Cannot create Virtual host with certificate uploaded in Keystore, signed by internal CA


@Anil Sagar Here our need is to create mutual TLS in Apigee Edge. We need a new virtual host with our own certificates to be created in the prod environment for this TLS communication. We have an internal CA which is not an externally verified CA. We have created a Keystore in Apigee and uploaded the Private Key and Certificate (signed by our root CA private key) to the Apigee Edge Keystore. Since our CA is not a verified CA, we have also created a Truststore and uploaded the root CA cert to the Truststore.

Now, while creating the virtual host using the keystore and truststore, it is giving the following error:

{
  "code": "messaging.config.beans.VirtualHostCACertValidationError",
  "message": "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted by java trust anchors or CAs",
  "contexts": []
}


We have tried both options: one with an API call and the other from the Edge portal for creating keystores/truststores. With the API we uploaded the certificate JAR file, and from the portal we uploaded the private key and certificate separately. But we are getting the same error in both cases. Any help on this topic from an Apigee SME would be highly appreciated.

Regards,

Bhaskar


Hope you have followed the doc here

https://docs.apigee.com/api-services/content/keystores-and-truststores#aboutkeystoresandtruststores-...

to capture the cert chain for your self-signed certs. Your internal CA and any intermediate certs need to be part of the keystore.

You can use an openssl command like the following to verify the cert chain before uploading it to Apigee.

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

You can use a command like the following to make a call with the client cert.

curl -v -k -E ./certificate.pfx:password --cert-type P12 https://url
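As an added worked example (not part of the original reply), the script below builds a throwaway internal CA chain (root, intermediate, leaf) in a temporary directory, runs the same openssl verify check as above, shows that the check fails when the intermediate is left out, and then packages the leaf cert, key and intermediate into a PKCS#12 file that the curl command above can use. All file names, subjects and the password are constructed for the example; the assumption that the keystore upload wants the leaf cert followed by its intermediates is taken from the linked doc's description of a cert chain.

```shell
#!/bin/sh
# Added example: generate an internal CA chain and verify it the way the
# reply suggests. Everything here is constructed; nothing is reused from
# a real environment.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension files so each cert carries the right CA / end-entity flags.
cat > root_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:api.example.internal
EOF

# 1. Root CA (self-signed): plays the role of the "internal CA" in the thread.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Internal Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile root_ext.cnf -out RootCert.pem >/dev/null 2>&1

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key \
  -out intermediate.csr -subj "/CN=Example Internal Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in intermediate.csr -CA RootCert.pem -CAkey root.key \
  -CAcreateserial -days 30 -extfile ca_ext.cnf -out Intermediate.pem >/dev/null 2>&1

# 3. Leaf (server/client) cert, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=api.example.internal" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA Intermediate.pem -CAkey intermediate.key \
  -CAcreateserial -days 30 -extfile leaf_ext.cnf -out UserCert.pem >/dev/null 2>&1

# The check from the reply: root is the trust anchor, intermediate is supplied
# as untrusted chain material. Prints "UserCert.pem: OK" on success.
verify_chain() {
  openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
}

# The failure mode behind the thread's error: with the intermediate missing,
# the leaf cannot be chained to the root. Returns 0 if verify correctly fails.
verify_without_intermediate_fails() {
  if openssl verify -CAfile RootCert.pem UserCert.pem >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Chain file for the keystore upload: leaf first, then the intermediate(s).
build_fullchain() {
  cat UserCert.pem Intermediate.pem > fullchain.pem
  grep -c 'BEGIN CERTIFICATE' fullchain.pem
}

# PKCS#12 bundle (leaf + key + intermediate) for the curl -E call above.
build_pfx() {
  openssl pkcs12 -export -in UserCert.pem -inkey user.key \
    -certfile Intermediate.pem -passout pass:password -out certificate.pfx
  # Confirm the bundle is readable with the same password; count certs inside.
  openssl pkcs12 -in certificate.pfx -passin pass:password -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

verify_chain
verify_without_intermediate_fails && echo "verify fails without intermediate, as expected"
echo "fullchain.pem certs: $(build_fullchain)"
echo "certificate.pfx certs: $(build_pfx)"
```

If the openssl verify step reports OK here but Apigee still rejects the keystore, the remaining difference is what was uploaded: the keystore needs the leaf plus the intermediate chain, not the leaf alone, and the trust anchor (root) belongs in the truststore.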

Hi Madhan,

Thanks for your response. I have verified the cert chain using the openssl command you suggested, and it shows 'OK', so I believe my cert chain is fine. Is there any restriction on creating a VHOST? Do I need to contact Apigee support for creating a new VHOST?

Regards,

Bhaskar

@bhaskar.basu - Did you manage to resolve the above-mentioned issue?

I am having a similar issue, so I am interested in how you resolved the above issue. Any help is appreciated.

Thank you!

If you are talking about Cloud, according to the official documentation you cannot have a self-signed certificate:

https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud

"You can only create a virtual host that supports TLS over HTTPS. You must have already created a keystore, and optionally a truststore, containing your TLS cert and key.

You must have a cert signed by a trusted entity, such as Symantec or VeriSign. You cannot use a self-signed cert."