Getting complete certificate chain of MATLS

Hi

We want to achieve OCSP through Java code, and for this we need the complete certificate chain, as the OCSP code requires the leaf as well as the issuer certificate. Apigee variables are capturing the leaf certificate and passing it to the message processor, but we need the issuer cert as well.

Has anyone faced this issue?


Nope, I don't think it's possible to do that.

You can get the client certificate and other information extracted from the client certificate.

It is not possible for the API Proxy to retrieve the entire cert chain. Not today anyway!

What do you mean by "leaf and issuer cert"? Do you need the entire chain? Or do you need only 2 - the leaf cert and the cert of the issuer of that cert? I'm not clear, you have said both.

I am not an expert in OCSP, but my understanding is that all that is required is the certificate in question, and the address of the OCSP responder, which is often included in the certificate anyway. So to use OCSP as a client, you really just need the one certificate.

Why do you say you need the entire chain? I guess you're trying to do OCSP validation of each of the certificates in the chain of certs?

navaarul

I have encountered a similar situation where I needed to send the client certificate and its issuer certificate to the OCSP responder URL; failing to attach the issuer certificate in the OCSP request resulted in a failure OCSP response status (UNAUTHORIZED).

So we have implemented a custom solution using a Java Callout in which we download the issuer certificate from the Apigee truststore by making an HTTP call to the Apigee Management API:

https://api.enterprise.apigee.com/v1/o/%s/environments/%s/keystores/%s/certs/%s-cert/export

Once we got the issuer cert, we attach both the client cert and the issuer cert in the OCSP request and send an HTTP request to the OCSP responder URL, and we got a successful response back.
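As an added example (not code from this thread, from Apigee, or from the Java Callout the reply describes), the following Java class shows the step that happens after the issuer cert has been fetched: building the OCSP request, posting it, and checking the answer. It also makes concrete why the issuer cert is needed at all: the CertID inside an OCSP request (RFC 6960) is the hash of the issuer's distinguished name, the hash of the issuer's public key, and the leaf's serial number, so the request cannot be formed from the leaf alone. Assumptions: the Bouncy Castle provider and PKIX jars are on the callout classpath, both certificates arrive as PEM or DER bytes, the responder URL is supplied by the caller, and the issuer CA signs its own OCSP responses (a delegated responder certificate would need its own chain check instead, see the comment). The class name `OcspCheck` and all method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Hypothetical OCSP check for a client (leaf) certificate, given its issuer certificate. */
public final class OcspCheck {

    /** Parses a PEM- or DER-encoded X.509 certificate. */
    public static X509Certificate parseCert(byte[] encoded) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /**
     * Builds the request. CertID = SHA-1(issuer DN) + SHA-1(issuer public key) + leaf serial,
     * so the issuer certificate, not only the leaf, must be in hand.
     */
    public static OCSPReq buildRequest(X509Certificate leaf, X509Certificate issuer, byte[] nonce) throws Exception {
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID id = new CertificateID(sha1, new JcaX509CertificateHolder(issuer), leaf.getSerialNumber());
        // The nonce binds the answer to this request, so a cached "good" reply cannot be replayed.
        Extension nonceExt = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));
        return new OCSPReqBuilder().addRequest(id)
                .setRequestExtensions(new Extensions(new Extension[] { nonceExt }))
                .build();
    }

    /** POSTs the DER request to the responder (RFC 6960 appendix A) and returns the raw DER reply. */
    public static byte[] post(String responderUrl, byte[] der) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) new URL(responderUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/ocsp-request");
        conn.setRequestProperty("Accept", "application/ocsp-response");
        try (OutputStream out = conn.getOutputStream()) { out.write(der); }
        if (conn.getResponseCode() != 200) throw new IllegalStateException("HTTP " + conn.getResponseCode());
        try (InputStream in = conn.getInputStream()) {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
            return buf.toByteArray();
        }
    }

    /** Returns "GOOD", "REVOKED" or "UNKNOWN"; throws on any reply that must not be trusted. */
    public static String evaluate(byte[] raw, CertificateID expected, X509Certificate issuer, byte[] nonce) throws Exception {
        OCSPResp resp = new OCSPResp(raw);
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            // Status 6 is UNAUTHORIZED, the code the reply above saw when the issuer cert was missing.
            throw new IllegalStateException("OCSP responder status " + resp.getStatus());
        }
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();
        // Assumes the issuer CA signs its own responses. A delegated responder would instead
        // require verifying its certificate chains to the issuer with the id-kp-OCSPSigning EKU.
        if (!basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(issuer.getPublicKey()))) {
            throw new SecurityException("OCSP response signature does not verify against the issuer");
        }
        Extension echoed = basic.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (echoed == null || !Arrays.equals(echoed.getExtnValue().getOctets(), nonce)) {
            throw new SecurityException("OCSP nonce missing or mismatched (possible replay)");
        }
        for (SingleResp single : basic.getResponses()) {
            if (!single.getCertID().equals(expected)) continue;   // answer for a different cert
            Object status = single.getCertStatus();
            if (status == CertificateStatus.GOOD) return "GOOD";  // GOOD is represented as null
            return status instanceof RevokedStatus ? "REVOKED" : "UNKNOWN";
        }
        throw new IllegalStateException("response carries no answer for the requested certificate");
    }

    /** End to end: parse both certs, confirm the pairing, build, send, evaluate. */
    public static String check(byte[] leafBytes, byte[] issuerBytes, String responderUrl) throws Exception {
        X509Certificate leaf = parseCert(leafBytes);
        X509Certificate issuer = parseCert(issuerBytes);
        leaf.verify(issuer.getPublicKey());   // fail fast if the fetched "issuer" did not sign the leaf
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        OCSPReq req = buildRequest(leaf, issuer, nonce);
        byte[] raw = post(responderUrl, req.getEncoded());
        return evaluate(raw, req.getRequestList()[0].getCertID(), issuer, nonce);
    }
}
```

In a callout, `check` would be fed the leaf from the TLS flow variable and the issuer bytes obtained from the keystore export call, and its return value written back to a flow variable for the proxy to act on. The `leaf.verify(issuer.getPublicKey())` line is the cheap guard that catches the case where the wrong certificate was exported from the keystore: without it, a mismatched issuer silently yields a CertID for a certificate that does not exist, and the responder answers UNKNOWN or UNAUTHORIZED rather than something obviously wrong.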