
I am configuring an Azure App Gateway for mutual authentication (mTLS). This question is more generally about when and when not to use public vs internal CAs for client certificates / mutual authentication / mTLS. The use case here is allowing private API traffic from a specific client to a specific server.

The configuration of mutual authentication requires me to configure the server's SSL profile with a concatenated intermediate and root certificate to verify the client certificate during the TLS handshake. I have initially purchased a DigiCert client certificate, which means the server side receives the DigiCert intermediate and root certificate for verification. This just feels wrong for my use case.

With this setup, is this just going to accept ANY certificate from that DigiCert CA chain? (which presumably is quite a number of client certificates!) My intention is to restrict access to a specific client (+ redundant/DR clients). If I look at the output from the openssl handshake when configured in this way, I can see that my server is specifying the public intermediate and root certificates that it will accept, thus giving a hint as to where someone could go buy a certificate that would work.

If I am correct, what is the appropriate method to reduce down the number of clients/certificates that the server's client authentication will accept? An Internal CA issuing the certificate, or otherwise?

ArchiDavid
  • I feel that your question is based on several misconceptions on how certificates and chains work, and how trust is established with certificates. It depends on your configuration what kind of certificates (singular and plural) your server trusts. Where you get your cert from and whether it's publicly trusted or a self-signed certificate does not matter. What matters is that you get a certificate fitting to the purpose and that is trusted and/or accepted by both parties. I won't go into detail, because a Q&A website isn't a good place for such a big scope. – Daniel Jul 24 '22 at 13:40
  • To get to the nub of what I'm asking: with an mTLS setup at the server with a DigiCert intermediate + root as its 'trusted client CA certificate chain', is it correct to think any client that has a certificate + private key issued by that CA will be able to authenticate to this server? – ArchiDavid Jul 24 '22 at 14:03
  • Private keys are **never** issued by a CA! The public key is also not issued by a CA. The public key is sent to a CA with a signing request. – Daniel Jul 24 '22 at 14:31
  • Thanks for spotting the typo, it should read 'certificate issued by that CA + private key' (as client requires the PK in order to sign the certificate verify message) – ArchiDavid Jul 24 '22 at 14:46

1 Answer


You can configure an Azure Application Gateway for mutual authentication with multiple options.

  • The Application Gateway may be configured to trust a single certificate.
  • The Application Gateway may be configured to trust the immediate issuer and trust all leaf certificates issued by that CA.

What option you use depends on you. But when you opt for the second authentication option, and the immediate issuer is not a CA that you control, then you don't control what is able to authenticate at the application gateway.

Sources from the documentation:

Application Gateway supports certificate based mutual authentication where you can upload a trusted client CA certificate(s) to the Application Gateway and the gateway will use that certificate to authenticate the client sending a request to the gateway.

And:

You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This option is off by default but you can enable this through Portal, PowerShell, or Azure CLI.

Daniel
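The following script is an added illustration, not code from the question, the answer, or Microsoft's documentation. It models the concern raised in the question (a server that trusts a commercial CA's chain accepts every leaf that CA ever issued) and the two options named in the answer, using throwaway certificates created with openssl in a temporary directory. "PublicCA" is a locally generated self-signed CA standing in for DigiCert, "InternalCA" stands for a CA you run yourself, and all client names are constructed. Option 1 (trust a single certificate) is modelled here as a SHA-256 fingerprint pin, which is only a stand-in for whatever Application Gateway does internally; option 2 (trust the issuer) is modelled with `openssl verify`. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added demonstration (not part of the original post): compare "trust an issuer"
# with "trust one certificate" using locally generated, throwaway certificates.
# "PublicCA" stands in for a commercial CA; nothing here is a real CA.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA: $1 = common name, $2 = file prefix
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.crt" \
    -subj "/CN=$1" -days 30 >/dev/null 2>&1
}

# Issue a client certificate: $1 = client CN, $2 = issuing CA prefix, $3 = file prefix
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -out "$3.crt" -days 30 >/dev/null 2>&1
}

# Option 2 (trust an issuer): succeed if leaf $2 chains to the CA file $1.
# Every leaf that CA ever signed passes this check.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, used as the pin below
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Option 1 (trust a single certificate), modelled as a fingerprint pin:
# succeed only if the presented cert $2 is exactly the pinned one $1.
verify_pinned() {
  [ "$(fingerprint "$2")" = "$1" ]
}

# Build the scenario: one "public" CA that issues to us and to a stranger,
# and one internal CA that issues only to us.
make_ca "PublicCA"   public_ca
make_ca "InternalCA" internal_ca
issue_client "our-api-client" public_ca   our_public_client
issue_client "someone-else"   public_ca   stranger_public_client
issue_client "our-api-client" internal_ca our_internal_client
PINNED_FP=$(fingerprint our_internal_client.crt)

# Print a one-line accepted/rejected summary for each case
check() {
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}
check "public CA trusted, our client"   verify_against_ca public_ca.crt   our_public_client.crt
check "public CA trusted, stranger"     verify_against_ca public_ca.crt   stranger_public_client.crt
check "internal CA trusted, our client" verify_against_ca internal_ca.crt our_internal_client.crt
check "internal CA trusted, stranger"   verify_against_ca internal_ca.crt stranger_public_client.crt
check "pinned leaf, our client"         verify_pinned "$PINNED_FP" our_internal_client.crt
check "pinned leaf, stranger"           verify_pinned "$PINNED_FP" stranger_public_client.crt
```

The first two checks both succeed, which is exactly the situation the question describes: with the commercial CA's chain as the trusted client CA, the stranger's certificate from the same CA is as acceptable as yours. The internal CA rejects the stranger because it never signed that leaf, and the pin rejects everything except the one enrolled certificate. In a real deployment the "internal CA" would also need a revocation or rotation story, since a pin or a private CA only narrows who can be issued a certificate, not what happens if the enrolled client's key is lost.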