How to restrict client to only use certificate issued by certain certificate authorities


Hi,

We have configured Edge for two-way TLS and everything is working fine. For testing we are using a client certificate issued by Verisign. We have not added any CA certificate to the truststore, but the client certificate is still being verified. How is Apigee validating the authenticity of a client certificate even though we have not added any Verisign certificate to the truststore? Does this mean any certificate issued by a public CA will automatically be validated by Apigee, and if so, how can we restrict this behavior to certain CAs only?

Thanks


We have configured Edge for two way TLS

I think you are saying you have configured a Virtual Host for 2-way TLS. Is that right? This means you want Apigee Edge to validate the identity of the client sent with the inbound call. Is that right?

And the Truststore you specify there, has no certificates. Is that right?

Can you show the result of

curl -i $mgmtserver/v1/o/$ORG/e/$ENV/virtualhosts/$VHOST

And also similar for the TrustStore named in that vhost

curl -i $mgmtserver/v1/o/$ORG/e/$ENV/keystores/$truststore/certs

If you have a valid truststore that is empty (no certs) then I would expect a vhost using that Truststore to always reject inbound clients. If that is not occurring then I suggest that you file a bug. But let us together check the configuration first.
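The behaviour being asked about (only clients whose certificate chains to a CA that is actually in the truststore get accepted) can be reproduced locally with openssl, independent of Apigee. The script below is an added example, not code from the thread or from Apigee: it creates two throwaway CAs, issues a client certificate from one of them, and then verifies that certificate against a truststore containing only the allowed CA, only the other CA, and both. The CA and file names are illustrative and chosen here; the only assumption is that openssl is on the PATH.

```shell
#!/bin/sh
# Added example: emulate a truststore restricted to specific CAs with
# throwaway local CAs. Requires openssl; all names below are made up here.
set -eu

WORK="${TMPDIR:-/tmp}/twoway-tls-demo.$$"
mkdir -p "$WORK"

# make_ca NAME: create a self-signed throwaway CA (NAME.key / NAME.pem)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA_NAME CLIENT_NAME: issue a client certificate signed by CA_NAME
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against TRUSTSTORE_PEM CLIENT_PEM: prints "accepted" when the client
# certificate chains to a CA in TRUSTSTORE_PEM, "rejected" otherwise.
# This is the same chain check a 2-way TLS endpoint performs with its truststore.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# Build the scenario: allowedCA issues the client cert; otherCA is a CA we
# deliberately do not want to trust; bothCAs is a truststore bundling the two.
setup_demo() {
    make_ca allowedCA
    make_ca otherCA
    issue_client allowedCA client
    cat "$WORK/allowedCA.pem" "$WORK/otherCA.pem" > "$WORK/bothCAs.pem"
}

setup_demo
echo "truststore = allowedCA only : $(verify_against "$WORK/allowedCA.pem" "$WORK/client.pem")"
echo "truststore = otherCA only   : $(verify_against "$WORK/otherCA.pem"   "$WORK/client.pem")"
echo "truststore = allowedCA+other: $(verify_against "$WORK/bothCAs.pem"   "$WORK/client.pem")"
```

The second line is the one that matters for the question in this thread: a truststore that does not contain the issuing CA (here, a truststore holding only otherCA) rejects the client certificate, whatever CA signed it. Restricting accepted clients to particular CAs is therefore a matter of putting exactly those CA certificates (and any intermediates) in the truststore the vhost references, which is why an empty truststore accepting a publicly issued certificate is the surprising part.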

I think you are saying you have configured a Virtual Host for 2-way TLS. Is that right?

Yes.

This means you want Apigee Edge to validate the identity of the client sent with the inbound call. Is that right?

Yes

And the Truststore you specify there, has no certificates. Is that right?

Yes, as can be seen in the response for GET Truststore API

{
    "aliases": [],
    "certs": [],
    "keys": [],
    "name": "northTrustStore"
}

So with this configuration, when the client makes a call with a certificate signed by Entrust, the call goes through and we get the results instead of an error.

Following is the configuration of virtual host.

{
    "hostAliases": [
        "xxxxxxxx-twoway.xxxxxxxxxxxxxxx.com"
    ],
    "interfaces": [],
    "listenOptions": [],
    "name": "twoWay",
    "port": "443",
    "propagateTLSInformation": {
        "clientProperties": true,
        "connectionProperties": true
    },
    "properties": {
        "property": [
            {
                "name": "ssl_protocols",
                "value": "TLSv1.2"
            }
        ]
    },
    "retryOptions": [],
    "sSLInfo": {
        "ciphers": [],
        "clientAuthEnabled": "true",
        "enabled": "true",
        "ignoreValidationErrors": false,
        "keyAlias": "xxxxxxxxxxxxxxxx.com",
        "keyStore": "ref://north",
        "protocols": [],
        "trustStore": "ref://northTrustStore"
    }
}

And in the trace we can clearly see the client cert info being populated in headers.

OK that sounds like an embarrassing bug! I suggest you file a ticket with support.

@Peter Johnson FYI

In the meantime, Have you tried working around the problem by installing a self-signed (throwaway) cert in that truststore? Maybe it's an edge case that the vhost is not using the truststore properly if it is empty. IF you put SOMETHING into it, then that might avoid the edge case.

I haven't tested this myself. Just making a suggestion.

We tested the self-signed certificate and it works as expected. It seems Apigee has a concept of "Apigee's base certificate store", as mentioned by someone on the support portal; this is what they said:

"There are times when the chain is not needed if the root certificate is already present in Apigee's base certificate store, much like web browsers which are often distributed with a pack of trusted root certificates"

So if the above is true, then the only purpose the truststore serves is to validate self-signed certificates.

We tested the self-signed certificate and it works as expected.

Can you explain in more detail what you mean by "Tested" and "works"? Did you try to invoke a 2-way TLS vhost that refers to a Truststore containing only one self-signed cert, using a client-side cert signed by Entrust? And what happened?