Does Azure Key Vault support storing Client Certificates for mTLS authentication?
Example:
- I have an HTTP-triggered Azure Function (Python)
- Has
HTTPS: Yes
andClient Certificates: Required
enabled in the Function App - When user sends a request to the endpoint and passes their Client Certificate, I can read in the cert via the
X-ARR-ClientCert
header - I then want to create a
KeyVaultCertificate
client which will pull the client cert we have on file for said requestor and validate its propertiesnot_valid_before/after
issuer
common_name
ocsp_responder_url
- etc.
Problem:
- Key Vault seems to only allow the upload of server certificates, not client certs.
- It only allows
.pfx
or.pem
file extensions - If I'm not mistaken, a client cert would never be in
.pfx
format because it contains the private key - I tried to split the
.pfx
file into both.pem
(actual certificate) and.key
then upload only the.pem
, but Key Vault didn't like the format.
Does Key Vault handle client certs in this manner or should I just save them as KV Secrets and avoid KV Certificates altogether?
You are mistaken and all your assumptions are incorrect. Mutual TLS requires two sets of certificate and private key, one set for server and another for client. You cannot setup a mutual TLS with two certificates and one private key (like you describe).
Azure Key Vault perfectly supports any kind of certificate, including client and server authentication.