Exploring mTLS setup to send a client certificate to the backend and OCSP validation | Azure Blog and Updates



In our previous blog we discussed what mutual transport layer security (mTLS) is and what some of its use cases are. In this blog I want to focus on two of these use cases. First, how to send the client certificate to the backend application server and validate the setup with the curl command, and second, how to set up OCSP validation and verify it with openssl commands.

Insert client certificate as HTTP header

In some cases, backend applications may need the client certificate that was received by Application Gateway. Client certificates can serve different purposes depending on the needs of the backend application. Some backend servers may need client certificate information for audit purposes, or may want to issue a token or cookie bound to a client certificate. In that case we may need to supply the client certificate to the backend. One way to solve this is by supplying the certificate in base64 encoded format inside a nonstandard HTTP (Hypertext Transfer Protocol) header. Please note, for security purposes and to prevent header injection, the backend server must accept the custom header only from the trusted Application Gateway; a client that can reach the backend directly could otherwise set the header itself. Let's first discuss how to send the client certificate to the backend application as a custom HTTP header. To achieve this you can set up a rewrite rule that sends the client certificate as an HTTP header.

Find more details on how to set up a rewrite rule in our rewrite URL and query string with Azure Application Gateway documentation.

Below is the rewrite rule you can create to send the client certificate to the backend as an HTTP header. Set up the rewrite action as shown.

Screenshot of Create rewrite set showing the values that need to be populated for the rewrite rule.

Once the rewrite rule is created you can verify whether the backend server is receiving the client certificate in the HTTP header. To test the setup, the prerequisite is to have the openssl and curl tools installed on your machine. You should also have access to the client certificate and the client private key.

Verification steps to check the client certificate in the custom HTTP header:

Capture the client certificate output.

Screenshot showing the client certificate output.

Run the following command to send a request to Application Gateway:

  • curl -vk https://<yourdomain.com> --key client.key --cert client.crt

On the backend server you should see the header you created in the Application Gateway rewrite rule. You can run a network capture tool such as tcpdump on the backend server to observe it.

Screenshot showing the client certificate that the backend has received.

Above you can see the X-Client-cert header received by the backend, which we created in the rewrite rule. This header carries the client certificate that we sent. The backend server can extract this value and use it according to the desired use case.
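The point made above, that the backend must accept X-Client-cert only from the trusted Application Gateway, as an added example of how a backend could handle the header (example code written for this page, not from the original post or from Azure): the header is ignored unless the TCP peer is the gateway, the value is normalised, checked to be one complete DER SEQUENCE, and reduced to a SHA-256 fingerprint for the audit log. The trusted subnet 10.0.1.0/24, the sample peer addresses, the 5-byte stand-in certificate and the assumption that the header carries URL-encoded PEM or bare base64 DER are all constructed for the example.

```python
import base64
import hashlib
import ipaddress
import re
from urllib.parse import unquote

# Constructed: the gateway front end(s) the backend trusts; use your gateway's
# private IP or subnet. Any other peer could inject the header, so it is ignored.
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.1.0/24")]
HEADER_NAME = "X-Client-cert"  # header name created by the rewrite rule

def _der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (the outer Certificate)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        hdr, body = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + body == len(der)

def extract_client_cert(headers: dict, remote_addr: str):
    """Return {'fingerprint_sha256', 'der_len'} for the audit log, or None."""
    if not any(ipaddress.ip_address(remote_addr) in n for n in TRUSTED_GATEWAYS):
        return None                        # not from the gateway: never trust it
    raw = next((v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), "")
    # Assumption: the value is URL-encoded PEM or bare base64 DER; compare with
    # your own tcpdump capture of the header and adjust the normalisation.
    text = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", unquote(raw))
    try:
        der = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    except ValueError:
        return None
    if not _der_sequence_ok(der):
        return None                        # empty, truncated or not a certificate
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    fp = ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))
    return {"fingerprint_sha256": fp, "der_len": len(der)}

def demo():
    """Constructed stand-in: a 5-byte DER SEQUENCE{INTEGER 5}, not a real certificate."""
    der = b"\x30\x03\x02\x01\x05"
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
    from_gateway = extract_client_cert({HEADER_NAME: pem}, "10.0.1.4")
    spoofed = extract_client_cert({HEADER_NAME: pem}, "198.51.100.7")
    truncated = extract_client_cert({HEADER_NAME: base64.b64encode(der[:-1]).decode()}, "10.0.1.4")
    return from_gateway, spoofed, truncated
```

With a real certificate the fingerprint matches `openssl x509 -in client.crt -noout -fingerprint -sha256`, which lets the audit entry be correlated with the certificate the gateway validated.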

OCSP

Online Certificate Status Protocol (OCSP) is now supported by Application Gateway. Let's discuss here how to set up OCSP and validate the setup with the openssl command. With OCSP support you can verify the status of the client certificate in real time. This can prevent man-in-the-middle attacks by ensuring that the certificate being presented is still valid and has not been compromised. You can get more details about OCSP in RFC 2560 (since obsoleted by RFC 6960, which keeps the same protocol). It is straightforward to set up. When a client initiates a connection to an Application Gateway configured with mutual TLS authentication, not only can the certificate chain and the issuer's distinguished name be validated, but the revocation status of the client certificate can also be checked with OCSP. During validation, the certificate presented by the client is looked up via the OCSP responder defined in its Authority Information Access (AIA) extension. If the client certificate has been revoked, the application gateway responds to the client with an HTTP 400 status code and reason. If the certificate is valid, the request continues to be processed by the application gateway and is forwarded on to the defined backend pool.

Please check the OCSP link to enable this capability. I've summarized the PowerShell commands to set up OCSP.

$AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"

$profile = Get-AzApplicationGatewaySslProfile -Name "SslProfile01" -ApplicationGateway $AppGw

Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP

Once you've set up OCSP, you can verify your client certificate against the OCSP endpoint using the openssl command.

  • openssl ocsp -issuer <ca-bundle> -cert client.crt -text -url <http://FQDN>

ca-bundle: the certificate authority (CA) certificate that issued the client certificate (uploaded per step 8 of the link in our previous blog)

client.crt: the client certificate

url: the OCSP endpoint URL. If you do not know what the URL is, you can find the OCSP endpoint of the client certificate by using the following command:

  • openssl x509 -in client.crt -text | grep -i OCSP

OCSP - URI:http://ocsp.sectigo.com

Screenshot of the openssl command showing the status of the client certificate verification.

You should see the following response if the certificate is valid:

Response verify OK

client.crt: good

After verifying your client certificate against the OCSP endpoint, you can verify the traffic path by sending a request to the Application Gateway that has the OCSP check enabled.

  • curl -vk https://yourdomain.com --key client.key --cert client.crt

If the certificate is not a valid client certificate, OCSP responds with either "revoked" or "unknown". Below is the error for an "unknown" certificate.

Conclusion

In this blog we've discussed two use cases that Application Gateway supports. You have learned how to send the client certificate to the backend as an HTTP header and verify the setup by using the curl command. You've also learned how to set up OCSP and verify the setup with the openssl command line.

Learn extra and get began with Azure Application Gateway
