This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Mutual TLS to backend server with Self-signed Cert

Posted on 10-10-2019 12:35 AM
etienned
New Member
Reply posted on --/--/---- --:-- AM

Hi,

I am currently testing Mutual TLS between Apigee Edge and a backend with a self signed certificate. The self-signed certificate is just for testing and and a signed cert will be used in Prod.

So I have configure the Keystore with the Server cert and key and also created a truststore with only the server cert. When testing the certs in the UI I keep on getting the following error: Error: Invalid Truststore. Unable to find valid certification path to requested target

I have done a couple of mutual TLS integrations to backend with CA signed Certs, but this is the first with a Self-signed cert.

How do you need to setup the Truststore for this to work? To generate the selfsigned cert i used the following command: openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365

1 2 696
Topic Labels
2 REPLIES 2

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

I am not specifically familiar with the particular error you're seeing: eg, "Invalid Truststore".

This message suggests that the truststore itself is not valid. What might cause this?

Maybe the cert you've loaded into the truststore is not a valid x509v3 cert? Maybe it's misformatted.

Can you verify for me how you loaded that cert.pem into the Truststore? Show me what you did?

And can you show me what the Admin UI shows you when you view that truststore?

0 Likes

Posted on --/--/---- --:-- AM
etienned
New Member
In response to dchiesa1
Reply posted on --/--/---- --:-- AM

Hi Dino,

When creating a Keystore, I used two methods.

Method1: Used the Self-signed dropdown item and left everything default with a CommonName of *.something.pro-eu-west-1.openshiftapps.com

When I run the test function on the UI I get the error mentioned

Method2: I selected certificate only and uploaded the server.crt that was generated from the following command: openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

When I do a openssl s_client -connect -showcerts <url:port> I have noticed the following:

--- 
Server certificate 
subject=/CN=*.sometext.pro-eu-west-1.openshiftapps.com 
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 
--- 
No client certificate CA names sent 
Peer signing digest: SHA512 
Server Temp Key: ECDH, P-256, 256 bits
--- 
SSL handshake has read 3249 bytes and written 302 bytes 
Verification error: unable to get local issuer certificate 
---

When I view from the UI

9275-capture1.jpg

When I run a test on that Keystore, I get the following:

9276-capture2.jpg

Just to verify, just to make sure I didn't make a rookie error, I have created a Keystore with the cert and key that is required for the Backend server, because it is a self-signed cert I had to create a Truststore and add the self-signed cert to it. I then tested the connection from the truststore.

0 Likes