Regarding 2 way TLS configuration in APIGEE with backend application

Hi All,

We are trying to set up 2-way TLS connectivity between APIGEE and a backend application.

As per the link below:

http://docs.apigee.com/api-services/content/configuring-ssl-edge-backend-service#configuringtwowaytl...

The certificate installation in the truststore is required only when the certificate is self-signed or not signed by a trusted CA.

Do you have any list of CAs that are trusted by APIGEE by default? How will we know which CAs are trusted by APIGEE?

Thanks


Hi,

I believe the job of Apigee is to store all the certificates (in a chain sequence) provided by backend applications in a truststore, mention the truststore name in the target endpoint to validate them at the time of the handshake with the backend, and establish or terminate the connection based on the validation result.

I guess you should ask for the full chain of certificates from the backend application team, configure it in Apigee in the proper sequence from the Root CA to the domain certificate, and try this. If it is a self-signed one, then only one certificate will have to be uploaded into the truststore.

Also please make sure you set up an Edge-specific certificate in a keystore with the private key, and share only the public key and certificate pair with the backend application. You should not share the private key with anyone at any point, since it belongs only to the server application.

Thanks,

Santosh
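The target endpoint setup described in the reply above, written out as an Apigee Edge TargetEndpoint configuration. This is an added example, not the poster's own configuration; the reference names, key alias and backend URL are assumptions.

```xml
<!-- Added example: two-way TLS from Apigee Edge to a backend.
     "myBackendKeystoreRef", "myBackendTruststoreRef", "edge-client-cert"
     and the backend URL are placeholder names, not values from the thread. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <Enabled>true</Enabled>
      <!-- Edge presents its own certificate to the backend (mutual TLS).
           The keystore holds the Edge cert and its private key; only the
           certificate and public key are shared with the backend team. -->
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://myBackendKeystoreRef</KeyStore>
      <KeyAlias>edge-client-cert</KeyAlias>
      <!-- The truststore holds the backend's chain (root CA down to the
           server cert), or the single self-signed cert. Edge validates
           the backend's certificate against it during the handshake. -->
      <TrustStore>ref://myBackendTruststoreRef</TrustStore>
      <!-- Keep this false. Setting it to true makes Edge accept any
           backend certificate, which defeats the truststore entirely. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
    <URL>https://backend.example.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Using `ref://` references rather than literal store names lets the keystore and truststore be rotated without redeploying the proxy.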

Hello,

To my knowledge, by default Apigee supports any CA certs based on the X.509 standard. A few CAs are listed below.

  • VeriSign Class 1 Public Primary Certification Authority - G3 - VeriSign, Inc.
  • VeriSign Class 2 Public Primary Certification Authority - G3 - VeriSign, Inc.
  • VeriSign Class 3 Public Primary Certification Authority - G3 - VeriSign, Inc.
  • VeriSign Class 3 Public Primary Certification Authority - G4 - VeriSign, Inc.
  • VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign, Inc.
  • Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc.
  • SwissSign Gold CA - G2 - SwissSign AG
  • SwissSign Platinum CA - G2 - SwissSign AG
  • SwissSign Silver CA - G2 - SwissSign AG
  • DigiCert High Assurance EV Root CA
  • Entrust Root Certification Authority - G2

In case of a self-signed certificate, collect it from the service provider and then upload it into the truststore.

Thanks,

KP