Two way TLS with Postman Client

Thanks for reading my request.

I am trying to set up two-way TLS on Apigee Edge. I have created a virtual host in Apigee and a truststore. Right now, I am using the built-in trial certificate for the virtual host. I have configured the truststore through a ref and I have it enabled on the vhost in the Apigee UI.

I have created a self-signed certificate using openssl and I uploaded the CRT to the truststore. The CN and SAN for the cert are the fully qualified domain name of my local machine.

In Postman, I have configured the certificate for the URL used by the Apigee vhost, and I used the same CRT as is in the Apigee truststore.

When I send a POST with the vhost url from Postman to Apigee, I get a 400 along with the following HTML:

<html>
<head>
 <title>400 No required SSL certificate was sent</title>
</head>
<body>
 <center>
 <h1>400 Bad Request</h1>
 </center>
 <center>No required SSL certificate was sent</center>
 <hr>
 <center>server</center>
</body>
</html> 

But Postman console does show that a certificate is included, under "Client Certificate".

I have captured the exchange between the Postman client on my machine and the Apigee vhost in Wireshark and I see:

1. [from my localhost] Client Hello

2. [from the vhost] Server Hello.

3. [vhost] Certificate

4. [vhost] Server Key Exchange, Certificate Request, Server Hello Done

5. [localhost] Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message

6. [vhost] New Session Ticket, Change Cipher Spec, Encrypted Handshake Message

7. [localhost] Application Data

8. [vhost] Application Data

9. [vhost] Encrypted Alert

After this, I get FINs and RSTs.

Is there something that I'm missing? I'm hoping that, since both products are Alphabet/Google, someone has been down this path before. Please share what has worked when setting up two-way TLS between a Postman client and an Apigee vhost.

Thanks again for taking the time to read this. I'd appreciate any suggestions.

1 ACCEPTED SOLUTION

Did you include the KEY file on postman when adding the cert? I get a 400 No required SSL certificate was sent when the KEY file is missing. The key file should be the private key that was used to generate the certificate. You add it on the same page where you add the CRT file in Postman. Both key and cert should be added.


7 REPLIES


Hello Nathan,

That has helped. I added both the CRT and the KEY files to Postman, with only the CRT file in the truststore on Apigee. I now get a 400, but the response text has changed. The Wireshark exchange is similar to what I previously explained. I will look here for solutions.

<html>
<head>
 <title>400 The SSL certificate error</title>
</head>
<body>
 <center>
 <h1>400 Bad Request</h1>
 </center>
 <center>The SSL certificate error</center>
 <hr>
 <center>server</center>
</body>
</html> 

I just ran across this here. I bolded the text in the bullet point:

About keystores/truststores and virtual hosts for Edge Cloud

The process of creating keystores/truststores for Edge Cloud requires that you follow all of the rules about using virtual hosts. For example, with virtual hosts in the Cloud:

  • Virtual hosts must use TLS.
  • Virtual hosts can only use port 443.
  • You must use a signed TLS cert. Unsigned certs are not allowed for use with virtual hosts in the Cloud.
  • The domain name specified by the TLS cert must match the host alias of the virtual host.

Edit: That specific requirement "Unsigned certs are not allowed for use with virtual hosts in the Cloud." may refer to the keystore configuration vs the truststore configuration.

Certificates and certificate chains in the Truststore need to terminate with a root cert (a cert that is self-signed). Using a self-signed cert you generated fulfills this requirement of being signed by itself. I have tested using self-signed certs on the cloud before, so it is possible to use them for testing purposes. If your self-signed cert was generated as part of a chain (multiple certs with a root cert), then you'll want to add the entire chain to your Truststore.


You can refresh your truststore reference using the management API by sending a

GET https://api.enterprise.apigee.com/v1/organizations/{org_name}/environments/{env_name}/references/{re...

to get your reference information and an update request using the info from the GET request:

PUT https://api.enterprise.apigee.com/v1/organizations/{org_name}/environments/{env_name}/references/{re...

Request Body
{ "name":"{ref_name}", "refers":"{entity}", "resourceType":"{entity_type}" }

See the "References" section under: https://apidocs.apigee.com/docs/


This will just make sure that Apigee is reading any changes you've made to the truststore you are referencing.

Otherwise I'd double-check your configuration to make sure the proxy is referencing the correct virtual host, that the cert in the truststore matches the cert you are sending, and that the key file is the key used to generate that cert.
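The two checks this answer and the accepted solution ask for (is the KEY file really the private key behind the CRT, and does the self-signed cert terminate its own chain so it can sit in the truststore) can be scripted. The POSIX shell script below is an added example, not code from this thread, Postman or Apigee; it assumes only the openssl CLI, and the hostname client.example.test is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Apigee/Postman): build a self-signed
# client certificate whose CN and SAN name a host, then run the checks the thread
# turns on. Assumes only the openssl CLI; "client.example.test" is a constructed
# hostname.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_selfsigned_cert HOST KEYFILE CERTFILE
# Writes an unencrypted 2048-bit RSA key and a one-year self-signed certificate
# with CN=HOST and subjectAltName=DNS:HOST. CA:TRUE is what a stock openssl.cnf
# also puts on `req -x509` output, so the cert can act as its own trust anchor.
make_selfsigned_cert() {
  host="$1"; keyfile="$2"; certfile="$3"
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$keyfile" -out "$certfile" -config "$cfg" -extensions v3_req \
    >/dev/null 2>&1
  rm -f "$cfg"
}

# key_matches_cert KEYFILE CERTFILE
# Succeeds only when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. this is the CRT/KEY pair Postman needs.
key_matches_cert() {
  key_pub="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# is_self_signed CERTFILE
# Succeeds when the certificate verifies with itself as the only trust anchor:
# issuer equals subject and the signature checks under its own key. That is the
# "terminates in a root" property a truststore entry needs.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# san_matches CERTFILE HOST
# Succeeds when DNS:HOST is listed in the certificate's subjectAltName.
san_matches() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# Demo: a matching pair passes; the key behind a different cert does not.
demo() {
  make_selfsigned_cert client.example.test "$WORK/client.key" "$WORK/client.crt"
  make_selfsigned_cert other.example.test  "$WORK/other.key"  "$WORK/other.crt"

  if key_matches_cert "$WORK/client.key" "$WORK/client.crt"; then
    echo "ok: client.key is the private key behind client.crt"
  fi
  if ! key_matches_cert "$WORK/other.key" "$WORK/client.crt"; then
    echo "mismatch: other.key does not belong to client.crt"
  fi
  if is_self_signed "$WORK/client.crt"; then
    echo "ok: client.crt verifies against itself, so it can terminate a truststore chain"
  fi
  if san_matches "$WORK/client.crt" client.example.test; then
    echo "ok: SAN covers client.example.test"
  fi
}

demo
```

Run it as-is to see the four lines of output; to check a pair you already have, source the file and call `key_matches_cert your.key your.crt` and `is_self_signed your.crt` directly. A key that fails `key_matches_cert` is the wrong file to upload next to the CRT in Postman, whatever the handshake error text says.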

Thank you! I didn't realize that the reference needed to be refreshed. I tested this by creating a separate keystore to use as a truststore. I put the certificate only into that truststore and created a reference for it. Then I switched the reference for the two-way TLS truststore in the virtual host. Now it works. When I send a message from Postman with the certificate and key set up for that domain, I can see the distinguished name of my self-signed cert in the Certificate Request TLS message when analyzing the traffic using Wireshark. I can also see the message going through the policies on the proxy.

Thanks, again!!

Hi,

Can you please let me know: I am getting client.cn as null although I am sending the SSL certificate PEM file through Postman, and I can see the network TLS showing the common name in Postman, but it comes through as null on APIGEE. I don't know what I am doing wrong. Is there any documentation on how to send certificates to the virtual host so that the SSL certificate details can be read?

Regards,

You need to ask a new question. This thread is from 2 years ago and is on a completely different topic.