Certificate related Question

nandishnandy
Participant III

The point is that we’ve installed the SSL cert with CN as xxxxxxx in the PPE origin server and the endpoint is working from Akamai, as expected, and also from Apigee. Both are hitting the same origin server in the back-end. I reckon Apigee is going by its pre-installed root certificate validations from trusted CAs, which in our case is Entrust, and it is not imposing the CN/SAN checks as Akamai is doing.

We’re planning to upgrade the SSL cert issued by the same trusted CA in the Prod origin server with CN as xxxxxxx and we’re expecting Apigee to work without any issue?

Does Apigee not do CN/SAN name matching at its end like Akamai does?

Accepted solution

Apigee can do CN verification if you configure it to do so.

You will use the SSLInfo element on the HTTPTargetEndpoint. For example:

  <HTTPTargetConnection>
    <Properties/>
    
    <SSLInfo>
      <Enabled>true</Enabled>
      <CommonName wildcardMatch="true">*.api.mycompany.com</CommonName>
      <TrustStore>ref://mytruststore</TrustStore>
    </SSLInfo>
    <URL>https://host.api.mycompany.com/v2</URL>
  </HTTPTargetConnection>


Also, yes, Apigee will use pre-installed trusted certs, but I recommend that you do not rely on that, but instead, populate a TrustStore in your environment with the specific certs you need, and configure that TrustStore explicitly in the SSLInfo, as above.
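
A pre-change check for the certificate upgrade discussed in this thread, as an added example (not code from the original posts or from Apigee): it reads an `HTTPTargetConnection` like the one above and reports whether a TrustStore and CommonName are set and whether the CN of the planned certificate would pass the configured value. The function names and sample hostnames are hypothetical, and the wildcard rule (one left-most DNS label) is an assumption, not Apigee's documented matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the target configuration quoted in the answer above.
PINNED = """
<HTTPTargetConnection>
  <Properties/>
  <SSLInfo>
    <Enabled>true</Enabled>
    <CommonName wildcardMatch="true">*.api.mycompany.com</CommonName>
    <TrustStore>ref://mytruststore</TrustStore>
  </SSLInfo>
  <URL>https://host.api.mycompany.com/v2</URL>
</HTTPTargetConnection>
"""

def cn_matches(pattern, cert_cn, wildcard):
    """Case-insensitive comparison of a certificate CN with the configured value."""
    pattern, cert_cn = pattern.strip().lower(), cert_cn.strip().lower()
    if wildcard and pattern.startswith("*."):
        # Assumption: "*" stands for exactly one left-most DNS label.
        head, _, tail = cert_cn.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == cert_cn

def audit_target(xml_text, cert_cn):
    """Return findings for one HTTPTargetConnection and the CN of the planned cert."""
    ssl_info = ET.fromstring(xml_text).find("SSLInfo")
    if ssl_info is None or (ssl_info.findtext("Enabled") or "").strip() != "true":
        return ["SSLInfo missing or not enabled: no TrustStore or CommonName is set"]
    findings = []
    if not (ssl_info.findtext("TrustStore") or "").strip():
        findings.append("no TrustStore: relies on the pre-installed trusted certs")
    cn = ssl_info.find("CommonName")
    if cn is None or not (cn.text or "").strip():
        findings.append("no CommonName: the certificate name is not checked")
    elif not cn_matches(cn.text, cert_cn, cn.get("wildcardMatch") == "true"):
        findings.append(f"CommonName {cn.text.strip()} does not cover {cert_cn}")
    return findings

if __name__ == "__main__":
    # Constructed certificate names, one that passes and one that does not.
    for name in ("host.api.mycompany.com", "host.mycompany.com"):
        print(name, audit_target(PINNED, name) or "ok")
```

An empty list means the planned certificate's CN passes the configured check; any finding is worth resolving before the Prod certificate is replaced.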
