Edge does not validate backend certs. One must create a truststore to enforce validation of the certs of your targets, as described in the docs. Apigee does not provide a default truststore.
So one has to maintain their own truststore(s). Via the Edge UI, it seems only possible to import certs one by one. Via the management API, certs can be uploaded in an automated manner (we need to maintain the TrustStore in each of our 24+ org/envs).
And finally, one should never forget to configure <TrustStore> in each and every TargetConnection.
<HTTPTargetConnection>
  <Properties/>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>ref://ref-to-truststore</TrustStore>
  </SSLInfo>
</HTTPTargetConnection>
Questions:
Guy, great question.
It feels to me that maybe the docs could be expanded to cover some of this, but I dunno.
Regardless, here are some of my recommendations.
Source for certificates for root CAs:
The best source of root CAs is mkcert.org. I have mentioned mkcert on the Apigee community previously. It exposes an API through which you can grab certs. I have built a tool that downloads those certs and then puts them into an Apigee Truststore. It's linked in that prior post, and here is another link.
For ensuring that every proxy does the right thing - static analysis in your CI/CD pipeline is what you want.
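As an added example of the static check recommended above (not part of this thread, and not Apigee's or the answerer's tooling), the script below parses the TargetEndpoint XML of an exported proxy bundle and fails when an HTTPTargetConnection lacks SSLInfo with Enabled=true and a TrustStore, uses a plaintext http:// URL, or delegates TLS to a LoadBalancer/TargetServer where the bundle alone cannot prove validation is on. The sample TargetEndpoint documents are constructed for the demonstration; the bundle layout assumed is the standard apiproxy/targets/*.xml of an Edge export.

```python
"""CI check: every HTTPTargetConnection must enable TLS and name a TrustStore."""
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample TargetEndpoint documents (the ref://ref-to-truststore
# value mirrors the snippet in the question above).
GOOD_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
      <Enabled>true</Enabled>
      <TrustStore>ref://ref-to-truststore</TrustStore>
    </SSLInfo>
    <URL>https://backend.example.com/api</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""

NO_TRUSTSTORE = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo><Enabled>true</Enabled></SSLInfo>
    <URL>https://backend.example.com/api</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""

NO_SSLINFO = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>http://backend.example.com/api</URL>
  </HTTPTargetConnection>
</TargetEndpoint>"""

LOAD_BALANCED = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <LoadBalancer><Server name="backend-ts"/></LoadBalancer>
    <Path>/api</Path>
  </HTTPTargetConnection>
</TargetEndpoint>"""


def check_target_xml(xml_text, source="<string>"):
    """Return a list of finding strings for one TargetEndpoint document.
    An empty list means every HTTPTargetConnection enables TLS and names a
    TrustStore, so backend certificates will actually be validated."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("HTTPTargetConnection"):
        url = (conn.findtext("URL") or "").strip()
        if url.lower().startswith("http://"):
            findings.append(f"{source}: backend URL uses plaintext http://")
        ssl = conn.find("SSLInfo")
        if ssl is None:
            if conn.find("LoadBalancer") is not None:
                # TLS for TargetServers is configured on the TargetServer in each
                # environment, not in the bundle, so it cannot be verified here;
                # flag it for review rather than silently passing it.
                findings.append(f"{source}: LoadBalancer target; verify "
                                "SSLInfo/TrustStore on each TargetServer")
            else:
                findings.append(f"{source}: HTTPTargetConnection has no <SSLInfo>")
            continue
        if (ssl.findtext("Enabled") or "").strip().lower() != "true":
            findings.append(f"{source}: <SSLInfo><Enabled> is not true")
        if not (ssl.findtext("TrustStore") or "").strip():
            findings.append(f"{source}: <SSLInfo> has no <TrustStore>; "
                            "backend certificate will not be validated")
    return findings


def scan_bundle(bundle_dir):
    """Check every apiproxy/targets/*.xml under an exported proxy bundle."""
    findings = []
    targets_dir = os.path.join(bundle_dir, "apiproxy", "targets")
    for name in sorted(os.listdir(targets_dir)):
        if name.endswith(".xml"):
            path = os.path.join(targets_dir, name)
            with open(path, encoding="utf-8") as fh:
                findings.extend(check_target_xml(fh.read(), path))
    return findings


def main(argv):
    """Exit non-zero (failing the pipeline) if any finding is reported."""
    if len(argv) > 1:
        findings = scan_bundle(argv[1])
    else:  # no bundle given: run against the constructed samples
        findings = []
        for label, text in (("good", GOOD_TARGET), ("no-truststore", NO_TRUSTSTORE),
                            ("no-sslinfo", NO_SSLINFO), ("lb", LOAD_BALANCED)):
            findings.extend(check_target_xml(text, label))
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_targets.py path/to/bundle` in the pipeline step that follows the proxy export; with no argument it runs over the embedded samples, three of which fail.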
Enforcing/obliging the use of a truststore by all developers in each and every Target connection remains a challenge.
But uploading major CA root certs from mkcert.org (@Dino-at-Google: thanks!) into the truststore is well feasible with the Management API. Below is a sample shell script.
#!/bin/bash
#
# Script to upload CA root certs into Apigee truststore for org-env
# Root CA certs are obtained from Mozilla using mkcert.org
# The name and alias of the cert are based on the Label, with spaces replaced by dashes
#
# -u $USERNAME:$PASSWORD

ORG=your-org
ENV=your-env
STORE=truststore-name   # the truststore must already exist in this org/env
CERTSDIR=./certs/
USERNAME=
PASSWORD=

mkdir -p "$CERTSDIR"

# Get list of all certs from mkcert.org
# retrieve Label value from it and remove quotes
curl -s https://mkcert.org/generate/ | grep "# Label" | sed 's/# Label: //g' | tr -d "\"" | while read -r CERT
do
    echo "CERT = $CERT"
    ALIAS=$(echo "$CERT" | tr " " "-")
    echo "ALIAS = $ALIAS"
    CERTFILE="$CERTSDIR$ALIAS.pem"
    echo "CERTFILE = $CERTFILE"

    # Get certificate, remove lines with comments (#) and empty lines
    curl -s -d "[ \"$CERT\" ]" https://mkcert.org/generate/ | sed '/^#/ d' | sed '/^$/d' > "$CERTFILE"

    # Upload cert and create alias for it
    curl -X POST \
        -u "$USERNAME:$PASSWORD" \
        -F "certFile=@$CERTFILE" \
        "https://api.enterprise.apigee.com/v1/organizations/$ORG/environments/$ENV/keystores/$STORE/aliases?alias=$ALIAS&format=keycertfile&ignoreExpiryValidation=false"
done