Root CA of Azure Sphere DAA certificate not on list of accepted Root CAs for Azure Function Apps through Azure App Services

Vo 1 Reputation point
2021-10-14T10:04:01.21+00:00

I am creating a system whereby an Azure Sphere HSM App (client) connects to an Azure Function App (server) via mutual authentication through TLS. Having set the option for Incoming Client Certificate to "Require" in the app service configurations and attempting to make a connection between the HSM and Azure Function, the TLS request fails at the stage before the function is even run. I believe this is because in the HSM app, it sends the certificate chain for the current Azure Sphere Tenant which has a root CA signed by "Azure Sphere Root Certificate Authority 2020." Upon checking the list of trusted Root CAs in Azure App Services, the Azure Sphere root CA is not in this list and hence the Azure App Services rejects the request from the HSM and does not even get to running the Azure Function App.

Could this Root CA be added to the accepted list of Root CAs so that Azure App Services can allow the HSM to call the Azure Function using TLS? I would have thought this service would accept Azure Sphere certificates since they are both Microsoft services.

Thanks


3 answers

  1. Susmitha Kothari 6 Reputation points Microsoft Employee
    2021-10-14T21:12:04.46+00:00

    Hello Vo-0946,

    If we understand this correctly, it seems like your issue is similar to the one noted in this stackoverflow article: https://stackoverflow.com/questions/64289883/mtls-using-azure-function-http-trigger.

    It notes that Azure Function doesn't do any validation, but only forwards the certificate in a header and your app needs to do the validation. This documentation will be useful for your scenario: https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth#access-client-certificate

    Thank you,
    Susmitha

    1 person found this answer helpful.
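    The validation this answer points at, shown as an added example that is not from the original post, the linked Stack Overflow thread, or Microsoft's documentation: App Service terminates TLS at its front end and forwards the client certificate to the function as a base64-encoded DER blob in the `X-ARR-ClientCert` header (the header name and encoding are the documented ones), and the function code must then decide whether to trust it. The pinned issuer standing in for the Azure Sphere tenant CA, the `validate_forwarded_client_cert` helper, and every certificate below are assumptions constructed here for the demo; the block needs the `cryptography` package.

```python
"""Added example: validate the client certificate that App Service forwards
to a Function in the X-ARR-ClientCert header. App Service only forwards it;
the function must check it. The pinned CA stands in for the Azure Sphere
tenant CA from the question (assumption; all certs are constructed here)."""
import base64
import binascii
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HEADER = "X-ARR-ClientCert"


def validate_forwarded_client_cert(headers, pinned_issuer, now=None):
    """Return (ok, reason) for the certificate carried in `headers`.

    `pinned_issuer` is the x509.Certificate of the one CA this app trusts
    to issue device certificates (assumption). Checks: header present and
    decodable, issuer name matches, signature really made by the pinned
    CA's key, and `now` inside the validity window. Hypothetical helper.
    """
    raw = headers.get(HEADER)
    if not raw:
        return False, "no client certificate forwarded"
    try:
        cert = x509.load_der_x509_certificate(base64.b64decode(raw, validate=True))
    except (ValueError, binascii.Error):
        return False, "header is not a base64 DER certificate"
    if cert.issuer != pinned_issuer.subject:
        return False, "issuer is not the pinned CA"
    try:
        # A matching issuer name is spoofable; the signature check is what
        # proves the pinned CA actually issued this certificate.
        pinned_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "signature not made by the pinned CA"
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        return False, "certificate outside its validity period"
    return True, cert.subject.rfc4514_string()


def _issue(subject, issuer_cert, issuer_key, key, days=365, ca=False):
    """Constructed test data: certificate for `key`, signed by `issuer_key`;
    self-signed when `issuer_cert` is None."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    issuer_name = issuer_cert.subject if issuer_cert is not None else name
    start = (datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
             - datetime.timedelta(days=1))
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def demo():
    """Constructed scenario: a pinned tenant CA, a valid device cert, a cert
    from a rogue CA that copies the tenant CA's name, and an expired cert."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = _issue("Example Tenant CA", None, ca_key, ca_key, ca=True)
    dev_key = ec.generate_private_key(ec.SECP256R1())
    good = _issue("device-0001", ca, ca_key, dev_key)
    rogue_key = ec.generate_private_key(ec.SECP256R1())
    rogue_ca = _issue("Example Tenant CA", None, rogue_key, rogue_key, ca=True)
    forged = _issue("device-evil", rogue_ca, rogue_key, dev_key)
    expired = _issue("device-0002", ca, ca_key, dev_key, days=0)

    def hdr(c):  # what App Service puts in the request header
        return {HEADER: base64.b64encode(c.public_bytes(serialization.Encoding.DER)).decode()}

    return {
        "good": validate_forwarded_client_cert(hdr(good), ca),
        "forged_issuer": validate_forwarded_client_cert(hdr(forged), ca),
        "expired": validate_forwarded_client_cert(hdr(expired), ca),
        "missing": validate_forwarded_client_cert({}, ca),
        "garbage": validate_forwarded_client_cert({HEADER: "not-a-cert"}, ca),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} -> {result}")
```

    In a real function you would pass `req.headers` from the `azure.functions.HttpRequest` and load the pinned CA from an app setting rather than generating it. The check is deliberately a single-issuer pin rather than a full chain build: if the devices present an intermediate between the leaf and the tenant CA, the intermediate has to be verified against the pinned root in the same way before the leaf is verified against it.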

  2. Susmitha Kothari 6 Reputation points Microsoft Employee
    2021-10-27T15:36:38.413+00:00

    Hello An Vo,

    Apologies for the delay in responding. We are looking at this scenario and will provide an update this week.

    Thank you,
    Susmitha


  3. Susmitha Kothari 6 Reputation points Microsoft Employee
    2021-10-27T17:55:46.377+00:00

    Hello An Vo,

    I'm looking to understand the use case / scenario you are trying to achieve with Azure App Service. Is going through Azure IoT Hub or Azure IoT Central a viable option?

    https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-event-iot-output?tabs=csharp
    https://learn.microsoft.com/en-us/azure/iot-central/core/howto-configure-rules#create-a-webhook-action

    Thank you,
    Susmitha