How to secure back-end services using client certificate authentication in Azure API Management

API Management allows you to secure access to the back-end service of an API using client certificates. This guide shows how to manage certificates in the Azure API Management service instance in the Azure portal. It also explains how to configure an API to use a certificate to access a back-end service.

For information about managing certificates using the API Management REST API, see Azure API Management REST API Certificate entity.

Prerequisites

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

This guide shows you how to configure your API Management service instance to use client certificate authentication to access the back-end service for an API. Before following the steps in this article, you should have your back-end service configured for client certificate authentication (to configure certificate authentication in Azure App Service, refer to this article). You need access to the certificate and its password in order to upload it to the API Management service.

Upload a Certificate

Note

Instead of an uploaded certificate you can use a certificate stored in the Azure Key Vault service, as shown in this example.

Screenshot: Add client certificates

Follow the steps below to upload a new client certificate. If you have not created an API Management service instance yet, see the tutorial Create an API Management service instance.

  1. Navigate to your Azure API Management service instance in the Azure portal.

  2. Select Certificates from the menu.

  3. Click the + Add button.

    Screenshot: Add client certificates

  4. Browse for the certificate, then provide its ID and password.

  5. Click Create.

Note

The certificate must be in .pfx format. Self-signed certificates are allowed.

Once the certificate is uploaded, it appears in the Certificates list. If you have many certificates, make a note of the thumbprint of the desired certificate so that you can configure an API to use a client certificate for gateway authentication.

Note

To turn off certificate chain validation when using, for example, a self-signed certificate, follow the steps described in this FAQ item.

Delete a client certificate

To delete a certificate, click the context menu ... beside the certificate and select Delete.

Screenshot: Delete client certificates

If the certificate is in use by an API, a warning screen is displayed. To delete the certificate, you must first remove it from any APIs that are configured to use it.

Screenshot: Delete client certificates failure

Configure an API to use a client certificate for gateway authentication

  1. Click APIs from the API Management menu on the left and navigate to the API.

    Screenshot: Enable client certificates

  2. On the Design tab, click the pencil icon in the Backend section.

  3. Change the Gateway credentials to Client cert and select your certificate from the dropdown.

    Screenshot: Enable client certificates

  4. Click Save.

Warning

This change is effective immediately: calls to the operations of that API will use the certificate to authenticate to the back-end server.

Tip

When a certificate is specified for gateway authentication for the back-end service of an API, it becomes part of the policy for that API and can be viewed in the policy editor.

Self-signed certificates

If you are using self-signed certificates, you will need to disable certificate chain validation in order for API Management to communicate with the back-end system. Otherwise it will return a 500 error code. To configure this, use the New-AzApiManagementBackend (for a new back end) or Set-AzApiManagementBackend (for an existing back end) PowerShell cmdlet and set the -SkipCertificateChainValidation parameter to True.

# Build a context for the API Management instance (resource group and service name are placeholders)
$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'
# Register a new back end and skip chain validation so a self-signed back-end certificate is accepted
New-AzApiManagementBackend -Context $context -Url 'https://contoso.com/myapi' -Protocol http -SkipCertificateChainValidation $true
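As an added example that is not part of the original article: the same Az cmdlets used to list the uploaded client certificates (so the right thumbprint and expiry can be checked before binding one to an API) and to switch chain validation off for an existing back end, which the text above shows only for a new one. The resource group, service name and the backend ID 'contoso-backend' are assumed placeholders.

```powershell
# Added example, not from the original article. Assumes the resource group
# 'ContosoResourceGroup', the service 'ContosoAPIMService' and a back end with
# ID 'contoso-backend' already exist, and that a certificate was uploaded as
# described in "Upload a Certificate".
$context = New-AzApiManagementContext -ResourceGroupName 'ContosoResourceGroup' -ServiceName 'ContosoAPIMService'

# List the uploaded client certificates with their thumbprints so the desired
# one can be recorded before configuring the API's gateway credentials.
Get-AzApiManagementCertificate -Context $context |
    Select-Object CertificateId, Subject, Thumbprint, ExpirationDate |
    Format-Table -AutoSize

# Flag certificates that expire within 30 days: once the client certificate
# has expired, every call through that back end fails at the TLS handshake.
Get-AzApiManagementCertificate -Context $context |
    Where-Object { $_.ExpirationDate -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning "Certificate $($_.CertificateId) expires on $($_.ExpirationDate)" }

# For an EXISTING back end, skip chain validation only for the one back end
# that actually presents a self-signed certificate. The setting disables the
# check that would otherwise reject an untrusted server certificate, so keep
# it scoped to that back end instead of applying it more broadly.
$backendId = 'contoso-backend'
Set-AzApiManagementBackend -Context $context -BackendId $backendId -SkipCertificateChainValidation $true

# Read the back end back to confirm the change was applied.
Get-AzApiManagementBackend -Context $context -BackendId $backendId | Format-List
```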