Can Azure Application Gateway pass through mTLS certificates without uploading and validating the CA?

Azure App Service can be configured to simply pass certificates through to the backend application, without validating the root CA. (Described here although the documentation is outdated at the time of writing). This is useful in the scenario where clients can opt in to use of mTLS and we simply want to validate that a client is using the same certificate they have previously provided to the application.
I can't work out if the same capability is possible with Azure Application Gateway. I understand that the Gateway can be configured to forward the certificate in a custom header, but it seems to only do this if the certificate's root CA is uploaded and validated. Is it possible to forward the certificate on to the backend pool without the root CA uploaded to Application Gateway?
Azure Application Gateway may require the root CA certificate to be uploaded and validated in order to forward client certificates to the backend pool. This ensures that the app service, which can pass through certificates without validating the root CA, does not support this capability. The Application Gateway only forwards trusted certificates, which involves validating the root CA. Follow the MS Doc for more details.
In order to configure mutual authentication with the client, or client authentication, Application Gateway requires a trusted client CA certificate chain to be uploaded to the gateway.
References:
- Overview of mutual authentication with Application Gateway
- Overview of TLS termination and end to end TLS with Application Gateway
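The pass-through scenario from the question, in which the platform forwards the client certificate without validating its chain and the backend application only checks that it is the same certificate the client enrolled with earlier, as an added Go example. This is not code from the original post, from the answer, or from Microsoft; it assumes the App Service convention of forwarding the client certificate base64-encoded in the X-ARR-ClientCert header, assumes the application stores a SHA-256 fingerprint of each enrolled certificate's DER encoding, and constructs its own self-signed certificates for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Header App Service uses to forward the client certificate (base64 DER).
// Assumption: only the platform sets this header and the app is not reachable
// directly, otherwise a caller could supply any certificate bytes they like.
const clientCertHeader = "X-ARR-ClientCert"

// verifyPinnedClient decodes the forwarded certificate and checks that its
// SHA-256 fingerprint equals the one stored at enrollment for this client.
// No chain validation is attempted: that is the point of the pass-through setup,
// so validity period and pinning are the only checks the backend can make.
func verifyPinnedClient(r *http.Request, pinnedHex string, now time.Time) (*x509.Certificate, error) {
	raw := r.Header.Get(clientCertHeader)
	if raw == "" {
		return nil, errors.New("no client certificate forwarded")
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("bad base64 in %s: %w", clientCertHeader, err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("bad certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("certificate outside validity period")
	}
	pinned, err := hex.DecodeString(pinnedHex)
	if err != nil || len(pinned) != sha256.Size {
		return nil, errors.New("stored fingerprint malformed")
	}
	sum := sha256.Sum256(cert.Raw)
	// Constant-time compare so a mismatch does not leak which bytes differed.
	if subtle.ConstantTimeCompare(sum[:], pinned) != 1 {
		return nil, errors.New("certificate does not match pinned fingerprint")
	}
	return cert, nil
}

// Fingerprint is what the app stores when a client first presents its certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// newSelfSignedDER builds a throwaway client certificate (constructed test data).
func newSelfSignedDER(cn string, notBefore time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// requestWithCert simulates what the platform hands the backend.
func requestWithCert(der []byte) *http.Request {
	r, _ := http.NewRequest("GET", "https://example.invalid/api", nil)
	r.Header.Set(clientCertHeader, base64.StdEncoding.EncodeToString(der))
	return r
}

func main() {
	now := time.Now()
	enrolled, _ := newSelfSignedDER("client-1", now.Add(-time.Hour))
	other, _ := newSelfSignedDER("client-1", now.Add(-time.Hour)) // same name, different key
	pin := Fingerprint(enrolled)
	if c, err := verifyPinnedClient(requestWithCert(enrolled), pin, now); err == nil {
		fmt.Println("accepted", c.Subject.CommonName)
	}
	if _, err := verifyPinnedClient(requestWithCert(other), pin, now); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The check deliberately pins the whole certificate rather than the subject name: with no CA to trust, the name inside the certificate proves nothing, and a second self-signed certificate with the same common name (as in `main`) must be rejected. Whatever front end is used, this only works if the forwarded header cannot be set by anyone other than that front end.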