How do you get multiple certificates (not part of a chain) into a truststore?


If you have multiple clients who each sign their own SAML assertions, how do you get more than one certificate into a truststore? When you attempt to post a new cert (into a keystore/alias), the request fails with a message about the cert already existing.


Hi @Michael Atkins,

I just used the Management APIs to upload multiple self-signed certificates in PEM format to a Truststore that I created. I did not run into any errors when I did the following:

  1. Using openssl, created a self-signed certificate for "Client A" and saved it as clienta.pem
  2. Using openssl, created a self-signed certificate for "Client B" and saved it as clientb.pem
  3. Created a brand new TrustStore in my Apigee Edge environment using the Create Truststore API
  4. Used the Upload a Certificate to a Truststore API to upload clienta.pem with an alias of "clienta"
  5. Used the same upload API to upload clientb.pem with an alias of "clientb"
  6. Just to see if I would get an error about a cert already existing, I used the same upload API to upload clienta.pem again, but with an alias of "clientc"

Are you attempting to post a new cert using the same or different alias? What specific error message are you getting?

Thank you @pparekh!!

My understanding was that a Truststore is simply a keystore/alias combination. Are you saying that the alias applies to the certificate and not the store?

If so, I think we simply misunderstood the documentation.

Thank you for responding!

@pparekh We need multiple certificates in the same truststore. We have one SAML validation policy that will auth requests from multiple clients who each sign their own assertions. Therefore, I think we need to use the same alias for all the pem files, right?

@Michael Atkins - An alias is a required parameter for uploading a certificate to the truststore when using the Upload a Certificate to a Truststore Management API. The alias uniquely identifies a certificate in a given truststore. You cannot use the same alias for multiple certificates since that prevents you from retrieving a specific certificate if/when required.

For the Validate SAML Assertion policy, the configuration, shown below, simply requires the name of the truststore where all the trusted certificates can be found. You don't need to include any specific alias(es) that the policy should use to validate the assertions.

<ValidateSAMLAssertion name="SAML" ignoreContentType="false">
  <Source name="request">
    <Namespaces>
      <Namespace prefix='soap'>http://schemas.xmlsoap.org/soap/envelope/</Namespace>
      <Namespace prefix='wsse'>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</Namespace>
      <Namespace prefix='saml'>urn:oasis:names:tc:SAML:2.0:assertion</Namespace>
    </Namespaces>
    <XPath>/soap:Envelope/soap:Header/wsse:Security/saml:Assertion</XPath>
  </Source>
  <TrustStore>TrustStoreName</TrustStore>
  <RemoveAssertion>false</RemoveAssertion>
</ValidateSAMLAssertion>

So, in your case, upload each trusted certificate using a different alias into the truststore and then reference that truststore in the Validate SAML Assertion policy.

Thank you @pparekh. <TrustStore>TrustStoreName</TrustStore>: the value is the same as the KeyStore name, correct? In the Admin UI, every alias becomes a TrustStore entry under a KeyStore. So they appear to be different TrustStores and have a 1:1 relationship to aliases.

Does that make sense?

@Michael Atkins, yes, you need to specify the keystore name here. I understand that the way truststores are displayed on the UI is confusing and am logging an enhancement request for the same.