As per the Google doc: https://docs.apigee.com/api-platform/system-administration/tls-vars, we can capture a set of TLS variables after successful mutual authentication, but I couldn't find the variables for certificate start and expiry dates. How can we capture those variables in an API proxy?
I think you are referring to the x509 certificate for the "remote peer" that is connected to Apigee via HTTPS / TLS. There are two kinds of remote peers - the client for an inbound client call, and the remote "backend" or "upstream" system that you might connect to, via a targetendpoint.
First, some qualifying remarks.
OK, if all of that is clear, then.... let's get to your question. Today there is no built-in way to examine the expiry of a certificate of a client. You do receive the raw certificate, which means you could de-serialize the cert and examine the expiry. If I were doing that, I'd build a Java callout to do the work. Deserializing a certificate from the raw form and extracting the expiry is relatively simple in Java. I don't have a working callout for you, but it should be not so difficult to do.
Here's a repo that parses X509 certificates. I *think* this will work with the raw certificate that is provided to the API Proxy via PropagateTLSInformation.
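An added example of the Java callout approach described above (not Dino's code and not the repo he links): it parses the raw client certificate and exposes its validity window as flow variables. It assumes the certificate text arrives in tls.client.raw.cert (the variable the linked doc lists for PropagateTLSInformation), that it may be either a PEM block or bare base64 DER, and that the clientcert.* output variable names are hypothetical.

```java
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

public class ClientCertExpiryCallout implements Execution {
    // Accepts either a PEM block (with BEGIN/END lines) or bare base64 DER;
    // which form the raw cert variable carries is an assumption, so both are handled.
    static X509Certificate parseCert(String raw) throws java.security.cert.CertificateException {
        byte[] der = raw.contains("-----BEGIN")
            ? raw.getBytes(StandardCharsets.US_ASCII)     // CertificateFactory reads PEM directly
            : Base64.getMimeDecoder().decode(raw.trim());  // bare base64 -> DER bytes
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext execCtxt) {
        try {
            String raw = msgCtxt.getVariable("tls.client.raw.cert");  // assumed variable name
            if (raw == null || raw.isEmpty()) {
                msgCtxt.setVariable("clientcert.error", "no client certificate on this connection");
                return ExecutionResult.ABORT;
            }
            X509Certificate cert = parseCert(raw);
            Instant notBefore = cert.getNotBefore().toInstant();
            Instant notAfter = cert.getNotAfter().toInstant();
            msgCtxt.setVariable("clientcert.not_before", notBefore.toString());
            msgCtxt.setVariable("clientcert.not_after", notAfter.toString());
            msgCtxt.setVariable("clientcert.days_until_expiry",
                String.valueOf(Duration.between(Instant.now(), notAfter).toDays()));
            // checkValidity() throws if "now" is outside [notBefore, notAfter]
            cert.checkValidity();
            msgCtxt.setVariable("clientcert.valid_now", "true");
            return ExecutionResult.SUCCESS;
        } catch (Exception e) {
            // Expired, not-yet-valid, or unparseable input; a downstream RaiseFault step decides the response
            msgCtxt.setVariable("clientcert.valid_now", "false");
            msgCtxt.setVariable("clientcert.error", e.toString());
            return ExecutionResult.ABORT;
        }
    }
}
```

Note that the router has already validated the client certificate against the truststore during the TLS handshake; this callout only surfaces the dates for policy or logging purposes.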
Hi Dino
Thanks for your answer. This triggers another question: what if the CA cert in the truststore has expired, will calls from clients whose certs were issued by this CA be allowed?
Thanks
You can try a management API call to get the details of an alias.