Adding CA signed client certs to truststore for northbound 2-way TLS connections

For northbound connections to Apigee using 2-way TLS, do we add CA-signed client certs to the truststore?

If so, does the truststore act like a whitelist, rejecting any other CA-signed client certs not in the truststore?


Yes - the truststore used for a secure vhost is the store of trusted certs; you must include the full CA chain in the store in order for the signed cert to be trusted. If the client presents a cert that is signed by a root CA that is in the truststore, or that is certified by a CA whose signing chain down to the root CA is in the truststore, then Apigee Edge will allow the inbound request (if you have configured the vhost with ClientAuthEnabled = true).

<VirtualHost name="TwoWayTLSVHost">
    <HostAliases>
        <HostAlias>api2way.example.com</HostAlias>
    </HostAliases>
    <Interfaces/>
    <Port>9006</Port>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>myTestKeystore</KeyStore>
        <KeyAlias>myKeyAlias</KeyAlias>
        <TrustStore>myTruststore</TrustStore>
    </SSLInfo>
</VirtualHost>

See the documentation for full information on creating and using TrustStores with Vhosts.

FYI: The truststore does not act as an allowlist. It's a store of trusted certificates. Any client cert that was signed by any of the certs in the truststore will be trusted. To restrict access to particular clients based on the client common name, you must configure your API proxy to look at the client.cn context variable that is populated in the proxy.

See this article for more: https://community.apigee.com/questions/36406/2-way-tls-between-tls-client-and-edge.html
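One way to enforce the per-client restriction the reply describes, as an added example (not code from this thread or from Apigee): the body of an Apigee JavaScript policy that compares the client.cn variable against a fixed allowlist after the TLS handshake has already validated the cert against the truststore. The allowlist entries, the clientcheck.* flow variable names and the stand-in context object are assumptions.

```javascript
// Added example: per-client allowlist enforced inside the API proxy, because the
// truststore only says "this CA is trusted", not "this client is permitted".
// Written as the body of an Apigee JavaScript policy, where the runtime provides
// `context` (getVariable/setVariable). ES5 syntax, since the policy runs on Rhino.

// CNs permitted to call this proxy (constructed values, not from the thread).
var ALLOWED_CLIENT_CNS = ['partner-a.example.com', 'partner-b.example.com'];

// Normalise a subject CN for comparison: trim and lower-case (DNS names are
// case-insensitive). Returns null for a missing/empty CN so it can never match.
function normalizeCn(cn) {
  if (typeof cn !== 'string') return null;
  var trimmed = cn.trim().toLowerCase();
  return trimmed.length > 0 ? trimmed : null;
}

// Exact match only: no wildcards, no prefix/suffix matching.
function isAllowedClientCn(cn, allowlist) {
  var norm = normalizeCn(cn);
  if (norm === null) return false;
  for (var i = 0; i < allowlist.length; i++) {
    if (normalizeCn(allowlist[i]) === norm) return true;
  }
  return false;
}

// Policy step: read client.cn (populated by Edge from the validated client cert)
// and record the decision in flow variables (assumed names) that a following
// RaiseFault policy can condition on. Returns the decision for callers/tests.
function enforceClientAllowlist(ctx, allowlist) {
  var cn = ctx.getVariable('client.cn');
  var allowed = isAllowedClientCn(cn, allowlist);
  ctx.setVariable('clientcheck.cn', (cn === null || cn === undefined) ? '' : String(cn));
  ctx.setVariable('clientcheck.allowed', allowed);
  return allowed;
}

// Minimal stand-in for the Apigee `context` object so the file also runs
// outside Edge (constructed; inside a real policy the runtime supplies it).
function makeContext(vars) {
  var store = {};
  for (var k in vars) {
    if (Object.prototype.hasOwnProperty.call(vars, k)) store[k] = vars[k];
  }
  return {
    getVariable: function (name) { return store.hasOwnProperty(name) ? store[name] : null; },
    setVariable: function (name, value) { store[name] = value; },
    vars: store
  };
}

// When running as a real policy, `context` exists; enforce immediately.
if (typeof context !== 'undefined') {
  enforceClientAllowlist(context, ALLOWED_CLIENT_CNS);
}
```

A RaiseFault policy with a condition on clientcheck.allowed being false then rejects requests from any cert the truststore accepted but the allowlist does not.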