I have an APIM with two different APIs, let's say API-1 and API-2.

I need client certificate authentication only for API-2.

I know that I have to set the Negotiate client certificate option in the Custom domains of the APIM in order to request the certificate from the client (documentation), but this will request a certificate also for API-1.

Is there a way to request client certificate only for one API without the need to have different APIM services?

andre

1 Answer

Well, in the APIM Premium SKU you can use multiple custom domains for the gateway endpoint and set Negotiate client certificate on one domain and ignore it for the other. With that you can call API-1 from domain-1 and API-2 from domain-2, but keep in mind that both APIs will continue to be callable using any of the custom domains, so this is an inefficient and pricey solution.

The other solution is to enable Negotiate client certificate and simply let your client ignore the certificate request. As long as API-1 does not have logic to validate the certificate, the call will not fail and will be handled as usual.

Mo Haidar
  • Don't need to go for premium for that. Only Consumption and Basic SKUs don't have that capability. – Vitaliy Kurokhtin Aug 27 '21 at 23:50
  • @VitaliyKurokhtin thanks for the correction, so obviously the pricing page needs to be updated as it states that the Standard tier does not support multiple custom domains. – Mo Haidar Aug 28 '21 at 12:42
  • The second solution is what works for me. Validation of the certificate is done only in APIM policies for API-2 while API-1 just ignores it. The only minor problem is that if the client is a browser it will ask the user for a certificate and any will pass, so not really clean in my opinion. If you have custom client code or a tool to make requests it will work fine without specifying any certificate. Thanks @Mohamad! – andre Aug 31 '21 at 12:36
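The second solution from the answer, and the per-API validation andre describes in the comment, comes down to an inbound policy scoped to API-2 alone. The policy below is an added example written for this page, not code from the question or the answer: it assumes that the trusted client certificate (or its issuing CA) has been uploaded to the APIM instance under Security > Certificates, so that `context.Deployment.Certificates` contains it, and it relies on the standard APIM policy expression surface (`context.Request.Certificate`, `choose`/`when`, `return-response`). API-1 gets no such block, which is exactly why a certificate offered by a browser is accepted there unchecked.

```xml
<!-- Inbound policy for API-2 only (added example, not from the post).
     Attach at the API scope of API-2 (Design > All operations > Inbound processing);
     API-1 keeps its default policy and never inspects the TLS client certificate. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Reject the call when no certificate was negotiated, when its chain does not
                 verify, or when its thumbprint matches none of the certificates uploaded
                 to this APIM instance. Each check is independent so a missing certificate
                 never causes a null dereference in the expression. -->
            <when condition="@{
                var cert = context.Request.Certificate;
                return cert == null
                    || !cert.Verify()
                    || !context.Deployment.Certificates.Any(c => c.Value.Thumbprint == cert.Thumbprint);
            }">
                <return-response>
                    <!-- Fail closed: the backend is never reached for an unauthenticated caller. -->
                    <set-status code="403" reason="Invalid client certificate" />
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because Negotiate client certificate is a gateway-wide setting, the TLS handshake still asks every caller for a certificate; this policy is what turns that optional request into a hard requirement for API-2 only. Comparing against `context.Deployment.Certificates` rather than a thumbprint literal keeps the trusted set out of the policy text, so rotating a client certificate means uploading the new one instead of editing the policy.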