I have an mTLS setup using Azure Application Gateway in front of an APIM instance. I would like to pass through the client certificate to APIM so that I can validate the thumbprint and or the subject.
I understand that in order to do this I must inject it into a header using a rewrite. E.g. using the "mutual authentication server variable" client_certificate.
Here's the rewrite setup I have (sorry, image uploads don't appear to be working at the moment):
| Field | Value |
|---|---|
| Rewrite type | Request Header |
| Action type | Set |
| Header name | Custom header |
| Custom header | X-ARR-ClientCert |
| Header value | {var_client_certificate} |
However, X-ARR-ClientCert is empty according to APIM. In fact, if I try to forward any of the mTLS server variables (https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url#mutual-authentication-server-variables), they are all empty.
Any idea why that might be?
If I try the same with a standard server variable, e.g. {var_http_method}, it's visible as expected in APIM.
The client certificate is definitely present in the request because it's visible as expected if I access the app service directly bypassing AG.
Naturally I answered my own question straight after... I had forgotten to set up and add an SSL Profile to my listener. Upon doing that with my combined CA certificate, I started seeing the details visible in APIM.
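As an added example (not from the original post or from Microsoft), this is the kind of check the backend behind the gateway can run on the forwarded header once the rewrite works: decode the PEM that {var_client_certificate} put into X-ARR-ClientCert and pin the caller by certificate fingerprint. It assumes the header may arrive URL-encoded or with collapsed newlines, and that the allowlist holds lowercase hex SHA-256 digests of the DER certificate (a hypothetical allowlist, not anything from the post).

```python
# Added example: validate a client certificate forwarded by Application Gateway
# in the X-ARR-ClientCert header. Not code from the original post.
# Assumptions: the header holds the PEM from {var_client_certificate}, possibly
# URL-encoded and/or with newlines collapsed or escaped; callers are pinned by
# the SHA-256 fingerprint of the DER-encoded certificate.
import base64
import binascii
import hashlib
import re
from typing import Optional
from urllib.parse import unquote

HEADER = "X-ARR-ClientCert"

# Hypothetical allowlist: lowercase hex SHA-256 fingerprints of trusted client certs.
TRUSTED_FINGERPRINTS = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(header_value: str) -> Optional[bytes]:
    """Decode the forwarded PEM into DER bytes; None for anything malformed."""
    if not header_value:
        return None
    text = unquote(header_value)              # harmless if the value was not encoded
    m = _PEM_RE.search(text)
    if not m:
        return None
    body = re.sub(r"\s+|\\n", "", m.group(1))  # drop real or escaped line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    return der or None


def fingerprint_sha256(der: bytes) -> str:
    """Lowercase hex SHA-256 over the DER certificate (the value to pin on)."""
    return hashlib.sha256(der).hexdigest()


def is_trusted_client(headers: dict, trusted=None) -> bool:
    """True only if the header carries a well-formed cert whose fingerprint is pinned."""
    trusted = TRUSTED_FINGERPRINTS if trusted is None else trusted
    der = pem_to_der(headers.get(HEADER, ""))
    if der is None:
        return False
    return fingerprint_sha256(der) in trusted
```

Because the App Service is also reachable directly (as noted above), the backend should honour this header only on requests that actually arrived through the gateway, for example by restricting network access to it; otherwise any caller could supply the header themselves.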