author dlepow
ms.service azure-api-management
ms.topic include
ms.date 01/29/2026
ms.author danlep
ms.custom sfi-image-nochange

Prerequisites for key vault integration

[!INCLUDE api-management-key-vault-access]

To create a certificate in the key vault or import a certificate to the key vault, see Quickstart: Set and retrieve a certificate from Azure Key Vault using the Azure portal.

[!INCLUDE api-management-key-vault-network]

Add a key vault certificate

See Prerequisites for key vault integration.

Important

To add a key vault certificate to your API Management instance, you must have permissions to list secrets from the key vault.

Caution

When using a key vault certificate in API Management, be careful not to delete the certificate, key vault, or managed identity that's used to access the key vault.

To add a key vault certificate to API Management:

  1. In the Azure portal, go to your API Management instance.

  2. Under Security, select Certificates.

  3. Select Certificates, then + Add.

  4. In Id, enter a name.

  5. In Certificate, select Key vault.

  6. Enter the identifier of a key vault certificate, or choose Select to select a certificate from a key vault.

    [!IMPORTANT]

    If you enter a key vault certificate identifier yourself, be sure that it doesn't have version information. Otherwise, the certificate won't rotate automatically in API Management after an update in the key vault.

  7. In Client identity, select a system-assigned identity or an existing user-assigned managed identity. For more information, see Use managed identities in Azure API Management.

    [!NOTE]

    The identity needs to have permissions to get and list certificates from the key vault. If you haven't already configured access to the key vault, API Management prompts you so that it can automatically configure the identity with the necessary permissions.

  8. Select Add.

    :::image type="content" source="../articles/api-management/media/api-management-howto-mutual-certificates/apim-client-cert-kv.png" alt-text="Screenshot that shows how to add a key vault certificate to API Management in the portal." lightbox="../articles/api-management/media/api-management-howto-mutual-certificates/apim-client-cert-kv.png":::

  9. Select Save.
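A pre-check for the versionless-identifier requirement in step 6, as an added example that is not part of the original article or of Microsoft's tooling. It assumes the `https://<vault-host>/<type>/<name>[/<version>]` identifier layout; the vault name, certificate name, and version string below are constructed sample values.

```python
from urllib.parse import urlsplit

# Key Vault object collections that can appear in an identifier path.
OBJECT_TYPES = {"certificates", "secrets", "keys"}

# Constructed sample identifiers (hypothetical vault and certificate names).
SAMPLES = [
    "https://contoso-kv.vault.azure.net/certificates/client-cert/0123456789abcdef0123456789abcdef",
    "https://contoso-kv.vault.azure.net/certificates/client-cert",
    "https://contoso-kv.vault.azure.net/secrets/client-cert/",
]


def check_identifier(identifier: str) -> dict:
    """Parse a Key Vault object identifier and report whether it pins a version."""
    parts = urlsplit(identifier.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("identifier must be an https URL")
    if parts.query or parts.fragment:
        raise ValueError("identifier must not carry a query or fragment")
    # Drop empty segments so a trailing slash is not mistaken for a version.
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0].lower() not in OBJECT_TYPES:
        raise ValueError("expected /<type>/<name>[/<version>]")
    obj_type, name = segments[0].lower(), segments[1]
    version = segments[2] if len(segments) == 3 else None
    return {
        "vault": parts.hostname,
        "type": obj_type,
        "name": name,
        "version": version,
        # A pinned version means no automatic rotation after a key vault update.
        "rotates": version is None,
        "versionless": f"https://{parts.hostname}/{obj_type}/{name}",
    }


def pinned(identifiers):
    """Return the identifiers that carry a version segment."""
    return [i for i in identifiers if not check_identifier(i)["rotates"]]


if __name__ == "__main__":
    for ident in pinned(SAMPLES):
        print("pinned:", ident, "->", check_identifier(ident)["versionless"])
```

Run it over identifiers collected from templates or change requests before they are entered in the portal; anything reported as pinned should be replaced with its versionless form.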

Upload a certificate

To upload a client certificate to API Management:

  1. In the Azure portal, go to your API Management instance.

  2. Under Security, select Certificates.

  3. Select Certificates, then + Add.

  4. In Id, enter a name.

  5. In Certificate, select Custom.

  6. Browse to select the certificate .pfx file, and enter its password.

  7. Select Add.

    :::image type="content" source="../articles/api-management/media/api-management-howto-mutual-certificates/apim-client-cert-add.png" alt-text="Screenshot of uploading a client certificate to API Management in the portal.":::

  8. Select Save.