Layer7 API Management

  • 1.  Certification chain

    Posted Sep 03, 2018 05:25 AM

    Hello,


    The customer described the following problem:


    We have one or two backend service providers who are constantly changing their SSL certificates.
    For just these routing URLs I want to trust a CA cert and not "pin" the actual server cert itself.
    On Friday, for our Oracle RightNow resource I tried adding the new Oracle root cert and making sure "Signing Certs" and "Trust Anchor" were checked, but when they did their change it seemed to have no effect and we started receiving empty payloads (as usual with untrusted routes).


    Is it possible to trust via a certificate higher up in the certification chain instead?

    Many thx in advance.

    ~Frank




  • 2.  Re: Certification chain
    Best Answer

    Posted Sep 03, 2018 12:22 PM

    Hi.

    You need to import the cert chain (Root CA and intermediate certs) into the gateway, enable the Outbound SSL Connection, and set the Root CA as the trust anchor.


    Certificate-Related Errors in Audits and Logs of t - CA Knowledge 



  • 3.  Re: Certification chain

    Posted Sep 04, 2018 09:54 AM

    CA API Gateway requires us to maintain the intermediates in addition to the root for a TLS connection? Managing intermediates is more difficult and in other apps we can simply trust the Root CA - the client returns the chain as part of TLS negotiation, walk it up and verify it chains up to the Root CA; there is no need to maintain the intermediates which may change every couple of years.



  • 4.  Re: Certification chain

    Posted Sep 04, 2018 03:15 PM

    If you mark the root CA as a trust anchor and it's configured correctly for your use case, then you won't need to have the intermediates involved, as it trusts the root CA instead.
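
    The replies above make two claims that are easy to check outside the gateway: a trust store holding only the root CA is enough as long as the intermediate is presented with the server cert, and a "pinned" leaf stops verifying the moment the backend rotates it. The script below is an added example, not code from the thread or from the CA/Layer7 product. It builds a throwaway root -> intermediate -> leaf chain with openssl (all names, such as "Example Root CA" and backend.example.com, are placeholders) and runs `openssl verify` with three different trust-store contents. The `-untrusted` intermediate stands in for the chain a TLS server sends in its Certificate message.

```shell
#!/bin/sh
# Added example (not from the thread or the gateway product): build a
# root -> intermediate -> leaf chain with openssl and check what the trust
# store must contain for the leaf to verify. All names below
# (Example Root CA, backend.example.com) are placeholders.
set -eu

# Create a key and CSR for $name under $dir, then have CA $ca sign it
# with the extensions listed in $dir/$ext.
# usage: issue DIR NAME SUBJECT EXTFILE CA_NAME
issue() {
  dir=$1; name=$2; subj=$3; ext=$4; ca=$5
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$ext" -out "$dir/$name.pem" 2>/dev/null
}

# Build the chain: a self-signed root, one intermediate, and two leaves for
# the same host (leaf2 plays the rotated server certificate).
make_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:backend.example.com\n' \
    > "$dir/leaf.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null
  issue "$dir" int   "/CN=Example Intermediate CA" ca.ext   root
  issue "$dir" leaf  "/CN=backend.example.com"     leaf.ext int
  issue "$dir" leaf2 "/CN=backend.example.com"     leaf.ext int
}

# Trust store = root only; the intermediate is supplied as -untrusted, the
# way a TLS server hands it over in the handshake. Exit status 0 on success.
verify_root_anchor() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$2" >/dev/null 2>&1
}

# Trust store = root only and no intermediate available anywhere: chain
# building stops at the leaf ("unable to get local issuer certificate").
verify_root_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
}

# Pinning: trust store = one specific leaf. Works until the server rotates.
verify_pinned_leaf() {
  openssl verify -partial_chain -CAfile "$1/leaf.pem" "$2" >/dev/null 2>&1
}

# Print a one-line verdict for one check without aborting the script.
report() {
  if "$1" "$2" "$3"; then
    echo "$1 $(basename "$3"): OK"
  else
    echo "$1 $(basename "$3"): FAIL"
  fi
}

main() {
  dir=$(mktemp -d)
  make_chain "$dir"
  for leaf in leaf leaf2; do
    report verify_root_anchor               "$dir" "$dir/$leaf.pem"
    report verify_root_without_intermediate "$dir" "$dir/$leaf.pem"
    report verify_pinned_leaf               "$dir" "$dir/$leaf.pem"
  done
  rm -rf "$dir"
}

main
```

    Both leaves verify against the root-only trust store when the intermediate is presented, and only the original leaf verifies under pinning, which is the behaviour the thread is after. The second check is the caveat: if a backend sends only its leaf and not the intermediate, a root-only trust store fails with "unable to get local issuer certificate", and that is the case in which importing the intermediate as well makes a difference. Before adding a new root, confirm it really heads the chain the backend now sends, for example with `openssl s_client -connect host:443 -showcerts`.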



  • 5.  Re: Certification chain

    Posted Sep 04, 2018 04:17 PM

    Great, thanks for the clarification. I saw the intermediates mentioned and got concerned, since we are starting to look at a similar routing setup to the OP's, wanting to trust only the Root CA list.