Hoping someone can provide guidance... I have an API that I need to route to, but their certificate seems to change frequently (or maybe they have different certs on different services). As a result, my routing calls fail.
What changes do I need to make to support something like this? How should I go about importing their certificates if I can't anticipate what they will be?
If the backend isn't a Self Signed Cert and has had a Cert Authority sign their certs, then you can trust the signer. Usually this guy is valid for a few more years compared to the server certificate itself.
Make sure the signing cert is in your trust store (i.e. 'Manage Certificates') and make sure in the 'OPTIONS' that this guy is used for 'Outbound SSL Connections' and in the 'Validation' tab, that this 'Certificate is a trust anchor'.
What this means is that any cert that is immediately signed by this Trust Anchored Cert will automatically be trusted, as we trust the signer.
So, going further, any cert/private key that is deployed on your backend will be trusted, as long as those certs were signed via the signing cert we configured to be a 'Trust Anchor'.
hope this helps,
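The behaviour described in the answer above (trust the signing CA, and re-issued server certificates keep validating) can be reproduced offline with openssl. This is an added example, not part of the original thread or the gateway's own tooling; the CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: "Demo Signing CA" and api.example.test are made-up names.
set -eu

# Issue a leaf certificate for CN=$1, signed by the demo CA; writes $2.crt
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the trust anchor in $1
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

status() {
  if trusted_by ca.crt "$1"; then echo trusted; else echo untrusted; fi
}

# Runs in a subshell so the caller's working directory is left alone
run_demo() (
  dir="$(mktemp -d)"
  cd "$dir"
  # The signing CA: the only certificate placed in the trust store
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Signing CA" -days 365 2>/dev/null
  # The backend's current certificate, then a rotated one with a new key
  issue_leaf api.example.test leaf_old
  issue_leaf api.example.test leaf_new
  # A self-signed certificate for the same name, not issued by the CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key \
    -out selfsigned.crt -subj "/CN=api.example.test" -days 30 2>/dev/null
  echo "old=$(status leaf_old.crt) new=$(status leaf_new.crt) self_signed=$(status selfsigned.crt)"
  cd /
  rm -rf "$dir"
)

run_demo
```

Both CA-issued certificates validate against the single anchor and the self-signed one does not. Because the anchor accepts every certificate that CA issues, the hostname check on the connection still has to match the backend's name.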
We have the following procedure in the MAG to deal with social login providers who change their certificates. You need to set cluster-wide properties. These properties configure the MAG to accept any certificate signed by well-known CAs (Certificate Authorities).
This is an optional procedure.
If you configure MAG to accept any certificate signed by well-known CAs (Certificate Authorities), you do not have to import certificates.
Providers change their SSL certificates frequently. To avoid connection issues, set the following cluster-wide properties:
To set cluster-wide properties:
Hope this helps!