
Is it possible to use the Azure KeyVault API (Azure Python SDK in this case) as a way to validate a client certificate from an HTTP request?

After reading the various Azure KeyVault Certificate docs, it's unclear to me whether this is possible.

Example:

  • Client1 provides Org1 with a Client Certificate via sneakernet
  • Org1 uploads Client Cert to KeyVault
  • Org1 also uploads their Server1 Server Cert to KeyVault
  • Later, Client1 makes an HTTPS request to Org1 Server1
    • Including the Client Cert in a header
  • Some backend code on Server1 (using the Azure Python SDK) validates Client1's certificate using KeyVault API
  • Backend code also retrieves Server1's Server Cert using KeyVault API
  • Backend code commences (using Python OpenSSL library) mutual TLS crypto handshake
SeaDude
  • When you say "validate a client certificate" what do you actually mean? Validating a cert means chaining to a trusted root, checking [enhanced] key usage, date validity, revocation, checking name is correct etc. None of which is performed by KV. What most people REALLY mean is all of the above AND validating the 'other end' has a private key associated with the public key in the cert. That's part of the [m]TLS protocol, and KV does not inject itself in that process. – MichaelHoward-MSFT Aug 25 '20 at 02:42
  • Thanks for the clarification @MichaelHoward-MSFT. After studying further, I see now that the validations you mention are handled by application code, not a function performed by Key Vault. – SeaDude Sep 02 '20 at 05:12
  • If you have more q's about this, let me know. KV is a bit of a mysterious magic box to many people! – MichaelHoward-MSFT Sep 04 '20 at 17:25
  • Thanks @MichaelHoward-MSFT. If you could weigh in [here](https://stackoverflow.com/questions/64289883/mtls-using-azure-function-http-trigger) with any specifics, I'd like to ensure I'm not missing anything crucial. I'll be storing the pre-shared certificates in Key Vault and retrieving them using `CertificateClient`, though this may be completely unnecessary as requestor certs are public? Maybe I just store them in Azure Table Storage instead? – SeaDude Oct 10 '20 at 04:16
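
The checks MichaelHoward-MSFT's comment lists (chain to a trusted root, key usage, validity dates, name; revocation left out) done in application code rather than by Key Vault, as an added example that is not part of the question or of the Azure SDK. It uses the `cryptography` package and generates its own throwaway CA and client certificate in-process as constructed test data; `make_test_cert`, `validate_client_cert`, `CA_CERT`, `CLIENT_PEM` and `FORGED_PEM` are names I chose, and in the real flow `CA_CERT` would be the certificate `CertificateClient` returns from Key Vault.

```python
# Added example (not the question's code or the Azure SDK): the checks the backend
# must do itself on a presented client certificate; Key Vault stores certs, it never validates them.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

def make_test_cert(cn, issuer_cert, signing_key, pub, is_ca, eku, days):
    # Constructed test PKI (not a real Org1 CA); issuer_cert=None builds a self-signed root.
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).public_key(pub)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .serial_number(x509.random_serial_number()).not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage([eku]), False)
    return b.sign(signing_key, hashes.SHA256())

def validate_client_cert(pem, trusted_ca, expected_cn):
    # Returns (ok, reason). In production trusted_ca is what CertificateClient returned
    # from Key Vault; revocation (CRL/OCSP) also belongs here but is not checked.
    cert = x509.load_pem_x509_certificate(pem)
    if cert.issuer != trusted_ca.subject:  # 1. chains to the trusted root by name...
        return False, "issuer is not the trusted CA"
    try:                                   # ...and the root's key really signed it
        trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return False, "signature does not verify against the CA"
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # 2. validity window (naive UTC)
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        return False, "expired or not yet valid"
    ekus = [e.value for e in cert.extensions if isinstance(e.value, x509.ExtendedKeyUsage)]
    if not ekus or ExtendedKeyUsageOID.CLIENT_AUTH not in ekus[0]:  # 3. EKU allows client auth
        return False, "not a client-auth certificate"
    if cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value != expected_cn:
        return False, "subject does not match the expected client"  # 4. name check
    return True, "ok"

CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_CERT = make_test_cert("Org1 Test CA", None, CA_KEY, CA_KEY.public_key(), True, None, 365)
OTHER_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # client key / rogue signer
CLIENT_PEM = make_test_cert("client1", CA_CERT, CA_KEY, OTHER_KEY.public_key(), False,
                            ExtendedKeyUsageOID.CLIENT_AUTH, 30).public_bytes(serialization.Encoding.PEM)
FORGED_PEM = make_test_cert("client1", CA_CERT, OTHER_KEY, OTHER_KEY.public_key(), False,  # CA name, wrong key
                            ExtendedKeyUsageOID.CLIENT_AUTH, 30).public_bytes(serialization.Encoding.PEM)
```

Proof of possession of the private key (the part MichaelHoward-MSFT points to the TLS handshake for) is not covered here: a certificate copied into a header proves nothing about who sent the request, so these checks only make sense on a certificate the TLS layer itself authenticated.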
