Client Certificate is not trusted in this subdomain and/or this endpoint explicitly

Our operations team has set up a number of virtual hosts with domains we own for hosting endpoints on our Cloud.

We have 3 virtual hosts:

  1. internal - to be used internally for integration purposes with the other departments in our organisation, like Siebel CRM...
  2. partner - for organisations with which we do business.
  3. public - as the name suggests

All communication is over TLS.

There is a new partner to whom we have exposed a new API proxy.

When a developer from their team tries to consume our proxy with Postman, all he gets is:

Client Certificate is not trusted in this subdomain and/or this endpoint explicitly

Their Postman console shows this, as seen in the attached image:

[attached image: clientrequest.jpg]

I see from the Apigee docs that:

  • A truststore is required when performing two-way TLS when Edge acts as the TLS server.

Do I need to manually create an entry for the client certificate in Admin > Environment > TLS Keystores? Please suggest. Thanks.

1 REPLY

If you've enabled Client Authorization in the virtual host that you're trying to consume, then you'll need to maintain a truststore too. To be able to validate incoming client certs, Apigee needs to assemble a chain of trust from the certs available in the virtual host truststore. Adding individual client certs (leaf) per consumer app can become challenging to maintain. You could keep things simple by just including the root and intermediate certs that you want to trust and perform some conditional validations with the client cert variables that are available in the flow. You'll find more information about this topic here.
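The following script is an added example, not part of the question, the reply, or any Apigee tooling. It reproduces locally with openssl what the reply describes: a truststore that holds only the partner's root cannot complete the chain for their leaf certificate, while a truststore holding root plus intermediate can, and a certificate with the same CN from an unrelated CA is still rejected. On top of the chain check it layers an issuer and subject-CN allow-list, standing in for the conditional checks on client cert flow variables the reply suggests. The whole PKI (Example Root CA, Example Issuing CA, partner-api-client, Rogue Root CA) and the allow-list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: builds a throwaway PKI with openssl and checks a client cert
# against two candidate truststores the way a TLS server with client auth would.
# All CA and client names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA: $1 = file base name, $2 = CN.
selfsigned_ca() {
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 365 >/dev/null 2>&1
}

# Issue cert $1 (CN=$2) signed by CA $3 using extension section $4.
issue() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -extfile "$CNF" -extensions "$4" \
        -out "$WORK/$1.pem" -days 365 >/dev/null 2>&1
}

selfsigned_ca root      "Example Root CA"
issue         inter     "Example Issuing CA" root      v3_ca
issue         partner   "partner-api-client" inter     v3_client
selfsigned_ca rogueroot "Rogue Root CA"
issue         rogue     "partner-api-client" rogueroot v3_client   # same CN, untrusted issuer

# Two candidate truststores: root only, and root + intermediate (what the reply recommends).
cat "$WORK/root.pem"                   > "$WORK/trust-root-only.pem"
cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/trust-root-and-inter.pem"

# Chain check: $1 = truststore PEM, $2 = client cert PEM. Only the given truststore is used.
verify_client() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# CN of the subject or issuer ($2 = subject|issuer) of cert $1.
cert_cn() {
    openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 \
        | sed -n 's/^[a-z]*=.*CN=\([^,]*\).*/\1/p'
}

# Conditional validation after the chain check: restrict to the partner's issuing CA
# and to allow-listed subject CNs (made-up allow-list).
ALLOWED_CNS="partner-api-client"
authorize_client() {
    verify_client "$1" "$2" || return 1
    [ "$(cert_cn "$2" issuer)" = "Example Issuing CA" ] || return 1
    for cn in $ALLOWED_CNS; do
        [ "$(cert_cn "$2" subject)" = "$cn" ] && return 0
    done
    return 1
}

for ts in trust-root-only trust-root-and-inter; do
    if verify_client "$WORK/$ts.pem" "$WORK/partner.pem"; then
        echo "$ts: partner chain OK"
    else
        echo "$ts: partner chain REJECTED (issuer not in truststore)"
    fi
done
if authorize_client "$WORK/trust-root-and-inter.pem" "$WORK/rogue.pem"; then
    echo "rogue cert accepted (unexpected)"
else
    echo "rogue cert rejected despite matching CN"
fi
```

The root-only truststore fails for the same reason the partner's Postman call does when the intermediate is missing: the server cannot build a path from the leaf to something it trusts. Running the partner's actual certificate through `verify_client` against the PEM bundle you intend to upload as the virtual host truststore is a quick way to confirm the bundle is complete before touching the environment.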