About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types:
- windows_first
- powershell_heavy
- windows_tools
- missing_linux_example
Summary:
The documentation demonstrates a Windows bias in several areas. When discussing certificate conversion for client certificate authentication, PowerShell is presented as the primary tool, with detailed steps and syntax. Only as a troubleshooting note is OpenSSL mentioned, and even then, the guidance is less detailed and focuses on resolving errors rather than providing a Linux/Unix-first workflow. There are no Linux shell or OpenSSL command-line examples for the main certificate conversion task, and no mention of Linux-native tools or workflows for other tasks (e.g., base64 encoding, file manipulation). The documentation assumes access to Windows tools and environments, omitting equivalent Linux guidance.
Recommendations:
- Provide Linux/Unix shell and OpenSSL command-line examples alongside or before PowerShell examples for tasks such as converting and encoding certificates.
- When referencing file paths, use both Windows (C:\path) and Linux (/home/user/path) formats.
- Explicitly mention Linux-native tools (e.g., base64, openssl) for encoding and certificate manipulation, and provide step-by-step instructions.
- Where troubleshooting steps involve OpenSSL, offer full command-line workflows for Linux users, not just error resolution.
- Review other sections for implicit Windows assumptions (e.g., screenshots, terminology) and ensure parity for Linux users.
Flagged Code Snippets
<a name="client-certificate-authentication"></a>
#### Client certificate authentication
[Client certificate authentication](/entra/identity/authentication/concept-certificate-based-authentication) allows or requires users to authenticate directly with X.509 certificates against their Microsoft Entra ID for applications and browser sign-in. This capability helps you adopt phishing-resistant authentication and authenticate with an X.509 certificate against your Public Key Infrastructure (PKI).
> [!IMPORTANT]
>
> For optimal security, Microsoft recommends using [Microsoft Entra ID](/entra/identity/authentication/overview-authentication)
> with [managed identities](/entra/identity/managed-identities-azure-resources/overview) for authentication when possible.
> This option provides superior security without having to provide credentials. Azure manages this identity and helps keep
> authentication information secure so that you don't have to manage this sensitive information. To set up a managed identity
> for Azure Logic Apps, see [Authenticate access and connections to Azure resources with managed identities in Azure Logic Apps](authenticate-with-managed-identity.md).
If the **Client certificate** option is available and selected, specify these property values:
| Property (designer) | Property (JSON) | Required | Value | Description |
|---------------------|-----------------|----------|-------|-------------|
| **Authentication** | `type` | Yes | **Client certificate** <br>or <br>`ClientCertificate` | The authentication type to use. You can manage certificates with [Azure API Management](../api-management/api-management-howto-mutual-certificates.md). <br><br>**Note**: Custom connectors don't support certificate-based authentication for both inbound and outbound calls. |
| **Pfx** | `pfx` | Yes | <*encoded-pfx-file-content*> | The base64-encoded content from a Personal Information Exchange (PFX) file. <br><br>To convert the PFX file into base64-encoded format, you can use PowerShell 7 by following these steps: <br><br>1. Save the certificate content into a variable: <br><br> `$pfx_cert = [System.IO.File]::ReadAllBytes('c:\certificate.pfx')` <br><br>2. Convert the certificate content by using the `ToBase64String()` function and save that content to a text file: <br><br> `[System.Convert]::ToBase64String($pfx_cert) \| Out-File 'pfx-encoded-bytes.txt'` <br><br>**Troubleshooting**: If you use the `cert mmc/PowerShell` command, you might get this error: <br><br>`Could not load the certificate private key. Please check the authentication certificate password is correct and try again.` <br><br>To resolve this error, try converting the PFX file to a PEM file and back again by using the `openssl` command: <br><br>`openssl pkcs12 -in certificate.pfx -out certificate.pem` <br>`openssl pkcs12 -in certificate.pem -export -out certificate2.pfx` <br><br>Afterwards, when you get the base64-encoded string for the certificate's newly converted PFX file, the string now works in Azure Logic Apps. |
| **Password** | `password`| No | <*password-for-pfx-file*> | The password for accessing the PFX file |
> [!NOTE]
>
> If you try to authenticate with a client certificate using OpenSSL, you might get the following error:
>
> `BadRequest: Could not load private key`
>
> To resolve this error, follow these steps:
>
> 1. Uninstall all OpenSSL instances.
> 2. Install OpenSSL version 1.1.1t.
> 3. Re-sign your certificate using the new update.
> 4. Add the new certificate to the HTTP operation when using client certificate authentication.
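
The encoding steps in the **Pfx** row and the private-key errors described above can be checked locally before the value is pasted into a workflow. The following PowerShell 7 function is an added example, not part of the Azure documentation; the name `ConvertTo-EncodedPfx`, its parameters, and the file paths are assumptions for illustration.

```powershell
# Added example, not from the Azure documentation; all names and paths are illustrative.
function ConvertTo-EncodedPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $OutPath
    )

    # .NET file APIs ignore the PowerShell location, so resolve the path first.
    $fullPath = (Resolve-Path -LiteralPath $PfxPath).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($fullPath)

    # Open the PFX locally so a wrong password or unreadable key surfaces here.
    try {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $Password)
    }
    catch {
        throw "Cannot open '$PfxPath' with the supplied password: $($_.Exception.Message)"
    }

    try {
        if (-not $cert.HasPrivateKey) {
            throw "'$PfxPath' has no private key, so it cannot authenticate a client."
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            throw "Certificate expired on $($cert.NotAfter.ToString('u'))."
        }

        # Write only the base64 text: ASCII, no trailing newline.
        $encoded = [System.Convert]::ToBase64String($bytes)
        Set-Content -LiteralPath $OutPath -Value $encoded -NoNewline -Encoding ascii

        # Return metadata only; the encoded key material stays in the file.
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            OutputFile = $OutPath
        }
    }
    finally {
        $cert.Dispose()
    }
}

# Usage (prompts for the password instead of placing it on the command line):
# ConvertTo-EncodedPfx -PfxPath ./certificate.pfx -OutPath ./pfx-encoded-bytes.txt -Password (Read-Host -Prompt 'PFX password' -AsSecureString)
```

The output file holds the private key in password-protected form, so store it like any other secret and delete it once the value is in a secured parameter. A successful local load confirms the password and key are readable on this machine; it does not by itself guarantee that the service accepts the file.
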
When you use [secured parameters](#secure-action-parameters) to handle and secure sensitive information, for example, in an [Azure Resource Manager template for automating deployment](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md), you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication `type` as `ClientCertificate` and uses the [parameters() function](../logic-apps/workflow-definition-language-functions-reference.md#parameters) to get the parameter values: