Restrict "Acceptable client certificate CA names" in 2-way SSL

Hi,

We have a VHost with a 2-way SSL configuration. During the handshake, Apigee shares "Acceptable client certificate CA names", which is a list of the certs installed in the truststore. As we have more than 500 certs in the truststore, this list becomes huge and creates issues for some legacy clients.

We are looking for an option to disable this feature. Is there any way to restrict this at the VHost level so that Apigee doesn't send "Acceptable client certificate CA names"?

Thanks,

Lal


Not applicable

What issue are you facing? We also have mTLS configured, and there are a large number of certificates in the truststore. We don't see any issue. You may explain a little more.

More details please.

Can you show a trace dump of that network traffic (the TLS handshake)?

Are your clients using SNI?

Are you certain you need all of those client certs in the truststore? The TLS model allows root CAs to be in the truststore. Your endpoint can trust just the root signing authorities. It does not need to trust every cert that has been signed by those CAs. That's what makes it scalable. If you have 500 certs in the truststore, it seems like you're missing some of the benefit of the X.509 model.
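The "Acceptable client certificate CA names" in the question is the label openssl s_client prints for the certificate_authorities field of the TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4): one DER-encoded DistinguishedName per trusted issuer, each prefixed by a 2-byte length, with the whole vector capped at 65535 bytes. The script below is an added example, not code from this thread or from Apigee. It encodes and decodes that field using constructed sample DNs (the "Client CA nnnn / Example Corp" names are made up) so the growth of the message with truststore size is visible, and parse_certificate_request can be run on the bytes of a real CertificateRequest exported from the handshake capture the second reply asks for.

```python
"""Encode and decode the certificate_authorities vector of a TLS 1.2
CertificateRequest (RFC 5246 section 7.4.4).  Added example with
constructed DNs; not taken from any real truststore."""
import struct

# Attribute-type OIDs used by the constructed sample DNs (X.520 id-at-*)
_OIDS = {
    "CN": b"\x55\x04\x03",   # commonName
    "O":  b"\x55\x04\x0a",   # organizationName
    "C":  b"\x55\x04\x06",   # countryName
}
_OID_NAMES = {v: k for k, v in _OIDS.items()}


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_dn(rdns: list) -> bytes:
    """X.501 Name: SEQUENCE of RDN SETs, each holding one AttributeTypeAndValue."""
    out = b""
    for attr, value in rdns:
        atv = _der(0x30, _der(0x06, _OIDS[attr]) + _der(0x0c, value.encode()))  # UTF8String
        out += _der(0x31, atv)  # SET
    return _der(0x30, out)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_dn(der: bytes) -> str:
    """Render a DER Name as 'CN=x,O=y,...' (unknown OIDs are shown as hex)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _read_tlv(seq, pos)
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        parts.append(f"{_OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


def encode_certificate_request(ca_dns: list) -> bytes:
    """CertificateRequest body: certificate_types, signature_algorithms, CA list."""
    cert_types = b"\x01\x40"             # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x04\x03"       # sha256/rsa, sha256/ecdsa
    ca_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    if len(ca_list) > 0xFFFF:            # certificate_authorities<0..2^16-1>
        raise ValueError(f"CA list is {len(ca_list)} bytes; RFC 5246 caps it at 65535")
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(ca_list)) + ca_list)


def parse_certificate_request(body: bytes) -> list:
    """Return the acceptable CA names carried in a CertificateRequest body."""
    pos = 1 + body[0]                                          # skip certificate_types
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # skip signature_algorithms
    ca_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end, names = pos + ca_len, []
    while pos < end:
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        names.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    return names


def sample_dns(n: int) -> list:
    """Constructed DNs standing in for n truststore entries (hypothetical names)."""
    return [encode_dn([("CN", f"Client CA {i:04d}"), ("O", "Example Corp"), ("C", "US")])
            for i in range(n)]


def ca_list_size(n: int) -> int:
    """Bytes the certificate_authorities vector needs for n sample DNs."""
    return sum(2 + len(dn) for dn in sample_dns(n))


def fits_in_certificate_request(n: int) -> bool:
    """True if n sample DNs can be encoded at all under the 65535-byte cap."""
    try:
        encode_certificate_request(sample_dns(n))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for n in (1, 50, 500):
        print(f"{n:4d} CA names -> {ca_list_size(n)} bytes of certificate_authorities")
    print(parse_certificate_request(encode_certificate_request(sample_dns(2))))
```

With the short constructed names each entry costs 65 bytes, so 500 of them already put about 32 KB into the CertificateRequest; real DNs with OU, L and ST attributes are typically longer, so a 500-entry truststore gets close to the 65535-byte cap, beyond which the list cannot be encoded at all. A handshake message that large is also split across several TLS records (each carries at most 16384 bytes of plaintext), which older client stacks are known to mishandle. Trusting only the issuing roots, as the reply suggests, shrinks the list to a handful of entries.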