Layer7 API Management

Unlike browsers the API Gateway does not implicitly trust anyone's certificate (not even itself). In order to route to an HTTPS endpoint, some level of trust in the certificate presented by the server must be configured in the Gateway. The simplest way to do this is to use the Manage Certificates interface to load the endpoint certificate directly and check the "Outbound SSL Connections" box in the Options tab for the certificate. This is how explicit trust is declared for a certificate in the Gateway, and I am assuming this is what was done for it to work in the first place. Unfortunately this will not "survive" when the server certificate changes at the server (either it expires and is replaced or they have some kind of rotating certificate configuration) and will result in the type of errors you are seeing, so a better option is to declare implicit trust in a certificate by loading a certificate from higher up its chain.

There are two approaches to this:

1. Load an issuer certificate from higher up the chain and declare it as a trust anchor. One could go all the way up to the root authority and trust anything anywhere in their chain. For example, the chain for graph.microsoft.com is:

• depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = graph.microsoft.com
• depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 02
• depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

In this example the "CN = graph.microsoft.com" certificate is the actual server certificate, which was signed by the "CN = Microsoft Azure TLS Issuing CA 02" cert, which in turn was signed by the "CN = DigiCert Global Root G2" cert, which is a self signed root authority. If you load up your browser and look at the list of authorities, you will find the "CN = DigiCert Global Root G2" cert already installed. When you access graph.microsoft.com it will present the first two certs as its chain, and since you have the root authority already in there and trusted, the chain is valid and it works.

2. There is an unpublished cluster-wide property that will enable *all* of the authorities that are part of the Java trust store that are stored in $JAVA_HOME/jre/lib/security/cacerts. It is unpublished for a reason - we don't encourage its use in lieu of encouraging tighter control on your trust chains.

So if a server is rotating certificates you should find the lowest common denominator certificate in the chain, load that into your trusted certs, check the "Signing Certificates for Outbound SSL Connection" usage option and mark it as a trust anchor.

Please let me know if this helps solve what you are seeing.

Unlike browsers the API Gateway does not implicitly trust anyone's certificate (not even itself). In order to route to an HTTPS endpoint, some level of trust in the certificate presented by the server must be configured in the Gateway. The simplest way to do this is to use the Manage Certificates interface to load the endpoint certificate directly and check the "Outbound SSL Connections" box in the Options tab for the certificate. This is how explicit trust is declared for a certificate in the Gateway, and I am assuming this is what was done for it to work in the first place. Unfortunately this will not "survive" when the server certificate changes at the server (either it expires and is replaced or they have some kind of rotating certificate configuration) and will result in the type of errors you are seeing, so a better option is to declare implicit trust in a certificate by loading a certificate from higher up its chain.

There are two approaches to this:

1. Load an issuer certificate from higher up the chain and declare it as a trust anchor. One could go all the way up to the root authority and trust anything anywhere in their chain. For example, the chain for graph.microsoft.com is:

• depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = graph.microsoft.com
• depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 02
• depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

In this example the "CN = graph.microsoft.com" certificate is the actual server certificate, which was signed by the "CN = Microsoft Azure TLS Issuing CA 02" cert, which in turn was signed by the "CN = DigiCert Global Root G2" cert, which is a self signed root authority. If you load up your browser and look at the list of authorities, you will find the "CN = DigiCert Global Root G2" cert already installed. When you access graph.microsoft.com it will present the first two certs as its chain, and since you have the root authority already in there and trusted, the chain is valid and it works.

2. There is an unpublished cluster-wide property that will enable *all* of the authorities that are part of the Java trust store that are stored in $JAVA_HOME/jre/lib/security/cacerts. It is unpublished for a reason - we don't encourage its use in lieu of encouraging tighter control on your trust chains.

So if a server is rotating certificates you should find the lowest common denominator certificate in the chain, load that into your trusted certs, check the "Signing Certificates for Outbound SSL Connection" usage option and mark it as a trust anchor.

Please let me know if this helps solve what you are seeing.

Unlike browsers the API Gateway does not implicitly trust anyone's certificate (not even itself). In order to route to an HTTPS endpoint, some level of trust in the certificate presented by the server must be configured in the Gateway. The simplest way to do this is to use the Manage Certificates interface to load the endpoint certificate directly and check the "Outbound SSL Connections" box in the Options tab for the certificate. This is how explicit trust is declared for a certificate in the Gateway, and I am assuming this is what was done for it to work in the first place. Unfortunately this will not "survive" when the server certificate changes at the server (either it expires and is replaced or they have some kind of rotating certificate configuration) and will result in the type of errors you are seeing, so a better option is to declare implicit trust in a certificate by loading a certificate from higher up its chain.

There are two approaches to this:

1. Load an issuer certificate from higher up the chain and declare it as a trust anchor. One could go all the way up to the root authority and trust anything anywhere in their chain. For example, the chain for graph.microsoft.com is:

• depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = graph.microsoft.com
• depth=1 C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 02
• depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

In this example the "CN = graph.microsoft.com" certificate is the actual server certificate, which was signed by the "CN = Microsoft Azure TLS Issuing CA 02" cert, which in turn was signed by the "CN = DigiCert Global Root G2" cert, which is a self signed root authority. If you load up your browser and look at the list of authorities, you will find the "CN = DigiCert Global Root G2" cert already installed. When you access graph.microsoft.com it will present the first two certs as its chain, and since you have the root authority already in there and trusted, the chain is valid and it works.

2. There is an unpublished cluster-wide property that will enable *all* of the authorities that are part of the Java trust store that are stored in $JAVA_HOME/jre/lib/security/cacerts. It is unpublished for a reason - we don't encourage its use in lieu of encouraging tighter control on your trust chains.

So if a server is rotating certificates you should find the lowest common denominator certificate in the chain, load that into your trusted certs, check the "Signing Certificates for Outbound SSL Connection" usage option and mark it as a trust anchor.

Please let me know if this helps solve what you are seeing.