+          "clientCertificateMode": "require"
+        }
+      }
+    }
+  }'
+```
+
+> [!NOTE]
+> Be sure to use a valid and stable API version that supports this feature. For example, replace <API_VERSION> in the command with 2025-01-01 or another supported version.
+
+## Client certificate mode and header format
+
+The value for `clientCertificateMode` varies what you need to provide for Container Apps to manage your certificate:
+- When `require` is set, the client must provide a certificate.
+- When `accept` is set, the certificate is optional. If the client provides a certificate, it passes to the app in the `X-Forwarded-Client-Cert` header, as a semicolon-separated list. 
+
+### Example `X-Forwarded-Client-Cert` header value
+
+The following example is a sample value of the `X-Forwarded-Client-Cert` header that your app might receive:
+
+```text
+Hash=<HASH_VALUE>;Cert="-----BEGIN CERTIFICATE-----<CERTIFICATE_VALUE>";Chain="-----BEGIN CERTIFICATE-----<CERTIFICATE_VALUE>";
+```
+
+### Header field breakdown
+
+| Field   | Description                                                                | How to Use It                                                  |
+|---|---|---|
+| `Hash`  | The SHA-256 thumbprint of the client certificate.                         | Use the thumbprint to identify or validate the client certificate.              |
+| `Cert`  | The base64-encoded client certificate in PEM format (single certificate). | Parse the certificate to inspect metadata such as subject and issuer. |
+| `Chain` | One or more PEM-encoded intermediate certificates.                        | Provide the intermediate certificates when building a full trust chain for validation. |
+
 
 ## Next Steps