Truststore on Edge for 2 Way TLS

Hi,

We had requirements to do 2 Way TLS for 2 scenarios

1. Edge is TLS server & TLS client is A

2. Edge is TLS client & TLS server is B

We kept full chain of public certificates for both A and B in the same truststore. The issuing CA was different for both.

Is it a good idea to keep certificates from different CAs in the same trust store?

Has anyone faced a similar scenario?

1 ACCEPTED SOLUTION

Not applicable

Hi,

Technically a single truststore should work. However, I would create two: one for the northbound traffic (Edge as a server) and the other for the southbound (Edge as a client). That gives you more flexibility if you want to change or update later, as you won't need to remember the other CA certs.

Also, you can use the new keystore APIs and upload the files as PEM rather than creating jar files. Even easier, you can use the new UI. Doing so, it will take just minutes to create a new truststore. (See the Beta segments in this listing.)

http://docs.apigee.com/management/apis/post/organizations/%7Borg_name%7D/environments/%7Benv_name%7D...

Don't forget you will also need keystores for the client cert and key to implement 2 way SSL.



Hi @snehal Chakraborty,

I did not get the exact query that you have, but I guess you want to know the best way to store certs for northbound (Apigee acting as a server) and southbound (Apigee acting as a client) connections. I will give my experience on this.

The first thing from a maintenance perspective is to keep the certs for southbound and northbound connectivity in separate stores. Here again there will be two categories - certs created by Apigee and certs received by Apigee. The ones created by Apigee are stored in keystores and the ones received by Apigee are stored in truststores.

1. Northbound -

A. Apigee as server - Most of the time, due to different virtual hosts created to cater to different types of clients, there are multiple certs created by Apigee. These will contain the full cert chain as well as the private key, so keep them in a separate keystore.

B. Apigee as client - You can keep all these certs in one place, since all of those are public certs and it is difficult to specify multiple truststores while configuring a 2 Way connection in the virtual host properties.

2. Southbound -

A. Apigee as server (for 2 way TLS) - Most of the time there is only one domain created for backend connections on Apigee's side, so you can keep this cert along with its private key in a dedicated keystore.

B. Apigee as client - This will again contain public certs received from different backend service providers, so you can store them in one truststore.

Please see if this helps.

Thanks,

Santosh
