Does Apigee Edge support an OCSP validator?

Hi Team,

I am using Apigee Edge cloud and have enabled mTLS on the virtual host, with the client's root and issuing certificates added to the truststore.

Followed the steps below to test the client's certificate:

    1. In the Apigee API request, added the client certificate, and the connection to the API proxy is established.

    2. In case the client certificate is not sent in the request, I am getting 400 Bad Request with "No SSL certificate".

Currently I am able to access API proxies even though the client certificate is revoked. To address this I have added the "oCSPStapling" property with value "on" in the virtual host. But even after adding this property I am still able to access the Apigee proxy API with a revoked client certificate.

Please let me know what is the fix for this issue.

When you configure OCSP stapling on the Virtual Host, Apigee will transmit the OCSP response to the client, to support the client's ability to evaluate whether the server's cert has been revoked. So that does not affect how Apigee treats the validation of the client certificate.

To implement checking of revocation of client certs within Apigee, you will need to add some extra logic. It's not a simple "checkbox" configuration change. 

See here for a working example. 

Adding to dino's response.

Once you enable JC, make sure you have firewalls enabled to the CA's OCSP/CRL endpoint.
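To make the distinction in the two answers concrete, here is an added example (not from this thread, and not Apigee's or the linked project's code) of the revocation decision that such extra logic has to make for a mutual-TLS client certificate. It uses the Python `cryptography` package and constructs its own issuing CA, client certificate and OCSP response so it runs offline; a real callout would instead fetch the response from the CA's OCSP endpoint named in the certificate's AIA extension, which is why the firewall note above matters.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _cert(cn, issuer_name, issuer_key, pub, is_ca):
    # Minimal builder for the constructed CA and client certificates.
    now = dt.datetime.now(dt.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_fixture(revoked):
    # Constructed CA, a client cert it issued, and a CA-signed OCSP response for it
    # (standing in for what the CA's real OCSP endpoint would return).
    ca_key, cl_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Issuing CA")])
    ca_cert = _cert("Constructed Issuing CA", ca_name, ca_key, ca_key.public_key(), True)
    cl_cert = _cert("mtls-client", ca_name, ca_key, cl_key.public_key(), False)
    now = dt.datetime.now(dt.timezone.utc)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=cl_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                          cert_status=status, this_update=now,
                          next_update=now + dt.timedelta(hours=1),
                          revocation_time=now if revoked else None,
                          revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return ca_cert, cl_cert, resp.public_bytes(serialization.Encoding.DER)

def client_cert_is_acceptable(client_cert, issuer_cert, ocsp_der):
    # Fail closed: accept only a well-formed, issuer-signed, fresh answer that says GOOD.
    r = ocsp.load_der_ocsp_response(ocsp_der)
    if r.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False  # responder error (tryLater, unauthorized, ...)
    try:  # must be signed by the issuing CA; delegated responder certs are not handled here
        issuer_cert.public_key().verify(r.signature, r.tbs_response_bytes,
                                        padding.PKCS1v15(), r.signature_hash_algorithm)
    except InvalidSignature:
        return False
    if r.serial_number != client_cert.serial_number:
        return False  # answer is about a different certificate
    if r.next_update is not None and r.next_update < dt.datetime.utcnow():
        return False  # stale answer
    return r.certificate_status == ocsp.OCSPCertStatus.GOOD
```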


As you suggested, I have followed the Java projects, shared flow and policies in the link you shared above, and it worked fine. Thanks for your support.
