Two way SSL handshake failed

Hello,

I need to establish a 2-way SSL connection between the client and Apigee.

I have successfully implemented the client certificate in my environment, and I added it as the truststore in the virtual host.

The problem here is that all calls returned "400 Bad request - No required SSL certificate was sent", even from the client side, which sends the request with its certificate.

1. Is there any specific way to send the request with the certificate from the client side?

2. Is it mandatory for a successful handshake to have cert.pem, key.pem and ca.pem in the same file?

Please advise.

Thank you.


All calls returned "400 Bad request - No required SSL certificate was sent", even from the client side, which sends the request with its certificate.

How did the client send the certificate? Please provide specific code examples.

Kindly find below the code used by the client to send the certificate:

Note: he is using Python 3.6.


import http.client
import ssl

CERT_FILE = '/path/to/cert.pem'   # client certificate (PEM); may also hold the issuing CA certs after the leaf
CA_CERT = '/path/to/ca.pem'       # CA bundle for verifying the server (currently unused, see below)
KEY_FILE = '/path/to/key.pem'     # private key matching cert.pem
HOSTNAME = 'OUR_HOST.apigee.net'
SOURCE_HOSTNAME = 'www.client_host.com'   # not used in the request below

for lp in range(100):
    # PROTOCOL_SSLv23 negotiates the highest TLS version both sides support
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    # server verification is left off: verify_mode stays CERT_NONE and no CA is loaded
    # context.load_verify_locations(CA_CERT)
    # client certificate and key presented to the server during the handshake
    context.load_cert_chain(CERT_FILE, keyfile=KEY_FILE)
    conn = http.client.HTTPSConnection(HOSTNAME, context=context)
    conn.set_debuglevel(4)   # print the request and response on stdout

    # absolute URL in the request line; the Host header is derived from HOSTNAME
    conn.putrequest('POST', 'https://OUR_HOST.apigee.net/endpoint/path/')
    conn.endheaders()

    response = conn.getresponse()
    print(response.read())

Looks right to me. I suggest you contact Apigee Support.

Thank you very much Dino, I really appreciate your replies.

But do you think the problem is on the Apigee side? Can you please check if there is a missing point? I list here what I did on the Apigee side:

  1. Create a vhost with our certificate.
  2. Get the client certificate.
  3. Create a new keystore for the client.
  4. Create a reference and point it to the created keystore.
  5. Enable Client Authorization in the vhost.
  6. Choose the created reference (point 4) as the trust store.
  7. Add the virtual host to my proxy:

     <HTTPProxyConnection>
       <VirtualHost>virtual host name</VirtualHost>
     </HTTPProxyConnection>

Kindly advise!

Show the complete vhost? You need a key store as well with a vhost that does 2-way TLS. And a key alias. Show your configuration.

Kindly find below my vhost configuration; is anything missing?

Name: VHOST_NAME
Port: 443
Alias: MY_ALIAS
SSL Info:
  Enabled: true
  Client Auth: Enabled
  Key Store: OUR_KEYSTORE
  Key Alias: MY_KEY_ALIAS
  Trust Store: ref://CLIENT_KEYSTORE
  Ignore Validation Errors: false
  Ciphers:

It looks right to me. I don't know what's gone wrong. If this is Apigee Edge SaaS, you may want to open a support ticket. If this is Apigee Edge OPDK then you may want to restart your Edge router.

Or you may want to try again. Remove everything and try again with a new vhost name. Double check everything. Make sure you have the correct cert in the Truststore. (what you have called CLIENT_KEYSTORE).

It can be confusing that there are two different uses for the thing called "keystore" in Apigee Edge. One is as an actual keystore, which you use for authentication of "self"; on inbound requests, this is the Apigee Edge vhost itself. The other use is as a truststore, which is the store for CA certs that can be used to verify the peer's certificate; on inbound, the peer is the client, obviously, and the Truststore is used to verify the client's cert.

Just a note: It is not always appropriate to load the client cert into the Truststore used by the vhost. The TLS model says that verification of a peer certificate requires a chain of trust that terminates at a Root CA. A Root CA is self-signed. If the client cert is provided by a third party (like LetsEncrypt, or GoDaddy, or GeoTrust or Thawte or any party that issues certificates), then it will not be self-signed. Therefore it will not be a Root certificate, and installing a non-Root cert into the Truststore _shouldn't_ work. What you need to do is install the certs of the chain of signing CAs into the Truststore, ensuring that you also include the cert of the Root CA. You would need to install the LetsEncrypt cert, or the GoDaddy cert, etc., into the Truststore. This allows the TLS runtime to verify the signature on the inbound client certificate, down to the terminating, self-signed, root cert. More on this here: https://superuser.com/a/347614/3614

If you have a self-signed cert for the client, then installing the self-signed cert into the Truststore will be appropriate and sufficient.
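The chain-of-trust point above, as an added demonstration that is not code from the thread or from Apigee: a constructed root CA, issuing (intermediate) CA and client certificate are generated with openssl, and `openssl verify` is then run against truststores holding only the client cert, only the intermediate, only the root, and the intermediate plus the root; the last call shows that a root-only truststore also works when the client presents its intermediate alongside its own cert (the same thing a client gets by putting the intermediate into the file it loads with load_cert_chain). It assumes `openssl` and `mktemp` are on PATH; all names are made up.

```shell
# Constructed demo, not from the thread: root CA -> issuing CA -> client cert, then check
# which truststore contents let the client cert verify. All names/values are invented.
WORK="$(mktemp -d)"
make_demo_certs() (
  cd "$WORK" || exit 1
  printf '[req]\ndistinguished_name = dn\n[dn]\nCN = ignored\n' > req.cnf
  cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed root: the only kind of cert that can terminate a chain of trust.
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 2 -sha256 \
    -extfile ext.cnf -extensions v3_ca -out root.pem 2>/dev/null
  # Intermediate CA signed by the root (public CAs sign leaf certs with one of these).
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Demo Issuing CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 2 \
    -sha256 -extfile ext.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  # Client (leaf) cert signed by the intermediate: what the client presents in the handshake.
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=Demo Client" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -set_serial 3 -days 2 \
    -sha256 -extfile ext.cnf -extensions v3_client -out client.pem 2>/dev/null
  # Truststore built the way the reply above recommends: signing CAs down to the root.
  cat inter.pem root.pem > chain_ts.pem
)
# verify_with TRUSTSTORE CERT [EXTRA]: EXTRA stands in for intermediates the client
# sends along with its own cert. Prints "ok" or "fail".
verify_with() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}
make_demo_certs
for ts in client inter root chain_ts; do
  echo "truststore=$ts.pem, client cert alone: $(verify_with "$WORK/$ts.pem" "$WORK/client.pem")"
done
echo "truststore=root.pem, client also sends inter.pem: $(verify_with "$WORK/root.pem" "$WORK/client.pem" "$WORK/inter.pem")"
```

Only the two runs that end at the self-signed root print "ok": a truststore holding just the leaf or just the intermediate is rejected, and a root-only truststore works only when the intermediate arrives with the client cert.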

Thank you Dino, I think it's something related to the certificate structure. Currently we are implementing the following structure, uploaded in the truststore:

-----BEGIN CERTIFICATE-----
(Your Primary TLS certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate or intermediate certificate signed by a root certificate)
-----END CERTIFICATE-----

Even the call from Apigee to the backend server (outbound) doesn't work. I use the following code in the service callout:

<HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
        <Enabled>true</Enabled>
        <ClientAuthEnabled>true</ClientAuthEnabled>
        <KeyStore>ref://OUR_APIGEE_CERT</KeyStore>
        <KeyAlias>OUR_ALIAS</KeyAlias>
        <TrustStore>ref://CLIENT_TRUSTSTORE</TrustStore>
    </SSLInfo>
    <URL>SERVER_ENDPOINT</URL>
</HTTPTargetConnection>

I don't know what else to tell you.

The configuration looks ok, with one exception. Is the truststore correct?

Whether for inbound or outbound calls, the TrustStore must contain the cert of the remote peer. In the outbound case, the remote peer is a server. You have it as "CLIENT_Truststore". That's for sure the wrong label.

Check to see that you have the correct cert there.

Have you started over from the beginning?

If I were you I would break it down. Are the certs encrypted? If so, use non-encrypted certs. Are the keys encrypted? If so, use non-encrypted keys.

If you have an Apigee support contact or Apigee SCA, get them involved.

Good luck.

Thank you very much for your prompt answer, I really appreciate your answers.