3

I am configuring an Azure App Gateway for mutual authentication (mTLS). This question is more generally about when and when not to use public vs internal CAs for client certificates / mutual authentication / mTLS. The use case here is allowing private API traffic from a specific client to a specific server.

The configuration of mutual authentication requires me to configure the server's SSL profile with a concatenated intermediate and root certificate to verify the client certificate during the TLS handshake. I have initially purchased a DigiCert client certificate, which means the server side receives the DigiCert intermediate and root certificate for verification. This just feels wrong for my use case.

With this setup, is this just going to accept ANY certificate from that DigiCert CA chain? (which presumably is quite a number of client certificates!) My intention is to restrict access to a specific client (+ redundant/DR clients). If I look at the output from the openssl handshake when configured in this way, I can see that my server is specifying the public intermediate and root certificates that it will accept, thus giving a hint as to where someone could go buy a certificate that would work.

If I am correct, what is the appropriate method to reduce down the number of clients/certificates that the server's client authentication will accept? An Internal CA issuing the certificate, or otherwise?

1 Answer

0

You can configure an Azure Application Gateway for mutual authentication with multiple options.

  • The Application Gateway may be configured to trust a single certificate.
  • The Application Gateway may be configured to trust the immediate issuer and trust all leaf certificates issued by that CA.

Which option you use is up to you. But when you opt for the second option, and the immediate issuer is not a CA that you control, then you don't control what is able to authenticate at the application gateway.

Sources from the documentation:

Application Gateway supports certificate based mutual authentication where you can upload a trusted client CA certificate(s) to the Application Gateway and the gateway will use that certificate to authenticate the client sending a request to the gateway.

And:

You have the option to verify the client certificate's immediate issuer and only allow the Application Gateway to trust that issuer. This option is off by default but you can enable this through Portal, PowerShell, or Azure CLI.

Daniel
  • 7,137
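The following script is an added example, not part of the question or the answer above, and it does not touch Azure at all. It models the three client-authentication trust models discussed here with throw-away certificates generated by openssl: trusting a public intermediate+root bundle (what the question describes), pinning the leaf's immediate issuer DN (the option the answer quotes from the documentation), and pinning one specific client certificate. The CA and client names ("Public Root", "Public Issuing CA", "Corp Internal CA", "my-api-client", "someone-else") are made up for the demo; it assumes openssl 1.1.1 or later on the PATH. The point it makes concrete is the answer's caveat: with a commercial CA, both the chain check and the issuer-DN check accept a stranger's certificate just as readily as yours, because the stranger bought theirs from the same issuing CA.

```shell
#!/bin/sh
# Added example (not from the original post): three client-cert trust models.
#   1. trust a public CA bundle     -> any cert that CA ever issued is accepted
#   2. pin the immediate issuer DN  -> only certs from that one issuing CA
#   3. pin the single leaf cert     -> only that one client
# All CA and client names below are invented for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/ext.cnf"

# Minimal openssl config: a CA profile and a TLS-client leaf profile.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# self_signed NAME CN -> NAME.key / NAME.crt (a root CA)
self_signed() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=$2" -days 30 \
        -config "$CFG" -extensions ca -out "$WORK/$1.crt"
}

# issue NAME CN ISSUER PROFILE SERIAL -> NAME.key / NAME.crt signed by ISSUER
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -config "$CFG" \
        -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -set_serial "$5" -days 30 -extfile "$CFG" -extensions "$4" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# A "public" hierarchy that sells certificates to anyone, and an internal one.
self_signed pubroot "Public Root"
issue pubint  "Public Issuing CA" pubroot ca   1001
issue me      "my-api-client"     pubint  leaf 1002   # the cert I bought
issue other   "someone-else"      pubint  leaf 1003   # bought by a stranger
self_signed corpca "Corp Internal CA"
issue corpme  "my-api-client"     corpca  leaf 2001   # issued by a CA I control
cat "$WORK/pubint.crt" "$WORK/pubroot.crt" > "$WORK/public-bundle.pem"
cp  "$WORK/corpca.crt"                       "$WORK/internal-bundle.pem"

# Model 1: verify the leaf against the concatenated intermediate+root bundle.
chain_accepts() {   # chain_accepts BUNDLE LEAF
    openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1
}

# Model 2: accept only if the leaf's issuer DN is exactly the expected one.
issuer_dn() {       # issuer_dn LEAF -> RFC 2253 issuer string
    openssl x509 -in "$WORK/$1.crt" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer= *//'
}
issuer_pinned() {   # issuer_pinned LEAF EXPECTED_DN
    [ "$(issuer_dn "$1")" = "$2" ]
}

# Model 3: pin the one enrolled certificate by its SHA-256 fingerprint.
fingerprint() {     # fingerprint LEAF
    out=$(openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256)
    printf '%s' "${out#*=}"
}
PINNED_FP=$(fingerprint me)   # recorded when the client was enrolled
leaf_pinned() {     # leaf_pinned LEAF
    [ "$(fingerprint "$1")" = "$PINNED_FP" ]
}

report() {          # report LABEL CMD... -> prints accept/REJECT, never aborts
    label=$1; shift
    if "$@"; then printf '%-38s accept\n' "$label"; else printf '%-38s REJECT\n' "$label"; fi
}
report "public bundle, my cert"          chain_accepts public-bundle.pem me
report "public bundle, stranger's cert"  chain_accepts public-bundle.pem other
report "issuer pin (public), my cert"    issuer_pinned me    "CN=Public Issuing CA"
report "issuer pin (public), stranger"   issuer_pinned other "CN=Public Issuing CA"
report "leaf pin, my cert"               leaf_pinned me
report "leaf pin, stranger's cert"       leaf_pinned other
report "internal bundle, internal cert"  chain_accepts internal-bundle.pem corpme
report "internal bundle, stranger's cert" chain_accepts internal-bundle.pem other
```

The first four lines of output are the answer to the question's "is this going to accept ANY certificate from that chain?": yes, and enabling the immediate-issuer check does not change that when the immediate issuer is a commercial issuing CA, because the stranger's certificate carries the same issuer DN. The last two lines show the effect of uploading a CA you control instead: only certificates that CA issued verify, and you decide who gets one. Pinning the single leaf is the tightest model but means re-pinning on every renewal, which is why an internal issuing CA plus the issuer check is the usual middle ground.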