July 13, 2024
Exploring mTLS setup to send a client certificate to the backend and OCSP validation | Azure Blog and Updates

In our previous blog we discussed what mutual transport layer security (mTLS) is and what some of its use cases are. In this blog I want to discuss two of those use cases: first, how to send a client certificate to the backend application server and validate the setup with a curl command, and second, how to set up OCSP validation and verify it with openssl commands.

Insert client certificate as HTTP header

In some cases, backend applications may need the client certificate that is received by Application Gateway. Client certificates can serve different purposes depending on the needs of the backend applications. Some backend servers may need client certificate information for audit purposes, or may want to issue a token or cookie to a client certificate. In that case we need to supply the client certificate to the backend. One way to solve this is by supplying the certificate in base64-encoded format inside a nonstandard HTTP (Hypertext Transfer Protocol) header. Please note, for security purposes and to prevent header injection, the backend server must accept the custom header only from the trusted Application Gateway. Let's first discuss how to send the client certificate to the backend application as a custom HTTP header. To achieve that, you can set up a rewrite rule to send the client certificate as an HTTP header.

Find more details on how to set up a rewrite rule in our rewrite URL and query string with Azure Application Gateway documentation.

Below is the rewrite rule that you can create to send the client certificate to the backend as an HTTP header. Set up the rewrite action as below.

Screenshot of Create rewrite set explaining values that need to be populated for Rewrite rule.


Once a rewrite rule is created, you can verify whether the backend server is receiving the client certificate in the HTTP header. To test the setup, the prerequisite is to have the openssl and curl tools installed on your machine. You should have access to the client certificate and the client private key.

Verification steps to check the client certificate in the custom HTTP header:

Grab the client certificate output.

Screen shot showing client certificate output.


Run the following command to send a request to Application Gateway:

  • curl -vk https://<yourdomain.com> --key client.key --cert client.crt

On the backend server you should see the header you created in the Application Gateway rewrite rule. You will need to run a network capture tool such as tcpdump on the backend server.

Screenshot shows Client certificate that backend has received


Above you can see the X-Client-cert header received by the backend, which we created in the rewrite rule. This header contains the client certificate that we sent. The backend server can extract this value and use it based on the desired use case.


Online Certificate Status Protocol (OCSP) is now supported by Application Gateway. Let's discuss here how to set up OCSP and validate the setup with the openssl command. With OCSP support you can verify the status of the client certificate in real time. This can prevent man-in-the-middle attacks by ensuring that the certificate being presented is still valid and has not been compromised. You can get more details about OCSP in RFC 2560. It's easy to set up. When a client initiates a connection to an Application Gateway configured with mutual TLS authentication, not only can the certificate chain and the issuer's distinguished name be validated, but the revocation status of the client certificate can also be checked with OCSP. During validation, the certificate presented by the client is looked up via the OCSP responder defined in its Authority Information Access (AIA) extension. In the event the client certificate has been revoked, the application gateway will respond to the client with an HTTP 400 status code and reason. If the certificate is valid, the request will continue to be processed by the application gateway and forwarded on to the defined backend pool.

Please check this OCSP link to enable this functionality. I've summarized the PowerShell commands to set up OCSP.

$AppGw = Get-AzApplicationGateway -Name "ApplicationGateway01" -ResourceGroupName "ResourceGroup01"

$profile = Get-AzApplicationGatewaySslProfile -Name "SslProfile01" -ApplicationGateway $AppGw

Set-AzApplicationGatewayClientAuthConfiguration -SslProfile $profile -VerifyClientCertIssuerDN -VerifyClientRevocation OCSP

Once you have set up OCSP, you can verify your client certificate against the OCSP endpoint using the openssl command.

  • openssl ocsp -issuer <ca-bundle> -cert client.crt -text -url <http://FQDN>

ca-bundle: the certificate authority (CA) that issued the certificate (uploaded per the link step 8 from our previous blog)

client.crt: the client certificate

url: the OCSP endpoint URL address. If you do not know what the URL is, you can find the OCSP endpoint of the client certificate by using the following command:

  • openssl x509 -in client.crt -text | grep -i OCSP


Screen shot of openssl command showing status of client certificate verification.


You should see the following response if the certificate is valid:

Response verify OK

client.crt: good

After verifying your client certificate against the OCSP endpoint, you can verify the traffic by sending a request to an Application Gateway that has the OCSP check enabled.

  • curl -vk https://yourdomain.com --key client.key --cert client.crt

In case the certificate is not a valid client certificate, OCSP will respond with either "revoked" or "unknown". Below is the error for an "unknown" certificate.
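The openssl check above can be scripted so that a certificate only counts as valid when the responder's signature verified and the status is "good". The following is an added example, not part of the original blog or of Azure tooling; the function names and the sample outputs are constructed for illustration, and stderr is merged into stdout so the verification line is captured wherever openssl writes it.

```shell
#!/bin/sh
# Added example: reduce `openssl ocsp` output to a single status word.
# The three sample outputs are constructed, not captured from a real responder.
SAMPLE_GOOD='Response verify OK
client.crt: good
    This Update: Jul 10 00:00:00 2024 GMT'
SAMPLE_REVOKED='Response verify OK
client.crt: revoked
    This Update: Jul 10 00:00:00 2024 GMT
    Revocation Time: Jul  1 00:00:00 2024 GMT'
SAMPLE_UNSIGNED='Response Verify Failure
client.crt: good'

# classify_ocsp CERT_NAME   (reads `openssl ocsp` output on stdin)
# Prints one of: good | revoked | unknown | unverified | no-status
classify_ocsp() {
  ocsp_out=$(cat)
  # Trust the status only if the responder's signature verified.
  if ! printf '%s\n' "$ocsp_out" | grep -qx 'Response verify OK'; then
    echo unverified
    return 0
  fi
  # The status line has the form "<cert file>: <status>"; match the prefix literally.
  ocsp_status=$(printf '%s\n' "$ocsp_out" |
    awk -v p="$1: " 'index($0, p) == 1 {
      split(substr($0, length(p) + 1), w, " "); print w[1]; exit }')
  case "$ocsp_status" in
    good|revoked|unknown) echo "$ocsp_status" ;;
    *) echo no-status ;;
  esac
}

# check_client_cert ISSUER_BUNDLE CERT
# Live check against the responder named in the certificate's AIA extension;
# succeeds only when the verified status is "good".
check_client_cert() {
  ocsp_url=$(openssl x509 -in "$2" -noout -ocsp_uri) || return 2
  [ -n "$ocsp_url" ] || { echo "no OCSP URL in AIA extension" >&2; return 2; }
  ocsp_result=$(openssl ocsp -issuer "$1" -cert "$2" -url "$ocsp_url" 2>&1 |
    classify_ocsp "$2")
  echo "$2: $ocsp_result"
  [ "$ocsp_result" = good ]
}
```

Calling `check_client_cert <ca-bundle> client.crt` before the curl test separates a revocation problem from a gateway configuration problem.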


In this blog we have discussed two scenarios that Application Gateway supports. You have learned how to send a client certificate to the backend as an HTTP header and verify the setup by using the curl command. You have also learned how to set up OCSP and verify the setup with the openssl command line.

Learn more and get started with Azure Application Gateway