How to maintain and enforce own truststore?

guycrets
Participant IV

Edge does not validate backend certs. One must create a truststore to enforce validation of the certs of your targets, as described in the docs. Apigee does not provide a default truststore.

So one has to maintain one's own truststore(s). Via the Edge UI, it seems only possible to import certs one by one. Via the management API, certs can be uploaded in an automated manner (we need to maintain the truststore in each of our 24+ org/envs).

And finally, one should never forget to configure <TrustStore> in each and every TargetConnection.

<HTTPTargetConnection>
  <Properties/>
  <SSLInfo>
    <Enabled>true</Enabled>
    <TrustStore>ref://ref-to-truststore</TrustStore>
  </SSLInfo>
</HTTPTargetConnection>

Questions:

  • Is there a suggested source of trusted root CAs? Or is it better to export/import from the OS or browser at regular intervals?
  • How to enforce that each and every proxy uses TargetConnection with SSLInfo and TrustStore?
  • Any best practices or experiences to manage TrustStores and enforce their use?

Guy, great question.

It feels to me that maybe the docs could be expanded to cover some of this, but I dunno.

Regardless, here are some of my recommendations.

Source for root CA certificates:

The best source of root CAs is mkcert.org. I have mentioned mkcert on the Apigee community previously. It exposes an API through which you can grab certs. I have built a tool that downloads those certs and then puts them into an Apigee truststore. It's linked in that prior post, and here is another link.

For ensuring that every proxy does the right thing, static analysis in your CI/CD pipeline is what you want.
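
As an added illustration of the static-analysis suggestion above (example code, not from the original thread and not Apigee's own tooling): a small Python lint that walks a proxy bundle's apiproxy/targets/*.xml files and fails the build unless every HTTPTargetConnection carries an SSLInfo with Enabled set to true and a TrustStore, and does not set IgnoreValidationErrors to true. The bundle layout and the two embedded sample target definitions are assumptions made for the example. Targets that go through a LoadBalancer/TargetServer are only flagged, since their SSLInfo lives on the TargetServer object in the environment rather than in the bundle, and must be checked through the management API separately.

```python
"""Lint Apigee Edge proxy bundles before deployment.

Rule: every HTTPTargetConnection must have <SSLInfo> with <Enabled>true,
a <TrustStore>, and no <IgnoreValidationErrors>true.

Added example, not code from the original post. Assumes the standard
bundle layout <proxy-dir>/apiproxy/targets/*.xml.
"""
import pathlib
import sys
import xml.etree.ElementTree as ET


def check_target_endpoint(xml_text: str, name: str = "<inline>") -> list:
    """Return a list of finding strings for one TargetEndpoint document.
    An empty list means the target passes the lint."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("HTTPTargetConnection"):
        # A <LoadBalancer> target takes its SSLInfo from the TargetServer
        # definition in the environment, which the bundle does not contain;
        # flag it so that the TargetServer gets checked separately.
        if conn.find("LoadBalancer") is not None:
            findings.append(f"{name}: uses TargetServer; verify its SSLInfo via the management API")
            continue
        url = (conn.findtext("URL") or "").strip()
        if not url.lower().startswith("https://"):
            findings.append(f"{name}: target URL is not https: {url!r}")
        ssl = conn.find("SSLInfo")
        if ssl is None:
            findings.append(f"{name}: HTTPTargetConnection has no <SSLInfo>")
            continue
        if (ssl.findtext("Enabled") or "").strip().lower() != "true":
            findings.append(f"{name}: <SSLInfo><Enabled> is not true")
        if not (ssl.findtext("TrustStore") or "").strip():
            findings.append(f"{name}: <SSLInfo> has no <TrustStore>")
        if (ssl.findtext("IgnoreValidationErrors") or "").strip().lower() == "true":
            findings.append(f"{name}: IgnoreValidationErrors=true disables certificate validation")
    return findings


def lint_bundle(bundle_dir) -> list:
    """Lint every target endpoint in one proxy bundle directory."""
    targets = sorted(pathlib.Path(bundle_dir).glob("apiproxy/targets/*.xml"))
    if not targets:
        return [f"{bundle_dir}: no apiproxy/targets/*.xml found"]
    findings = []
    for path in targets:
        findings += check_target_endpoint(path.read_text(), str(path))
    return findings


# Constructed sample targets for the example (not from the original post).
GOOD_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://backend.example.com/api</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <TrustStore>ref://ref-to-truststore</TrustStore>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>"""

BAD_TARGET = """<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://backend.example.com/api</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <IgnoreValidationErrors>true</IgnoreValidationErrors>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>"""

if __name__ == "__main__":
    # Usage: python lint_targets.py <proxy-dir> [<proxy-dir> ...]
    problems = []
    for bundle in sys.argv[1:]:
        problems += lint_bundle(bundle)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

Run it in the pipeline step that packages the bundle; a non-zero exit blocks the deployment, so a developer cannot push a target that silently skips certificate validation.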

guycrets
Participant IV

Enforcing/obliging the use of a truststore by all developers in each and every Target connection remains a challenge.

But uploading the major CA root certs from mkcert.org (@Dino-at-Google: thanks!) into a truststore is well feasible with the Management API. Below is a sample shell script.

#!/bin/bash
#
# Script to upload CA root certs into an Apigee Edge truststore for one org/env.
# Root CA certs are obtained from Mozilla's trust store via mkcert.org.
# The alias of each cert is derived from its "# Label" header line, with spaces replaced by dashes.
#
# The management API call authenticates with basic auth: -u $USERNAME:$PASSWORD
ORG=your-org
ENV=your-env
STORE="truststore-name"   # the truststore must already exist in the org/env
CERTSDIR=./certs/
USERNAME=
PASSWORD=

mkdir -p "$CERTSDIR"

# Get the list of all certs from mkcert.org:
#   retrieve the Label value from each cert header and remove the quotes
curl -sSf https://mkcert.org/generate/ | grep "# Label" | sed 's/# Label: //g' | tr -d "\"" | while read -r CERT
do
  echo "CERT  = $CERT"
  ALIAS=$(echo "$CERT" | tr " " "-")
  echo "ALIAS = $ALIAS"
  CERTFILE="$CERTSDIR$ALIAS.pem"
  echo "CERTFILE  = $CERTFILE"

  # Get the certificate by label, remove comment lines (#) and empty lines
  curl -sSf -d "[ \"$CERT\" ]" https://mkcert.org/generate/ | sed '/^#/ d' | sed '/^$/d' > "$CERTFILE"

  # Upload the cert and create an alias for it (expired certs are rejected)
  curl -sS -X POST \
    -u "$USERNAME:$PASSWORD" \
    -F "certFile=@$CERTFILE" \
    "https://api.enterprise.apigee.com/v1/organizations/$ORG/environments/$ENV/keystores/$STORE/aliases?alias=$ALIAS&format=keycertfile&ignoreExpiryValidation=false"
  echo

done