How can I log the thumbprint of a certificate used in APIM mTLS communication

richmond eric-okolai 1 Reputation point
2024-12-11T14:28:47.9333333+00:00

I have configured mTLS authentication on APIM using the steps in the document. Now, after uploading the certificate to the APIM instance and then specifying its Thumbprint in the second when element, everything worked fine until recently, when requests on Postman using the correct certificate returned the status "Thumbprint Challenge Failed" when the wrong certificate is used.

<choose>
    <when condition="@(context.Request.Certificate == null)">
        <return-response>
            <set-status code="403" reason="Missing client certificate" />
        </return-response>
    </when>
    <when condition="@(context.Request.Certificate.Thumbprint != "")">
        <return-response>
            <set-status code="403" reason="Certificate present but Thumbprint Challenge Failed" />
        </return-response>
    </when>
</choose>

I am interested in seeing how I can log the context.Request.Certificate.Thumbprint so I can compare the thumbprint of the incoming request to what is supplied in the policy, to help with troubleshooting.

Azure API Management

1 answer

  1. Shireesha Eeraboina (Quadrant Resource LLC) 575 Reputation points Microsoft Vendor
    2024-12-31T07:11:57.05+00:00

    Hello @richmond eric-okolai ,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    To troubleshoot the Thumbprint challenge failure, log the thumbprint of the incoming certificate in your APIM policy. This will allow you to compare the thumbprint of the incoming request with the one specified in your policy.

    Here's how you can do it: first, use the trace policy to log the thumbprint of the incoming certificate. Below is an example of how you can modify your APIM policy to include logging:

    <choose>
        <when condition="@(context.Request.Certificate == null)">
            <return-response>
                <set-status code="403" reason="Missing client certificate" />
            </return-response>
        </when>
        <when condition="@(context.Request.Certificate.Thumbprint != "expected_thumbprint")">
            <!-- Log the thumbprint that failed the check before rejecting the request,
                 so it can be compared with expected_thumbprint. The source attribute
                 is required by the trace policy. -->
            <trace source="mtls-check" severity="information">
                <message>Rejected certificate thumbprint: @(context.Request.Certificate.Thumbprint)</message>
            </trace>
            <return-response>
                <set-status code="403" reason="Certificate present but Thumbprint Challenge Failed" />
            </return-response>
        </when>
        <otherwise>
            <trace source="mtls-check" severity="information">
                <message>Incoming certificate thumbprint: @(context.Request.Certificate.Thumbprint)</message>
            </trace>
            <!-- Your existing policy logic -->
        </otherwise>
    </choose>

    Now the trace policy logs the thumbprint of the incoming certificate.

    You can then check the logs to see the thumbprint and compare it with the expected thumbprint specified in your policy. Also, ensure that the thumbprint specified in your APIM policy matches the thumbprint of the certificate you uploaded.

    And make sure that the certificate you are using is still valid and has not expired.

    If you have any further queries, do let us know.

    Thank you.

    0 comments
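A complete inbound section that records the presented thumbprint on every path, including the rejection path, which is the one you need when troubleshooting a "Thumbprint Challenge Failed" response. This is an added example, not the original poster's policy or Microsoft's documentation sample. It assumes an APIM named value called client-cert-thumbprint holds the expected thumbprint (substituted textually as {{client-cert-thumbprint}} before the expression is compiled), and that the trace source name mtls-check is arbitrary; both are assumptions for this example. Because return-response aborts the pipeline, the second choose only ever runs with a non-null certificate.

```xml
<inbound>
    <base />
    <!-- Added example (not the page's original policy). Assumes a named value
         "client-cert-thumbprint" holding the expected SHA-1 thumbprint as uppercase
         hex without colons, which is the format .NET's X509Certificate2.Thumbprint returns. -->
    <choose>
        <!-- Null means either no certificate was sent, or the gateway never asked for one
             (client certificate negotiation not enabled on the hostname). -->
        <when condition="@(context.Request.Certificate == null)">
            <trace source="mtls-check" severity="information">
                <message>No client certificate presented</message>
            </trace>
            <return-response>
                <set-status code="403" reason="Missing client certificate" />
            </return-response>
        </when>
        <otherwise>
            <!-- Trace BEFORE deciding, so the failing thumbprint is recorded too. -->
            <trace source="mtls-check" severity="information">
                <message>@{
                    var cert = context.Request.Certificate;
                    return "client thumbprint=" + cert.Thumbprint
                        + " subject=" + cert.Subject
                        + " notAfter=" + cert.NotAfter.ToString("o")
                        + " expected={{client-cert-thumbprint}}";
                }</message>
                <metadata name="thumbprint" value="@(context.Request.Certificate.Thumbprint)" />
            </trace>
        </otherwise>
    </choose>
    <choose>
        <!-- Reject expired certificates explicitly rather than relying on the thumbprint alone. -->
        <when condition="@(context.Request.Certificate.NotAfter < DateTime.UtcNow)">
            <return-response>
                <set-status code="403" reason="Client certificate expired" />
            </return-response>
        </when>
        <!-- Case-insensitive compare: a lowercase value in the named value would otherwise
             never match the uppercase hex the gateway reports. -->
        <when condition="@(!string.Equals(context.Request.Certificate.Thumbprint, "{{client-cert-thumbprint}}", StringComparison.OrdinalIgnoreCase))">
            <return-response>
                <set-status code="403" reason="Certificate present but Thumbprint Challenge Failed" />
            </return-response>
        </when>
    </choose>
</inbound>
```

To know what value to expect, compute the thumbprint of the client certificate locally with `openssl x509 -in client.crt -noout -fingerprint -sha1` and strip the colons; a mismatch is very often just colons, whitespace, or the thumbprint of a different certificate in the chain. The trace message shows up in the request trace from the portal test console and, when Application Insights or resource logs are configured for the API with a verbosity that admits information-level traces, in those logs as well. Note that pinning a thumbprint alone does not validate the chain and breaks on every certificate rotation; if you need chain validation, the documented options are context.Request.Certificate.Verify() or checking against the certificates in context.Deployment.Certificates.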
