diff --git a/docs/preview/features/powershell/azure-api-management.md b/docs/preview/features/powershell/azure-api-management.md
index af69de83..8d59c903 100644
--- a/docs/preview/features/powershell/azure-api-management.md
+++ b/docs/preview/features/powershell/azure-api-management.md
@@ -14,6 +14,7 @@ This module provides the following capabilities:
- [Removing all Azure API Management defaults from the instance](#removing-all-azure-api-management-defaults-from-the-instance)
- [Restoring an API Management service](#restoring-an-api-management-service)
- [Setting authentication keys to an API in the Azure API Management instance](#setting-authentication-keys-to-an-api-in-the-azure-api-management-instance)
+- [Uploading private certificates to the Azure API Management certificate store](#uploading-private-certificates-to-the-azure-api-management-certificate-store)
## Installation
@@ -201,3 +202,21 @@ Write-Host "Using API Management instance '$ServiceName' in resource group '$Res
Write-Host "Subscription key header 'my-api-key' was assigned"
Write-Host "Subscription key query parameter 'myApiKey' was assigned"
```
+
+## Uploading private certificates to the Azure API Management certificate store
+Uploads a private certificate to the Azure API Management certificate store, allowing authentication against backend services.
+
+| Parameter | Mandatory | Description |
+| --------------------- | --------- | --------------------------------------------------------------------------------------------- |
+| `ResourceGroupName` | yes | The resource group containing the Azure API Management instance |
+| `ServiceName` | yes | The name of the Azure API Management instance |
+| `CertificateFilePath` | yes | The full file path to the location of the private certificate |
+| `CertificatePassword` | yes | The password for the private certificate |
+
+**Example**
+
+```powershell
+PS> Upload-AzApiManagementCertificate -ResourceGroupName "my-resource-group" -ServiceName "my-api-management-instance' -CertificateFilePath "c:\temp\certificate.pfx" -CertificatePassword "P@ssw0rd"
+# Using API Management instance 'my-api-management-instance' in resource group 'my-resource-group'
+# Uploaded private certificate at 'c:\temp\certificate.pfx'
+```
diff --git a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psd1 b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psd1
index 7db00b5b..f8407426 100644
--- a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psd1
+++ b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psd1
@@ -74,7 +74,8 @@ FunctionsToExport = @(
'Backup-AzApiManagementService',
'Remove-AzApiManagementDefaults',
'Restore-AzApiManagementService',
- 'Set-AzApiManagementApiSubscriptionKey')
+ 'Set-AzApiManagementApiSubscriptionKey',
+ 'Upload-AzApiManagementCertificate')
# Cmdlets to export from this module
CmdletsToExport = '*'
diff --git a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psm1 b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psm1
index c65fa811..e2d03347 100644
--- a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psm1
+++ b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.psm1
@@ -317,3 +317,35 @@ function Set-AzApiManagementApiSubscriptionKey {
}
Export-ModuleMember -Function Set-AzApiManagementApiSubscriptionKey
+
+<#
+ .Synopsis
+ Uploads a certificate to the Azure API Management certificate store.
+
+ .Description
+ Uploads a private certificate to the Azure API Management certificate store, allowing authentication against backend services.
+
+ .Parameter ResourceGroupName
+ The name of the resource group containing the Azure API Management instance.
+
+ .Parameter ServiceName
+ The name of the Azure API Management instance.
+
+ .Parameter CertificateFilePath
+ The full file path to the location of the public certificate.
+
+ .Parameter CertificatePassword
+ The password for the private certificate.
