Layer7 API Management

  • 1.  Can I restrict the scope of a Trusted Certificate to a defined set of remote addresses?

    Posted Sep 08, 2017 12:54 PM

    Let's say I want to import our internal root CA in the trust store of the API Gateway, which would make a lot of sense in terms of certificate management, and that I want to be 100% certain that it is trusted only for internal network addresses. How can I do that?

     

    For example, say I take our internal root CA and sign a certificate that I use on a public server outside of our corporate network, and that I want the API Gateway to automatically refuse to trust it because it's a public address, is there a way to do this?



  • 2.  Re: Can I restrict the scope of a Trusted Certificate to a defined set of remote addresses?
    Best Answer

    Broadcom Employee
    Posted Sep 12, 2017 10:04 AM

    It doesn't seem this can be done on a certificate level.

    But I don't see why it couldn't be done at a policy level.

    You can use a global message received fragment (pre-policy):

    Restrict Access to IP Range

    And possibly a combination of the Extract Attributes from Certificate assertion, dependent on use case. Or a combination of other assertions, possibly evaluating all header values.

    But I think the only way you can do what you want is having a message fragment for the received message to do some restrictive verifications on inbound.

     

    I hope this helps.
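
    The policy-level check described in the answer above (check the remote address, extract the issuer from the client certificate, and accept only when the two agree), written out as an added example to show the decision logic. This is not Layer7 policy and not code from the original thread; it is a standalone Python illustration that models the attributes the gateway would have already extracted. The issuer DNs, the address ranges, and the `chain_valid` flag (standing in for the gateway's own trust-store validation, which this check supplements rather than replaces) are all constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed example policy (assumption, not Layer7 syntax): the networks from
# which certificates chaining to each trusted issuer are acceptable.
# None means the issuer is trusted from any remote address.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
]

INTERNAL_CA = "CN=Example Internal Root CA,O=Example Corp"   # constructed DN
PUBLIC_CA = "CN=Example Public Root CA,O=Example Public CA"  # constructed DN

TRUST_SCOPES: dict[str, Optional[list]] = {
    INTERNAL_CA: INTERNAL_NETS,  # internal root: internal addresses only
    PUBLIC_CA: None,             # public root: unrestricted
}


def issuer_in_scope(issuer_dn: str, remote_addr: str) -> bool:
    """True if issuer_dn is a known issuer and remote_addr falls inside its scope."""
    if issuer_dn not in TRUST_SCOPES:
        return False  # unknown issuer: never trusted, regardless of address
    allowed = TRUST_SCOPES[issuer_dn]
    if allowed is None:
        return True   # unrestricted issuer
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable address: fail closed
    return any(addr in net for net in allowed)


def evaluate(remote_addr: str, cert_attrs: dict, chain_valid: bool) -> tuple[bool, str]:
    """Decide whether to accept a client certificate for a request.

    remote_addr: the TCP peer address of the connection (assumption: taken from
                 the transport, not from a client-supplied header).
    cert_attrs:  attributes already extracted from the presented certificate;
                 only 'issuer_dn' is used here.
    chain_valid: result of the normal trust-store chain validation, which this
                 scoping check adds to rather than replaces.
    Returns (accept, reason).
    """
    if not chain_valid:
        return False, "certificate chain did not validate against the trust store"
    issuer = cert_attrs.get("issuer_dn", "")
    if issuer_in_scope(issuer, remote_addr):
        return True, f"issuer {issuer!r} is trusted for remote address {remote_addr}"
    return False, f"issuer {issuer!r} is not trusted for remote address {remote_addr}"


if __name__ == "__main__":
    # Constructed scenarios, including the one from the question: a certificate
    # signed by the internal root but presented from a public address.
    cases = [
        ("10.1.2.3", {"issuer_dn": INTERNAL_CA}, True),
        ("203.0.113.10", {"issuer_dn": INTERNAL_CA}, True),
        ("203.0.113.10", {"issuer_dn": PUBLIC_CA}, True),
        ("10.1.2.3", {"issuer_dn": "CN=Unknown CA"}, True),
        ("10.1.2.3", {"issuer_dn": INTERNAL_CA}, False),
    ]
    for addr, attrs, valid in cases:
        accept, reason = evaluate(addr, attrs, valid)
        print(f"{'ACCEPT' if accept else 'REJECT'}: {reason}")
```

    Two caveats a practitioner would want here, stated as my own observations rather than anything from the thread: the address must be the transport-layer peer address (or a header inserted by a load balancer you control), because anything the client can set in a header defeats the range check; and if the internal root issues through intermediates, the scope must be keyed on whatever the gateway exposes as the chain anchor, or the intermediate DNs must be listed alongside the root, otherwise the leaf issuer will not match.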



  • 3.  Re: Can I restrict the scope of a Trusted Certificate to a defined set of remote addresses?

    Posted Sep 13, 2017 09:11 AM

    Very interesting, this "might" do what we need in the end, but not exactly how we pictured it. I'll study this further, thanks for the answer!