
Does Azure Key Vault support storing Client Certificates for mTLS authentication?

Example:

  • I have an HTTP-triggered Azure Function (Python)
  • Has HTTPS: Yes and Client Certificates: Required enabled in the Function App
  • When user sends a request to the endpoint and passes their Client Certificate, I can read in the cert via the X-ARR-ClientCert header
  • I then want to create a KeyVaultCertificate client which will pull the client cert we have on file for said requestor and validate its properties
    • not_valid_before/after
    • issuer
    • common_name
    • ocsp_responder_url
    • etc.

[image: whiteboard sketch]

Problem:

  • Key Vault seems to only allow the upload of server certificates, not client certs.
  • It only allows .pfx or .pem file extensions
  • If I'm not mistaken, a client cert would never be in .pfx format because it contains the private key
  • I tried to split the .pfx file into both .pem (actual certificate) and .key then upload only the .pem, but Key Vault didn't like the format.

Does Key Vault handle client certs in this manner or should I just save them as KV Secrets and avoid KV Certificates altogether?

ericOnline

1 Answer


If I'm not mistaken, a client cert would never be in .pfx

You are mistaken and all your assumptions are incorrect. Mutual TLS requires two sets of certificate and private key, one set for the server and another for the client. You cannot set up mutual TLS with two certificates and one private key (like you describe).

Azure Key Vault perfectly supports any kind of certificate, including client and server authentication.

Crypt32
  • Here is where I'm confused. We are expecting outside entities to pre-share their client cert with us and we'd store it in Key Vault for later comparison when they make a request. If the said outside entity has a 3rd party-issued client certificate (say from Digicert), why on earth would they send us their private key along with their client cert? – ericOnline Oct 20 '20 at 15:45
  • Ok, now I understand you. You use these certificates for identity accounting. Then Azure Key Vault is not the right solution. Key Vault is supposed to securely store keys. You must have a sort of identity database, so consider using it to store client certs (public certs) and do mapping between certs and accounts. – Crypt32 Oct 20 '20 at 15:59
  • Thank you for the clarification and confirmation @Crypt32. I added a rough whiteboard sketch to the OP for more context. So I guess the answer is: If I really want to use Key Vault to store these public client certs, I could store them as KV Secrets and pull them in as needed. Otherwise I could just store them in any database/table storage/etc. – ericOnline Oct 20 '20 at 16:34
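A worked example of the flow the question describes, with the certificate on file held as PEM text (as the comments conclude, for instance in a Key Vault secret) and compared with the value the Function App receives in X-ARR-ClientCert. This is added example code, not from the question or the answer; it uses the `cryptography` package, and the self-signed certificate, its OCSP URL and the header value are constructed stand-ins for a CA-issued client cert and a real request.

```python
import base64
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def cert_from_header(header_value):  # X-ARR-ClientCert carries the leaf cert as base64 DER
    return x509.load_der_x509_certificate(base64.b64decode(header_value))
def cert_from_pem(pem):  # the pre-shared public cert, e.g. PEM text read from a Key Vault secret
    return x509.load_pem_x509_certificate(pem.encode())
def pem_text(cert):  # PEM form suitable for storing as a Key Vault secret value
    return cert.public_bytes(serialization.Encoding.PEM).decode()
def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def ocsp_responder_url(cert):  # from the Authority Information Access extension, else None
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    except x509.ExtensionNotFound:
        return None
    urls = [d.access_location.value for d in aia.value
            if d.access_method == AuthorityInformationAccessOID.OCSP]
    return urls[0] if urls else None

def validate_client_cert(presented, on_file, now=None):
    """Return a list of problems; empty means the presented cert is the one on file and current."""
    now = now or dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)  # naive UTC, as cryptography uses
    problems = []  # the fingerprint pin is decisive; the field checks explain a mismatch
    if presented.fingerprint(hashes.SHA256()) != on_file.fingerprint(hashes.SHA256()):
        problems.append("fingerprint does not match the certificate on file")
    if not presented.not_valid_before <= now <= presented.not_valid_after:
        problems.append("outside validity window")
    if presented.issuer != on_file.issuer:
        problems.append("issuer mismatch")
    if common_name(presented) != common_name(on_file):
        problems.append("common name mismatch")
    return problems

def make_self_signed(cn, ocsp_url="http://ocsp.example.test"):  # constructed sample, placeholder OCSP URL
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
            .add_extension(aia, critical=False).sign(key, hashes.SHA256()))

def header_value(cert):  # what the Function App would put in X-ARR-ClientCert for this cert
    return base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode()
```

App Service only forwards the client certificate in the header, so every check on it, including revocation via the OCSP URL that this example merely extracts, is the function's own responsibility.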