YannMathieu asked ClaudioResende-8132 answered

Azure API Management policy validate-client-certificate is limited to 10 identities

Hello,

I'm trying to use the validate-client-certificate policy in APIM and I get an error when adding more than 10 identity elements to the identities element.
I have more than 10 customers using my API and I need to declare each of their individual certificates.
The documentation doesn't mention such limitations:
https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#validate-client-certificate

Is there another way to do this?


My policy looks like this:

 <policies>
     <inbound>
         <base />
         <validate-client-certificate validate-revocation="true" validate-trust="true" validate-not-before="true" validate-not-after="true" ignore-error="false">
             <identities>
                 <identity common-name="common_name1" />
                 <identity common-name="common_name2" />
                 <identity common-name="common_name3" />
                 <identity common-name="common_name4" />
                 <identity common-name="common_name5" />
                 <identity common-name="common_name6" />
                 <identity common-name="common_name7" />
                 <identity common-name="common_name8" />
                 <identity common-name="common_name9" />
                 <identity common-name="common_name10" />
                 <identity common-name="common_name11" />
             </identities>
         </validate-client-certificate>
     </inbound>
     <backend>
         <base />
     </backend>
     <outbound>
         <base />
     </outbound>
     <on-error>
         <base />
     </on-error>
 </policies>

The error message is:
Error in element 'validate-client-certificate' on line 16, column 10: The element 'identities' has invalid child element 'identity'.

azure-api-management

@YannMathieu Apology for the delay. I do see that you have created the support ticket for the same and the team is working on your concern.


Yes, I also created a Product Feedback
https://feedback.azure.com/forums/248703-api-management/suggestions/43879446-validate-client-certificate-policy-should-not-be-l

If you have any alternative suggestions to this issue I'm still interested.


1 Answer

ClaudioResende-8132 answered

Any idea for this question?
Alternatively I am using:

<choose>
    <when condition="@(context.Request.Certificate == null
        || context.Request.Certificate.Thumbprint != "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
        || context.Request.Certificate.NotAfter < DateTime.Now)">
        <return-response>
            <set-status code="401" reason="Unauthorized" />
            <set-body>@{
                return new JObject(
                    new JProperty("title", "Invalid client certificate"),
                    new JProperty("status", "403"),
                    new JProperty("detail", "Invalid certificate provided, please try again with a valid certificate")
                ).ToString();
            }</set-body>
        </return-response>
    </when>
</choose>
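The single-thumbprint check above scales to many customers if the thumbprints are kept outside the policy body. The following inbound section is an added example written for this thread; it is neither the answer's nor Microsoft's code. It assumes a named value called allowed-client-thumbprints (a hypothetical name) whose value is a semicolon-separated list of SHA-1 thumbprints, and it keeps the trust, not-before and not-after checks that the validate-client-certificate policy would otherwise perform.

```xml
<inbound>
    <base />
    <!-- Added example. The named value allowed-client-thumbprints is an assumed name;
         its value is a ';'-separated list of SHA-1 thumbprints. Named-value references
         in double braces are substituted as text before the expression is compiled. -->
    <set-variable name="client-cert-valid" value="@{
        var cert = context.Request.Certificate;
        if (cert == null) { return false; }

        // Chain and signature check against the certificates trusted by the gateway.
        if (!cert.Verify()) { return false; }

        // Validity window. X509Certificate2.NotBefore/NotAfter are local-time DateTimes,
        // so they are compared with DateTime.Now, as the answer above does.
        var now = DateTime.Now;
        if (cert.NotBefore > now || now >= cert.NotAfter) { return false; }

        // Normalise the allowlist: Thumbprint is upper-case hex with no separators,
        // so strip colons and whitespace and ignore anything that is not 40 hex chars.
        var allowed = "{{allowed-client-thumbprints}}"
            .Split(';')
            .Select(t => t.Trim().Replace(":", "").ToUpperInvariant())
            .Where(t => t.Length == 40);
        return allowed.Contains(cert.Thumbprint.ToUpperInvariant());
    }" />
    <choose>
        <when condition="@(!(bool)context.Variables["client-cert-valid"])">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/problem+json</value>
                </set-header>
                <set-body>@{
                    return new JObject(
                        new JProperty("title", "Invalid client certificate"),
                        new JProperty("status", 403),
                        new JProperty("detail", "The presented certificate is missing, expired, untrusted, or not on the allowlist.")
                    ).ToString();
                }</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
```

Rotating a customer's certificate then means editing the named value rather than redeploying the policy, and the response status is the same (403) in both the header and the body, which the snippet above does not keep consistent. If the customer certificates are uploaded to the API Management instance instead of listed as thumbprints, the allowlist line can be replaced by context.Deployment.Certificates.Any(c => c.Value.Thumbprint == cert.Thumbprint), which is the check Microsoft's documentation gives for certificates managed by the gateway.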
