Adding multiple certificate chains to a trust store


It is sometimes a requirement to support multiple client certificate chains when an Apigee virtual host is configured for 2-way SSL (mutual TLS). This can be done with a single trust store that is referenced by the virtual host: upload each certificate chain to that trust store following the usual process described in http://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/environments/%7Benv_name%7D.... Use a different alias for each certificate chain, since aliases must be unique within a trust store.

For example, suppose one client certificate is issued by the chain Root CA1 -> Intermediate CA1 and another by the chain Root CA2 -> Intermediate CA2. Upload the first chain into the trust store through the management API linked above under an alias, say alias1. Then upload the second chain the same way under a different alias, say alias2. Both client certificates will now be accepted by the virtual host during 2-way SSL authentication.

There is no need to upload each individual certificate issued by a chain into the trust store. As long as the chain is in the trust store, any certificate issued by that chain is accepted by the virtual host at run time. The flip side is worth stating plainly: the trust store decides only which issuers are trusted, so every certificate those CAs have issued (or will issue) is admitted at the handshake. If only particular clients should be allowed to call the API, that restriction has to be enforced separately from the trust store.

Notice also that the virtual host configuration does not take a trust store alias (unlike the keystore, where a key alias is required); it needs only the trust store name. This matches the fact that a single trust store referenced by a virtual host can hold multiple chains, one per alias.

This keeps the configuration manageable as new client certificate chains and client certificates are added: a new client certificate under an already trusted chain needs no trust store change at all, and a new chain is simply one more alias.

Comments
benrodriguez
New Member

The instructions were a little unclear, so I've set up two trust stores within a single keystore for two-way TLS and of course it's failing. I'll try the method mentioned in this article today to see if my issues are resolved. Is there ever a reason to have two trust stores in a single keystore?

Not applicable

If you upload 2 certificate chains with different aliases to a trust store as explained in this article, the UI would show them as though you've set up "2 trust stores in a keystore." Each alias / cert chain shows up as a trust store in the UI, and the trust stores show up under a keystore. You may need to restart the routers after uploading the chains to the trust store for the configuration to take effect.

One reason for actually creating a different trust store (in this case, it would show up under a different keystore in the UI) is to support 2-way SSL with the back-end target. You would use this trust store in the HTTPTargetConnection in the TargetEndpoint XML to support 2-way SSL with the back-end.

Version history
Last update: 10-09-2016 09:06 PM