+#>
+function Upload-AzApiManagementCertificate {
+ param(
+ [Parameter(Mandatory = $true)][string] $ResourceGroupName = $(throw "Resource group name is required"),
+ [Parameter(Mandatory = $true)][string] $ServiceName = $(throw "API management service name is required"),
+ [Parameter(Mandatory = $true)][string] $CertificateFilePath = $(throw "Full file path to the certificate is required"),
+ [Parameter(Mandatory = $true)][string] $CertificatePassword = $(throw "Password for certificate is required")
+ )
+
+ . $PSScriptRoot\Scripts\Upload-AzApiManagementCertificate.ps1 -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName -CertificateFilePath $CertificateFilePath -CertificatePassword $CertificatePassword
+}
+
+Export-ModuleMember -Function Upload-AzApiManagementCertificate
diff --git a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.pssproj b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.pssproj
index 996f1f45..d516a6a3 100644
--- a/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.pssproj
+++ b/src/Arcus.Scripting.ApiManagement/Arcus.Scripting.ApiManagement.pssproj
@@ -39,6 +39,7 @@
+
diff --git a/src/Arcus.Scripting.ApiManagement/Scripts/Upload-AzApiManagementCertificate.ps1 b/src/Arcus.Scripting.ApiManagement/Scripts/Upload-AzApiManagementCertificate.ps1
new file mode 100644
index 00000000..053d8595
--- /dev/null
+++ b/src/Arcus.Scripting.ApiManagement/Scripts/Upload-AzApiManagementCertificate.ps1
@@ -0,0 +1,13 @@
+param(
+ [Parameter(Mandatory = $true)][string] $ResourceGroupName = $(throw "Resource group name is required"),
+ [Parameter(Mandatory = $true)][string] $ServiceName = $(throw "API management service name is required"),
+ [Parameter(Mandatory = $true)][string] $CertificateFilePath = $(throw "Full file path to certificate is required"),
+ [Parameter(Mandatory = $true)][string] $CertificatePassword = $(throw "Password for certificate is required")
+)
+
+$context = New-AzApiManagementContext -ResourceGroupName $ResourceGroupName -ServiceName $ServiceName
+Write-Host "Using API Management instance '$ServiceName' in resource group '$ResourceGroupName'"
+
+Write-Verbose "Uploading private certificate at '$CertificateFilePath'..."
+New-AzApiManagementCertificate -Context $context -PfxFilePath $CertificateFilePath -PfxPassword $CertificatePassword
+Write-Host "Uploaded private certificate at '$CertificateFilePath'"
diff --git a/src/Arcus.Scripting.Tests.Unit/Arcus.Scripting.ApiManagement.tests.ps1 b/src/Arcus.Scripting.Tests.Unit/Arcus.Scripting.ApiManagement.tests.ps1
index 8a89ccb2..816a2368 100644
--- a/src/Arcus.Scripting.Tests.Unit/Arcus.Scripting.ApiManagement.tests.ps1
+++ b/src/Arcus.Scripting.Tests.Unit/Arcus.Scripting.ApiManagement.tests.ps1
@@ -716,6 +716,30 @@ Describe "Arcus" {
# Act
Set-AzApiManagementApiSubscriptionKey -ResourceGroupName $resourceGroup -ServiceName $serviceName -ApiId $apiId -HeaderName $apiKeyHeaderName -QueryParamName $apiKeyQueryParamName
+ # Assert
+ Assert-VerifiableMock
+ }
+ It "Uploads private certificate to API Management" {
+ # Arrange
+ $resourceGroup = "customer"
+ $name = "customer-name"
+ $filePath = "c:\temp\certificate.pfx"
+ $password = "P@ssw0rd"
+ $stubContext = New-Object -TypeName Microsoft.Azure.Commands.ApiManagement.ServiceManagement.Models.PsApiManagementContext
+
+ Mock New-AzApiManagementContext {
+ $ResourceGroupName | Should -Be $resourceGroup
+ $ServiceName | Should -Be $name
+ return $stubContext } -Verifiable
+
+ Mock New-AzApiManagementCertificate {
+ $Context | Should -Be $stubContext
+ $PfxFilePath | Should -Be $filePath
+ $PfxPassword | Should -Be $password } -Verifiable
+
+ # Act
+ Upload-AzApiManagementCertificate -ResourceGroupName $resourceGroup -ServiceName $name -CertificateFilePath $filePath -CertificatePassword $password
+
# Assert
Assert-VerifiableMock
}