The customer described the following problem:
We have one or two backend service providers who are constantly changing their SSL certificates. For just these routing URLs I want to trust a CA cert and not "pin" the actual server cert itself. On Friday, for our Oracle RightNow resource, I tried adding the new Oracle Root cert and making sure "Signing Certs" and "Trust Anchor" were checked, but when they did their change it seemed to have no effect and we started receiving empty payloads (as per usual with untrusted routes).
Is it possible to trust via a certificate higher up in the certificate chain instead?
Many thanks in advance.
You need to import the cert chain (Root CA and intermediate certs) into the gateway, enable the Outbound SSL Connection, and set the Root CA as the trust anchor.
Certificate-Related Errors in Audits and Logs of t - CA Knowledge
Does CA API Gateway require us to maintain the intermediates in addition to the root for a TLS connection? Managing intermediates is more difficult, and in other apps we can simply trust the Root CA: the client returns the chain as part of the TLS negotiation, we walk it up and verify that it chains to the Root CA, and there is no need to maintain the intermediates, which may change every couple of years.
If you mark the root CA as a trust anchor and it's configured correctly for your use case, then you won't need to have the intermediates involved, as it trusts the root CA instead.
Great, thanks for the clarification. I saw the intermediates mentioned and got concerned, since we are starting to look at a similar routing setup to the OP's, wanting to trust only the Root CA list.
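The following is an added illustration, not code from the original thread or from the CA API Gateway product, of the difference the thread is about: pinning the backend's server certificate breaks the moment the backend rotates it, while anchoring trust at the Root CA keeps working as long as the server presents its intermediate in the handshake. It is written in Go against the standard library's crypto/x509 chain verifier. The root, intermediate, the host name api.example.test and the serial numbers are all constructed for the example and stand in for a provider such as the one in the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed Root CA -> Intermediate CA hierarchy (not a real
// provider's PKI) from which rotating server certificates can be issued.
type Chain struct {
	Root, Intermediate *x509.Certificate
	intermediateKey    *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// NewChain builds a self-signed root and a root-signed intermediate.
func NewChain() *Chain {
	rootKey, intKey := mustKey(), mustKey()
	rootTmpl := caTemplate(1, "Example Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA"), root, &intKey.PublicKey, rootKey)
	return &Chain{Root: root, Intermediate: inter, intermediateKey: intKey}
}

// IssueLeaf mints a new server certificate for host from the intermediate.
// Calling it again with a new serial simulates the backend rotating its cert.
func (c *Chain) IssueLeaf(serial int64, host string) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, c.Intermediate, &mustKey().PublicKey, c.intermediateKey)
}

// VerifyWithRootAnchor models "Root CA as trust anchor": the only trusted
// certificate is root. presented is the chain the server sent in the TLS
// handshake, leaf first; any intermediates come from it, not from a local store.
func VerifyWithRootAnchor(root *x509.Certificate, presented []*x509.Certificate, host string) error {
	if len(presented) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// PinMatches models pinning the server certificate itself: the presented leaf
// must be byte-for-byte the one on file (compared by SHA-256 of the DER).
func PinMatches(pinned, presented *x509.Certificate) bool {
	return sha256.Sum256(pinned.Raw) == sha256.Sum256(presented.Raw)
}

func main() {
	const host = "api.example.test" // constructed host name
	ch := NewChain()
	old, rotated := ch.IssueLeaf(100, host), ch.IssueLeaf(101, host) // backend rotated its cert
	fmt.Println("pin still matches after rotation:", PinMatches(old, rotated))
	fmt.Println("root anchor, full chain presented:", VerifyWithRootAnchor(ch.Root, []*x509.Certificate{rotated, ch.Intermediate}, host))
	fmt.Println("root anchor, intermediate omitted by server:", VerifyWithRootAnchor(ch.Root, []*x509.Certificate{rotated}, host))
}
```

The third call shows the caveat behind the first answer's mention of intermediates: with only the root trusted, the chain can be completed only if the server actually sends its intermediate, so a backend that presents a bare leaf certificate still needs that intermediate imported locally. The host name check (DNSName) is what keeps a root-anchored trust from accepting any certificate the same CA ever issued.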