Hi,
We are implementing mutual SSL authentication for inbound calls to Apigee. The client certificates can be issued by multiple CAs, so we can't add just one CA. How to add multiple CAs to trust all the client certificates?
Thanks
Shiv
Easy to accomplish using the Management API.
1. Create a truststore you will use for your VHost configuration.
curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: text/xml" -d '<KeyStore name="truststorewithmanycacertficates"/>' https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores
2. Keep adding CA trust certificates to the truststore ad nauseam.
# repeat for each cert-<x>
curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: multipart/form-data" -F certFile="@cert-<x>.pem" "https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores/truststorewithmanycacertficates/aliases?alias=cert-<x>&format=keycertfile"
3. Validate the list of certificate aliases
curl -i -u "$USERNAME:$PASSWORD" -n https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/keystores/truststorewithmanycacertfica...
4. Refer to it in the VHOST configuration that enables and configures mTLS
curl -i -u "$USERNAME:$PASSWORD" -n -H "Content-Type: application/json" https://api.enterprise.apigee.com/v1/o/$ORG/environments/$ENV/virtualhosts -d '{
  "name": "exco-vhost",
  "hostAliases": ["exco-test.apigee.net"],
  "port": "443",
  "ocspStapling": "off",
  "baseUrl": "https://api.exco.com",
  "SSLInfo": {
    "enabled": true,
    "keyStore": "freetrial",
    "keyAlias": "freetrial",
    "clientAuthEnabled": true,
    "trustStore": "truststorewithmanycacertficates"
  },
  "propagateTLSInformation": {
    "clientProperties": false,
    "connectionProperties": false
  }
}'
See for details: https://docs.apigee.com/api-platform/system-administration/creating-keystores-and-truststore-cloud-u...
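As an added example (not from the thread and not Apigee's own tooling), a script that automates steps 2 and 3 of the answer above for a directory of PEM files: it refuses anything that is not a current CA certificate before uploading, and afterwards checks that every uploaded alias appears in the truststore's alias list. Assumed: $USERNAME, $PASSWORD, $ORG and $ENV are exported, the truststore from step 1 already exists, curl and openssl are on PATH, and the aliases endpoint returns a JSON array of alias names.

```shell
# Added example (not from the thread): upload every CA certificate in a directory
# to an existing Apigee truststore, then confirm each alias is listed.
# Assumptions: USERNAME, PASSWORD, ORG and ENV are exported; curl and openssl are
# on PATH; the aliases endpoint returns a JSON array such as ["cert-1","cert-2"].
set -eu

MGMT="https://api.enterprise.apigee.com/v1/o/${ORG:-myorg}/environments/${ENV:-test}"
TRUSTSTORE="truststorewithmanycacertficates"   # created in step 1 of the answer

# Alias derived from the file name: certs/cert-2.pem -> cert-2
alias_for_file() {
    base="${1##*/}"
    printf '%s\n' "${base%.*}"
}

# Management API endpoint that stores one PEM certificate under an alias
upload_url() {
    printf '%s/keystores/%s/aliases?alias=%s&format=keycertfile\n' "$MGMT" "$TRUSTSTORE" "$1"
}

# A truststore should hold CA certificates only: reject leaf and expired certs
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' &&
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

add_ca_cert() {
    a="$(alias_for_file "$1")"
    curl -sS -f -u "$USERNAME:$PASSWORD" -H "Content-Type: multipart/form-data" \
         -F certFile="@$1" "$(upload_url "$a")" >/dev/null
    echo "uploaded $1 as alias $a"
}

# Step 3 of the answer: the alias list the router will actually use
list_aliases() {
    curl -sS -f -u "$USERNAME:$PASSWORD" "$MGMT/keystores/$TRUSTSTORE/aliases"
}

main() {
    dir="${1:-certs}"
    for f in "$dir"/*.pem; do
        if is_ca_cert "$f"; then add_ca_cert "$f"; else echo "skipping $f: not a valid CA cert" >&2; fi
    done
    listed="$(list_aliases)"
    for f in "$dir"/*.pem; do
        is_ca_cert "$f" || continue
        echo "$listed" | grep -q "\"$(alias_for_file "$f")\"" || { echo "missing alias for $f" >&2; exit 1; }
    done
}
if [ $# -gt 0 ]; then main "$1"; fi
```

Run it as `sh upload-cas.sh certs` after creating the truststore; a router restart (see the replies below) is still needed before the new CAs take effect.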
Better to use a reference to the truststore to avoid restart of routers when certificates are changed.
However, note that when a new certificate is added, even with a reference, a restart is required.
https://docs.apigee.com/api-platform/system-administration/working-references
I am currently working on the same problem statement, however adding new certificates requires restarting the router each time.
A better approach we are considering right now is to have clients send us CSRs which we use to generate certs for them. The root is obviously already added to the trust store.