| title | description | services | author | ms.service | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|
Azure API Management policy reference - authentication-certificate | Microsoft Docs | Reference for the authentication-certificate policy available for use in Azure API Management. Provides policy usage, settings, and examples. | api-management | dlepow | azure-api-management | reference | 07/23/2024 | danlep |
[!INCLUDE api-management-availability-all-tiers]
Use the authentication-certificate policy to authenticate with a backend service using a client certificate. When the certificate is installed into API Management first, identify it first by its thumbprint or certificate ID (resourcename).
[!INCLUDE api-management-credentials-caution]
Caution
If the certificate references a certificate stored in Azure Key Vault, identify it using the certificate ID. When a key vault certificate is rotated, its thumbprint in API Management will change, and the policy will not resolve the new certificate if it is identified by thumbprint.
[!INCLUDE api-management-policy-generic-alert]
<authentication-certificatethumbprint="thumbprint"certificate-id="resource name"body="certificate byte array"password="optional password"/>| Attribute | Description | Required | Default |
|---|---|---|---|
| thumbprint | The thumbprint for the client certificate. Policy expressions are allowed. | Either thumbprint or certificate-id can be present. | N/A |
| certificate-id | The certificate resource name. Policy expressions are allowed. | Either thumbprint or certificate-id can be present. | N/A |
| body | Client certificate as a byte array. Use if the certificate isn't retrieved from the built-in certificate store. Policy expressions are allowed. | No | N/A |
| password | Password for the client certificate. Policy expressions are allowed. | Use if certificate specified in body is password protected. | N/A |
- Policy sections: inbound
- Policy scopes: global, workspace, product, API, operation
- Gateways: classic, v2, consumption, self-hosted, workspace
- We recommend configuring key vault certificates to manage certificates used to secure access to backend services.
- If you configure a certificate password in this policy, we recommend using a named value.
<authentication-certificatecertificate-id="544fe9ddf3b8f30fb490d90f" /> <authentication-certificatethumbprint="CA06F56B258B7A0D4F2B05470939478651151984" /><authentication-certificatebody="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))"password="optional-certificate-password" />[!INCLUDE api-management-policy-ref-next-steps]
