Client certificate needed for mTLS on the Azure Application Gateway

Sumit Gaur 345 Reputation points
2025-10-03T17:23:39.4733333+00:00

Hi,

We have a requirement to configure mTLS with a client for one of our APIs. Our setup uses Azure Application Gateway to route public traffic to a backend Azure API Management instance.

While reviewing the documentation, I noticed it mentions configuring the client CA certificate on a new custom SSL policy and linking it to the HTTPS listener. However, it doesn't clearly specify what type of certificate is required from the client side, or maybe I am not able to understand it clearly.

Could you clarify:

  1. What type of client certificate do we need from the customer to configure mTLS on our side?
  2. Is this the same certificate that we configure on Application Gateway or APIM for custom domains (i.e., the one downloadable from a browser), or is it a different certificate issued by a CA for the client, like a .pfx file?

Answer accepted by question author
    Thanmayi Godithi 1,635 Reputation points, Microsoft External Staff Moderator
    2025-10-03T18:27:05.57+00:00

    Hi @Sumit Gaur,

    Thank you for reaching out on Microsoft Q&A forum.

    I understand you are configuring mutual TLS (mTLS) on your Application Gateway → API Management setup, and you’d like clarification on what type of client certificate is required.

    When configuring mTLS, Application Gateway requires the trusted client CA certificate(s) to be uploaded. These certificates are used to validate the client certificates presented by your customers during the TLS handshake.
    Mutual authentication overview – Microsoft Docs

    It’s also important that you upload the CA chain (root and intermediate CAs) and not just a leaf certificate. Microsoft’s troubleshooting guide states:

    “If you upload a certificate chain with only a leaf certificate without a CA certificate, the Application Gateway can’t validate client certificates.”
    Troubleshoot mutual authentication – Microsoft Docs

    The certificate you use for custom domains on Application Gateway or APIM (a .pfx with private key) is a server TLS certificate. It’s presented by the gateway to prove its identity to clients (e.g., api.contoso.com).

    The trusted client CA certificate you upload for mTLS is different. It is not the client's private certificate or .pfx file, but the public CA certificate chain that issued the client's certificate. This allows Application Gateway to validate that any incoming client certificates are signed by a trusted CA.

    So, you can request your customer to provide the root or intermediate CA certificate chain that issued their client authentication certificate and upload that CA chain to the Application Gateway’s SSL profile.

    Continue using your existing server TLS .pfx certificate separately for the HTTPS listener and APIM custom domains.

    This ensures that Application Gateway validates client certificates correctly during handshake, while still presenting your own server identity to the client.

    Kindly let us know if the above helps or you need further assistance on this issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
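As an added example (not part of the question, the accepted answer, or Microsoft's documentation), the shell script below does the checks a practitioner would want to run on a customer-supplied bundle before uploading it as a trusted client CA certificate. It builds a throwaway sample PKI with openssl (root CA, intermediate CA, client leaf; all constructed data with arbitrary names), confirms that every certificate in the bundle to be uploaded is a CA certificate rather than a leaf, and then runs the same chain validation the gateway performs during the handshake, showing that a leaf-only bundle and an intermediate without its root are both rejected. It assumes only that openssl 1.1.1 or later is on the PATH; the Azure upload step itself is not shown.

```shell
#!/bin/sh
# Added example, not from the Q&A thread or Microsoft documentation.
# Pre-upload checks for a trusted client CA bundle destined for an
# Application Gateway SSL profile. Assumes openssl (1.1.1+) on PATH.
# The whole PKI below is constructed sample data with arbitrary names.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_inter ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# Sample PKI: root CA -> intermediate CA -> client leaf (what the customer presents).
make_sample_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config pki.cnf \
    -subj "/CN=Contoso Root CA" -extensions v3_ca \
    -keyout root.key -out root.crt >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=Contoso Issuing CA" -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions v3_inter -out inter.crt >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
    -subj "/CN=customer-client-01" -keyout client.key -out client.csr >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions v3_client -out client.crt >/dev/null 2>&1
  cat root.crt inter.crt > ca-chain.pem   # what should be uploaded (root + intermediate)
  cp inter.crt inter-only.pem             # incomplete chain: root missing
  cp client.crt leaf-only.pem             # the mistake the troubleshooting guide warns about
}

# Check 1: every certificate in the bundle must be a CA certificate (CA:TRUE).
# A customer who exports "their certificate" from a browser usually hands over
# the leaf; that must not be uploaded as a trusted client CA.
bundle_is_ca_only() {
  bundle="$1"
  parts=$(mktemp -d)
  # Split the concatenated PEM into one file per certificate.
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/cert-" n ".pem") }' "$bundle"
  for f in "$parts"/cert-*.pem; do
    [ -f "$f" ] || { echo "$bundle: no certificates found" >&2; return 1; }
    if ! openssl x509 -in "$f" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
      echo "$bundle: not a CA certificate: $(openssl x509 -in "$f" -noout -subject 2>/dev/null)" >&2
      return 1
    fi
  done
  return 0
}

# Check 2: the validation the gateway performs during the handshake. Does the
# customer's client certificate chain up to the uploaded bundle? This fails for
# a leaf-only bundle and for an intermediate without its self-signed root.
client_cert_verifies() {   # $1 = client certificate, $2 = uploaded bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_sample_pki
for b in ca-chain.pem inter-only.pem leaf-only.pem; do
  if bundle_is_ca_only "$b"; then echo "$b: CA-only bundle"; else echo "$b: contains a non-CA certificate"; fi
  if client_cert_verifies client.crt "$b"; then echo "$b: client certificate verifies"; else echo "$b: client certificate rejected"; fi
done
```

Only ca-chain.pem passes both checks. inter-only.pem is CA-only but the client certificate still does not verify, because the chain never reaches a self-signed root, which is why the answer asks for the whole issuing chain and not a single CA certificate. Run the same two checks on the real bundle and on a real client certificate from the customer before touching the SSL profile.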

