x509 certificates are heaven sent. They give us the capability to do mutual authentication, to secure back-end channels and to validate clients; in the end they are just a great security construct.
When building a professional API program, one must review the capabilities of the API Management appliance (SaaS) to secure the payloads. Having done some work with Azure API Management and x509 certificates, I know its shortcomings and key features, as well as techniques to relay the initial client certificate to the back-end channel even when that back-end channel is itself secured with an x509 certificate.
First and foremost, we will go over the different use cases.
A. Identifying the client in APIM
B. APIM securing a back-end channel via an x509 certificate
C. Both A and B, where the API will receive both x509 certificates: one to secure the back-end channel, and one to identify a client and possibly make decisions based on it
D. A developer trying to attach an x509 certificate in the developer portal in order to test an API
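As an added illustration of use case C (not code from the original post), the following inbound policy fragment rejects calls without a verifiable client certificate, relays the client's certificate identity to the back end in headers, and authenticates the back-end channel with a certificate held in APIM. The two thumbprints are placeholders, and it assumes the gateway hostname has client-certificate negotiation enabled and that the client's CA has been uploaded to the APIM certificate store.

```xml
<policies>
  <inbound>
    <base />
    <!-- Use case A: identify the client. context.Request.Certificate is null when
         the caller presented no certificate (or negotiation is disabled on the host). -->
    <choose>
      <when condition="@(context.Request.Certificate == null || !context.Request.Certificate.Verify())">
        <return-response>
          <set-status code="403" reason="Client certificate missing or not trusted" />
        </return-response>
      </when>
      <!-- Optional pinning to one known client; placeholder thumbprint (uppercase hex). -->
      <when condition="@(context.Request.Certificate.Thumbprint != "CLIENT-CERT-THUMBPRINT-PLACEHOLDER")">
        <return-response>
          <set-status code="403" reason="Client certificate not authorized" />
        </return-response>
      </when>
    </choose>
    <!-- Relay the client's identity to the back end, which never sees the client's TLS session. -->
    <set-header name="X-Client-Cert-Thumbprint" exists-action="override">
      <value>@(context.Request.Certificate.Thumbprint)</value>
    </set-header>
    <set-header name="X-Client-Cert-Subject" exists-action="override">
      <value>@(context.Request.Certificate.Subject)</value>
    </set-header>
    <!-- Use case B: APIM presents its own certificate to the back end (placeholder thumbprint). -->
    <authentication-certificate thumbprint="BACKEND-CERT-THUMBPRINT-PLACEHOLDER" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Because the relayed headers are set by the gateway, the back end should accept them only from the APIM channel it authenticates in the last step; a caller reaching the back end directly could otherwise supply them itself.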