Accessing Certificate info of Target Server in Two way mTLS

We have a requirement to extract target server certificate presented at runtime in a two-way mTLS configuration.

I understand we have some variables available at runtime as defined here: https://docs.apigee.com/api-platform/reference/variables-reference#target

But we are specifically looking at validating the points below:

  • Certificate signature is valid for certificate and its entire CA chain
  • Certificate did not expire for certificate and its entire CA chain
  • Certificate was not revoked for certificate and its entire CA chain

Apigee validates that target endpoints present a trusted, valid Certificate. Apigee validates the certificate chain, to a trusted root that you have configured in your Truststore. Apigee also checks the expiry.

For revocation, I don't believe the Apigee southbound connection verifies OCSP assertions.

In the next-generation SaaS release, expected to arrive this year, you'll be able to use OCSP-stapling on the certs for the respective peers used on the target endpoints.
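The three checks from the question, and the split the reply describes (chain signatures and expiry on one side, revocation on the other), as an added Go example; this is not code from the thread, from Apigee, or from the reply's author, and it runs independently of any gateway. It assumes a constructed in-memory PKI (a root, an issuing intermediate, and a leaf for the made-up name target.example.internal) and a constructed CRL signed by that intermediate; `VerifyTargetChain`, `CheckNotRevoked`, `buildPKI` and `sampleCRL` are names chosen here, not Apigee APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed test PKI, generated in memory for this example only:
// a self-signed root, an issuing intermediate, and a leaf standing in for
// the target server certificate presented during the mTLS handshake.
type testPKI struct {
	Root, Inter, Leaf *x509.Certificate
	InterKey          *ecdsa.PrivateKey // used to sign the sample CRL
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func buildPKI(now time.Time) testPKI {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	caTmpl := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.AddDate(years, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA", 10)
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(caTmpl(2, "Example Issuing CA", 5), root, &interKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "target.example.internal"}, // constructed name
		DNSNames:     []string{"target.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0), // one-year leaf, expires before the CAs do
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return testPKI{Root: root, Inter: inter, Leaf: leaf, InterKey: interKey}
}

// VerifyTargetChain covers the first two points: every signature in the chain
// is checked up to a root in the truststore, and every certificate in the chain
// must be inside its validity period at time `at`. Hostname matching is included
// because a chain that is valid for the wrong name is still a misconfiguration.
func VerifyTargetChain(leaf *x509.Certificate, intermediates []*x509.Certificate, truststore *x509.CertPool, hostname string, at time.Time) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         truststore,
		Intermediates: pool,
		DNSName:       hostname,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// CheckNotRevoked covers the third point, which chain verification alone never
// does: it takes a DER-encoded CRL from the leaf's issuer, verifies the CRL's own
// signature and freshness, and rejects the leaf if its serial is listed. An OCSP
// response would replace the CRL as the input; the decision logic is the same.
func CheckNotRevoked(leaf, issuer *x509.Certificate, crlDER []byte, at time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	// A stale CRL proves nothing, so fail closed rather than assume "not revoked".
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) {
		return errors.New("CRL is not current; refusing to treat the certificate as unrevoked")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

// sampleCRL builds a constructed CRL, signed by the intermediate, listing the given serials.
func sampleCRL(pki testPKI, now time.Time, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, pki.Inter, pki.InterKey)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	now := time.Now()
	pki := buildPKI(now)
	truststore := x509.NewCertPool()
	truststore.AddCert(pki.Root)
	inters := []*x509.Certificate{pki.Inter}
	host := "target.example.internal"

	fmt.Println("chain now:       ", VerifyTargetChain(pki.Leaf, inters, truststore, host, now))
	fmt.Println("chain in 2 years:", VerifyTargetChain(pki.Leaf, inters, truststore, host, now.AddDate(2, 0, 0)))
	fmt.Println("untrusted root:  ", VerifyTargetChain(pki.Leaf, inters, x509.NewCertPool(), host, now))
	fmt.Println("empty CRL:       ", CheckNotRevoked(pki.Leaf, pki.Inter, sampleCRL(pki, now), now))
	fmt.Println("revoking CRL:    ", CheckNotRevoked(pki.Leaf, pki.Inter, sampleCRL(pki, now, pki.Leaf.SerialNumber), now))
}
```

The point of keeping the two functions separate is the one made in the reply: a passing chain check (signatures and expiry against the truststore) says nothing about revocation, so on a setup where the gateway does not consult OCSP or a CRL, revocation has to be an explicit extra step with its own freshness and fail-closed rules.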

Thanks Dino for the confirmation.

We have an on-prem setup and I will look into how we can put in place OCSP assertions at runtime.