Identifying and Accessing Cert info within a proxy


We have a requirement where we need to extract the incoming request's cert info (serial no, CN, DN) and send it in the southbound request headers at runtime. I did a POC to see if it is possible to get cert info on the proxy; it looks like it is possible by using a management API in a service callout to get the cert info. However, I wanted to check whether there is a better or recommended way to do this other than using the mgmt API. Is it okay to call a mgmt API to get cert info in this case? How do I identify the incoming request's cert in the keystore?


Ah, when you say "incoming request's cert info" -- that's not something that you would obtain with a management API call. That is something that the Apigee Edge runtime provides for you, in the message context.

According to this documentation page, you can read client.cn, client.organization, and some other things.

I think you may also be able to read:

ssl.client.i.dn DN of issuer of client cert
ssl.client.i.dn.cn common name of issuer
ssl.client.s.dn DN of subject
ssl.client.s.dn.cn common name of subject
ssl.client.m.serial serial number

I have not been able to verify this on my own.

Give it a shot and tell me how it works for you.

EDIT: Just talked to someone here and they suggested you need to open a support ticket with Apigee to get these variables propagated to your API Proxies.

BTW, to make this happen, you need a vhost with 2-way TLS enabled, e.g. like so:

<VirtualHost name="secure-2way">
  <HostAliases>
    <HostAlias>api.mycustomhost.net</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>443</Port>
  <Properties/>
  <SSLInfo>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <KeyAlias>myspecialkey</KeyAlias>
    <KeyStore>ref://myKeystore</KeyStore>
    <TrustStore>myTruststore</TrustStore>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
  </SSLInfo>
</VirtualHost>

Have you done that? Apigee Edge will verify the client cert if you have used a vhost like this ^^

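As an added example (not from the original thread or from Apigee's own docs), here is an AssignMessage policy that copies the client-certificate variables listed above into southbound request headers, which is what the original question asked for. The header names are my own choice, and the ssl.client.* variable names are the ones the answer says it could not verify, so confirm them on your org before relying on them.

```xml
<!-- Attach this policy as a Step in the TargetEndpoint PreFlow request,
     so the headers are added only to the request sent to the backend. -->
<AssignMessage name="AM-ClientCertHeaders">
  <!-- <Set> overwrites any header of the same name, so a caller cannot
       smuggle in its own value for these headers; the backend only sees
       what the proxy derived from the TLS handshake it verified. -->
  <Set>
    <Headers>
      <!-- Assumed variable names, taken from the answer above -->
      <Header name="X-Client-Cert-Subject-DN">{ssl.client.s.dn}</Header>
      <Header name="X-Client-Cert-Subject-CN">{ssl.client.s.dn.cn}</Header>
      <Header name="X-Client-Cert-Issuer-DN">{ssl.client.i.dn}</Header>
      <Header name="X-Client-Cert-Issuer-CN">{ssl.client.i.dn.cn}</Header>
      <Header name="X-Client-Cert-Serial">{ssl.client.m.serial}</Header>
    </Headers>
  </Set>
  <!-- false: if a variable is not populated (no client cert presented, or
       the variables were never exposed to your org), the policy raises a
       fault instead of silently forwarding empty identity headers. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```

With the vhost above set to ClientAuthEnabled=true and IgnoreValidationErrors=false, the handshake itself rejects unverifiable certs, so these headers only describe a cert that chained to your truststore.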

Thanks for the pointers Dino, will try this and let you know how it went.

Hi @Arvind Velumani, we have a similar requirement to validate the client certificate's UID/serial number. Were you able to validate @Dino's suggestions?

Yes, it works. We were able to get cert info like the serial no propagated to proxies. As suggested, raise a support ticket to expose the serial number and the other variables you need. Thanks @Dino

Thanks @Arvind Velumani for the confirmation.


Please note that the latest documentation for this is available at:

https://docs.apigee.com/api-platform/system-administration/tls-vars

Thanks. This helped.