Trend Micro Cloud One™

Enable Incoming Client Certificates

Risk level: Medium (should be achieved)
Rule ID: AppService-008

Ensure that your Microsoft Azure App Service web applications are configured to request an SSL certificate for all incoming requests, for security and compliance purposes. Once the feature is enabled, only web clients that present a valid SSL certificate will be able to reach your application. By default, incoming client certificates are disabled for Azure App Service web applications.

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

SSL/TLS mutual authentication, as used in enterprise cloud environments, lets the application server verify the identity of its web clients. If incoming client certificates are enabled, only a client that authenticates with a valid SSL certificate can access the web application.

Audit

To determine if your Azure App Service web applications are configured to use incoming client certificates, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the App Service web application that you want to examine.

04 In the navigation panel, under Settings, select TLS/SSL settings to access the TLS/SSL configuration settings available for the selected application.

05 On the TLS/SSL settings panel, in the Protocol Settings section, check the Incoming client certificates setting. If Incoming client certificates is set to Off, the selected Microsoft Azure App Service web application is not configured to use an SSL certificate for incoming requests.

06 Repeat steps no. 3 – 5 for each Azure App Service web application deployed in the current subscription.

07 Repeat steps no. 3 – 6 for other subscriptions created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp list command (Windows/macOS/Linux) using custom query filters to list the IDs of all App Service web applications available in your Azure subscription:

az webapp list \
	--query '[*].id'

02 The command output should return the requested web application IDs:

[
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app",
"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-main-webapp"
]

03 Run webapp show command (Windows/macOS/Linux) using the ID of the web app that you want to examine as the identifier parameter, together with a custom query filter, to obtain the "Incoming client certificates" feature status for the selected web application:

az webapp show \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" \
	--query 'clientCertEnabled'

04 The command output should return the requested feature status available for the specified web app (true for enabled, false for disabled):

false

If the webapp show command output returns false, as shown in the output example above, the selected Microsoft Azure App Service web application is not configured to use an SSL certificate to authenticate incoming client requests.

05 Repeat steps no. 3 and 4 for each Azure App Service application deployed within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To update the TLS/SSL configuration settings for your Microsoft Azure App Service web applications in order to enable incoming client certificates, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to App Services blade at https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Web%2Fsites.

03 Click on the name of the web application that you want to reconfigure (see Audit section part I to identify the right application).

04 In the navigation panel, under Settings, select TLS/SSL settings to access the TLS/SSL configuration settings available for the selected web application.

05 On the TLS/SSL settings panel, in the Protocol Settings section, select On next to Incoming client certificates to enable the "Incoming client certificates" feature for the selected application. Once the feature becomes active, the Azure Management Console should display the following confirmation message: "Successfully enabled client certificate".

06 Repeat steps no. 3 – 5 for each Azure App Service web application that you want to reconfigure to enable incoming client certificates, available within the current subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run webapp update command (Windows/macOS/Linux) using the ID of the Microsoft Azure App Service web application that you want to reconfigure as the identifier parameter (see Audit section part II to identify the right app) to enable the "Incoming client certificates" feature for the selected web application:

az webapp update \
	--ids "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app" \
	--set clientCertEnabled=true

02 The command output should return the reconfigured Azure App Service web application metadata:

{
  "availabilityState": "Normal",
  "clientAffinityEnabled": false,
  "clientCertEnabled": true,
  "clientCertExclusionPaths": null,
  "cloningInfo": null,
  "containerSize": 0,
  "dailyMemoryTimeQuota": 0,
  "defaultHostName": "cc-ecommerce-app.azurewebsites.net",
  "enabled": true,
  "geoDistributions": null,
  "hostNamesDisabled": false,
  "hostingEnvironmentProfile": null,
  "httpsOnly": false,
  "hyperV": false,
  "identity": null,
  "inProgressOperationId": null,
  "isDefaultContainer": null,
  "isXenon": false,

  ...

  "kind": "app,linux",
  "lastModifiedTimeUtc": "2019-09-23T10:15:23.180000",
  "location": "West Europe",
  "maxNumberOfWorkers": null,
  "name": "cc-ecommerce-app",
  "redundancyMode": "None",
  "repositorySiteName": "cc-ecommerce-app",
  "reserved": true,
  "resourceGroup": "cloud-shell-storage-westeurope",
  "scmSiteAlsoStopped": false,
  "siteConfig": null,
  "slotSwapStatus": null,
  "state": "Running",
  "suspendedTill": null,
  "tags": null,
  "targetSwapSlot": null,
  "trafficManagerHostNames": null,
  "type": "Microsoft.Web/sites",
  "usageState": "Normal"
}

03 Repeat steps no. 1 and 2 for each Microsoft Azure App Service application that you want to reconfigure in order to enable incoming client certificates, available in the current subscription.

04 Repeat steps no. 1 – 3 for each subscription created within your Microsoft Azure cloud account.
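The Azure CLI audit (part II of the Audit section) and the CLI remediation above are repeated per web app and per subscription; the script below, an added example that is not Cloud Conformity's own tooling, wraps the same az commands in one loop. It assumes a working az login, that az account list, az webapp list with a JMESPath --query, and az webapp update --set clientCertEnabled=true behave as shown on this page, and that clientCertEnabled is printed as true (json) or True (tsv). Anything missing or unparseable is treated as non-compliant, so the audit fails closed.

```shell
#!/bin/sh
# Added example (not Cloud Conformity's tooling): audit, and optionally enable,
# "Incoming client certificates" on every App Service web app in every enabled
# subscription visible to the signed-in Azure CLI identity.
#
#   sh client-certs.sh audit        # print non-compliant web app ids
#   sh client-certs.sh remediate    # also enable clientCertEnabled on each of them
#
# Assumes `az login` has been done; the az commands are the ones from the rule above.
set -eu

TAB=$(printf '\t')

# Returns 0 when the value az prints for clientCertEnabled means "enabled".
# json output prints "true", tsv output prints "True"; accept both, reject all else.
is_compliant() {
  case "$1" in
    true|True) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "id<TAB>clientCertEnabled" rows on stdin (the shape of
#   az webapp list --query '[].[id, clientCertEnabled]' --output tsv)
# and prints the ids whose feature is off, missing or unparseable (fail closed).
noncompliant_ids() {
  while IFS="$TAB" read -r id enabled; do
    [ -n "$id" ] || continue
    is_compliant "${enabled:-}" || printf '%s\n' "$id"
  done
}

# Prints the non-compliant web app ids of one subscription (audit steps 1-4).
audit_subscription() {
  az webapp list --subscription "$1" \
    --query '[].[id, clientCertEnabled]' --output tsv | noncompliant_ids
}

# Enables incoming client certificates on one web app (remediation step 1).
enable_client_certs() {
  az webapp update --ids "$1" --set clientCertEnabled=true --output none
}

main() {
  mode=$1
  # Enabled subscriptions only; disabled ones cannot be queried anyway.
  az account list --query "[?state=='Enabled'].id" --output tsv |
  while read -r sub; do
    [ -n "$sub" ] || continue
    audit_subscription "$sub" | while read -r app; do
      printf 'non-compliant: %s\n' "$app"
      if [ "$mode" = remediate ]; then
        enable_client_certs "$app"
        printf 'enabled client certificates on %s\n' "$app"
      fi
    done
  done
}

# Only run when invoked with a mode, so the functions can be sourced and tested.
case "${1:-}" in
  audit|remediate) main "$1" ;;
esac
```

Run the audit first and review its output before running remediate, since the change affects every listed app. Enabling the setting makes App Service request the certificate during the TLS handshake and forward it to the application; checking that the certificate is the expected one (issuer, thumbprint, validity period) remains the application's responsibility.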


Publication date Sep 30, 2019
