Using a Client Certificate to authenticate via an Azure Logic App
Today we faced a problem where we needed to interface with a vendor’s SOAP API (*screams in old-person-ese*) which they protect using an internal PKI. They had provided us a certificate to use, but we found that actually using it in the Logic App we built was going to be a little more complicated than we originally expected.
Here’s what we did.
First, the vendor provided us the certificate in
.pem format, while Logic Apps expect to use
.pfx format in the HTTP actions, so we needed to convert it. Luckily, openssl makes this relatively easy:
openssl pkcs12 -export -out certificate.pfx -in certificate.pem -inkey key.pem -passin pass:examplepassword -passout pass:examplepassword
Next, we need to take the
.pfx-formatted certificate and base64 encode it:
cat certificate.pfx | base64
After removing any line breaks to make the result one continuous line of text, we now have a certificate we can pass to the vendor, but we don’t want to store that in the Logic App. It’s not secure and we want secure. What do we do now?
Within Azure, we create a Key Vault, and within that Key Vault we create a secret within which we place the base64-encoded, pfx-converted certificate.
Now we have everything we need to put this all together.
In the Logic App we create an action that reaches out to the Key Vault we created, requests the secret and sets the result as a variable called
PFXKey. We then create an HTTP action that uses “Client Certificate” as the authentication method, and the value of the
PFXKey variable as the variable. We set the password to the password of the certificate (
examplepassword in the example above) and we can now use a POST request type to send the data to the vendor, using Client Certificate authentication, all while keeping the certificate contents and its password secure.