What are the Certificate Authorities (CA) automatically trusted by Apigee?

I could see here that Verisign & Symantec are the CAs that are automatically trusted by Apigee.

For all I know, if I have mTLS enabled and I pass a certificate signed by either of these two CAs, it will work even if I did not specifically upload their CA cert to my truststore, right?

But what will happen if my certificate was signed by another, not well known CA, like maybe Digicert? What will happen? Will it proceed, or do I need to add their CA cert to my truststore?



Apigee supports all CA certificates. You need to add a full certificate chain provided by the CA. Then it will be able to establish mTLS.

Apigee supports all CA certificates.

This is not true. As indicated in the documentation link cited in the question, Apigee states that it trusts CA Certs by "trusted CAs" but does not itemize the specific CAs.

The question seems to be, "OK, which specific CAs does Apigee trust?" and it's a good question.

You have a few different questions in your post. Let me try to answer some of them.

First, in the title

What are the Certificate Authorities (CA) automatically trusted by Apigee?

The list is not published. There is a defect asking Apigee to rectify that: b/163357787

if I have mTLS enabled and I passed a certificate signed by either of this two CAs, it will work even if I did not specifically uploaded their CA cert in my truststore right?.

Not quite. X.509 certificate validation does not work that way. I have written a description for how it works here. In short, when the TLS peers do the handshake, they exchange certificate lists. The receiver of the cert list validates by checking that the certs in the list all belong to a sequential chain, and that the last link in the chain is signed by a trusted root, "like VeriSign or Symantec" as the Apigee documentation currently (2020 August 13) says. There are other trusted roots, but Apigee hasn't documented them. There's an open defect asking Apigee to document them. ref: b/163357787

what will happen if my certificate was signed by another not well known CA like maybe Digicert?. What will happen?, will it proceed or do I need to add their CA cert in my truststore?.

We don't know, because we don't know the list of trusted CAs. Until Apigee documents the list, you must try it to see.
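The chain validation described in the reply above (leaf, intermediates, trusted root in the receiver's truststore) can be reproduced offline. The following Go program is an added example written for this page; it is not Apigee code and does not model any real CA. It constructs a root CA, an intermediate and a client leaf, then runs the same check a TLS server performs on the peer's certificate list: once with the root in the truststore, once with an empty truststore (an "unknown CA"), and once with the intermediate omitted from the presented chain. All names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
// The hierarchy built from it is constructed for this example, not a real CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil { // self-signed root: template signs itself
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate returns a CA certificate template valid for one day.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// VerifyClientChain does what the receiving TLS peer does with the presented list:
// presented[0] is the client leaf, the rest are intermediates, and the chain must
// end at a root contained in truststore. It returns nil when validation succeeds.
func VerifyClientChain(presented, truststore []*x509.Certificate) error {
	if len(presented) == 0 {
		return errors.New("no client certificate presented")
	}
	roots := x509.NewCertPool() // an explicit (possibly empty) pool: system roots are NOT consulted
	for _, c := range truststore {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// IsUnknownAuthority reports whether a failure means "the chain does not reach a
// trusted root", as opposed to expiry or key-usage problems.
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Scenarios builds root -> intermediate -> client leaf and reports, per scenario,
// whether the receiver accepts the client certificate.
func Scenarios() (map[string]bool, error) {
	root, rootKey, err := issue(caTemplate(1, "Constructed Example Root CA"), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Constructed Example Intermediate CA"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "client.example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	full := []*x509.Certificate{leaf, inter}
	trusted := []*x509.Certificate{root}
	return map[string]bool{
		"full chain, root trusted":         VerifyClientChain(full, trusted) == nil,
		"full chain, root not trusted":     VerifyClientChain(full, nil) == nil,
		"leaf only, root trusted":          VerifyClientChain([]*x509.Certificate{leaf}, trusted) == nil,
		"untrusted root is UnknownAuthority": IsUnknownAuthority(VerifyClientChain(full, nil)),
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-36s %v\n", name, ok)
	}
}
```

The two rejected scenarios are the practical point of the thread: a client certificate is accepted only when the receiver can build an unbroken chain from the leaf to a root it already trusts, so a CA missing from the truststore and an intermediate missing from the presented chain fail in the same way (an unknown-authority error), regardless of how well known the CA is.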

Hi Dino,

Just like the topic starter, I'm wondering as well which Certificate Authorities are trusted by default in Apigee. Because this topic was created several months ago, I was wondering if any progress has been made in the meantime (ref: b/163357787).

Hi Maarten, thanks for your follow-up. Sadly, I don't have an update on this ticket. I just checked and there has been some discussion, but the documentation issue has not been resolved. I will escalate.