question

0 Votes
ssstestpbix-6504 asked NimeshPatel-8517 commented

authentication-certificate configuration in Azure Key Vault from an API Management policy

I'm facing the below issue:

One or more fields contain incorrect values:
Error in element 'authentication-certificate' on line 18, column 10: Exactly one of a thumbprint or certificate-id or body must be specified.

I'm configuring the correct certificate-id in the inbound policy but getting the above error. I have tried with thumbprint and body also.
<inbound>
    <base />
    <authentication-certificate certificate-id="client-certificate-dev" />
</inbound>



azure-api-management azure-key-vault

0 Votes
NimeshPatel-8517 answered NimeshPatel-8517 commented

I have the same issue. The certificate is installed into API Management's Certificate tab (from Key Vault). It still gives the error. Below is the error I receive:

One or more fields contain incorrect values:
Error in element 'authentication-certificate' on line 16, column 10: The Certificate with id 'testKVCert' and thumbprint 'XXXXXXXXXXXXXXXXXX' is configured with KeyVault secret 'https://kvtestldb.vault.azure.net/secrets/CERTtest' and cannot be referenced by thumbprint. Please reference it with certificate-id 'testKVCert' in the policy.

How can I fix this issue? Please help!


BTW, I followed exactly as mentioned in the MSFT docs (https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates) and also created a PoC environment for this issue. However, no luck.

0 Votes 0 ·

@NimeshPatel-8517 As per the error, it looks like you have referred to the certificate using the thumbprint, but when you are using Key Vault you need to identify it using the certificate ID. In your policy, you need to identify it using certificate-id and not with thumbprint, as mentioned in the caution section.

If the certificate references a certificate stored in Azure Key Vault, identify it using the certificate ID. When a key vault certificate is rotated, its thumbprint in API Management will change, and the policy will not resolve the new certificate if it is identified by thumbprint.

In case you still observe the issue, I would suggest you post a new Q&A thread so that we can assist you further.

0 Votes 0 ·

@MayankBargali-MSFT I was using the GUI to add the certificate into APIM certificates. Since your suggestion is to use it by manually updating the policy (code), let me try it and update here or open a new question as you suggested.

Thank you

0 Votes 0 ·
0 Votes
MayankBargali-MSFT answered

Hi @ssstestpbix-6504

Welcome to Microsoft Q&A! Thanks for posting the question.

When you are using authentication-certificate, please make sure that the certificate is installed into API Management first and is identified by its thumbprint or certificate ID (resource name).
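
The two rules quoted in this thread (exactly one of thumbprint, certificate-id or body; a Key Vault-backed certificate must be referenced by certificate-id) can be checked before a policy is saved. The following is an added example, not code from the thread or from Microsoft, and it is not API Management's own validator; `lint_policy`, the `KEYVAULT_BACKED` inventory and the 40-character thumbprint are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ID_ATTRS = ("thumbprint", "certificate-id", "body")

# Constructed inventory: APIM certificate ID -> current thumbprint, listing only
# certificates backed by Key Vault. The thumbprint is a made-up value.
KEYVAULT_BACKED = {"testKVCert": "0123456789ABCDEF0123456789ABCDEF01234567"}

def lint_policy(policy_xml, keyvault_backed=KEYVAULT_BACKED):
    """Return (rule, message) findings for every <authentication-certificate>."""
    by_thumbprint = {t.upper(): cid for cid, t in keyvault_backed.items()}
    findings = []
    # Assumption: the policy has no C# expressions that break XML well-formedness.
    for el in ET.fromstring(policy_xml).iter("authentication-certificate"):
        # Assumption: an empty attribute counts as not specified.
        present = [a for a in ID_ATTRS if el.get(a, "").strip()]
        if len(present) != 1:
            findings.append(("one-of", "need exactly one of %s, found %s"
                             % (", ".join(ID_ATTRS), present or "none")))
        elif present[0] == "thumbprint":
            cert_id = by_thumbprint.get(el.get("thumbprint").strip().upper())
            if cert_id:  # pinned thumbprint goes stale when Key Vault rotates the cert
                findings.append(("keyvault-thumbprint",
                                 'reference it with certificate-id="%s"' % cert_id))
    return findings

# Constructed policies: the question's fragment, a thumbprint reference to the
# Key Vault-backed certificate, and an element that sets two identifiers.
BY_ID = '<inbound><base /><authentication-certificate certificate-id="client-certificate-dev" /></inbound>'
BY_THUMBPRINT = ('<inbound><base /><authentication-certificate '
                 'thumbprint="0123456789abcdef0123456789abcdef01234567" /></inbound>')
TWO_IDENTIFIERS = ('<inbound><base /><authentication-certificate '
                   'certificate-id="testKVCert" thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" /></inbound>')

if __name__ == "__main__":
    for name, policy in [("by id", BY_ID), ("by thumbprint", BY_THUMBPRINT),
                         ("two identifiers", TWO_IDENTIFIERS)]:
        print(name, lint_policy(policy))
```

In practice the inventory would be filled from the API Management instance's certificate list rather than hard-coded.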
