Layer7 API Management


 Trust root/intermediate certificate

Geethu John posted Oct 17, 2024 03:47 AM

Hi,

Is there any way I can configure the gateway to use a root/intermediate certificate for connecting to backend applications, so that services are not disrupted when there is an update to the server cert? Sometimes app teams do not inform the API gateway team of a cert renewal.

Geethu

Thijs Bazuin

Hi John, 

Gateway to use root/intermediate certificate for connecting to backend applications: No, I don't think this is possible; if you create an SSL connection it's always with a certificate. If the backend applications verify the certificate on the chain (intermediate and root certificate), then there won't be an issue if your gateway certificate is renewed, as long as the root and intermediate stay the same.

If this issue is about the backend application certificate that's changed, you can trust the intermediate and root certificate (mark it as trust anchor), and even if they change their certificate but keep the intermediate and root the same, the connection will be fine.

If this is about client authentication, you could add a cert.subjectDN comparison to your policy, so if the cert.subjectDN is allowed and the root and intermediates are trusted, then the client is allowed. In case of a certificate change where the subjectDN and the root/intermediates are trusted, there isn't an issue when replacing the cert.

Geethu John

Hi,

Thanks for your reply.

"If this issue is about the backend application certificate that's changed, you can trust the intermediate and root certificate (mark it as trust anchor), and even if they change their certificate but keep the intermediate and root the same, the connection will be fine."

This is my issue. When the backend app cert is changed, they might not inform us, so the API gateway throws an error for not trusting it. So I manually retrieve it from 'Manage Certificates'. I already have the root and intermediate certs stored. Maybe I will verify the configuration.

Can I confirm, for the root and intermediate cert:

  • Mark it as trust anchor.
  • Check:
    Outbound SSL Connections
    Signing Certificates for Outbound SSL Connections
    Signing Client Certificates

I have this same config for the application cert too.

Geethu

Thijs Bazuin

Only the root is a trust anchor, no other checkbox.

Intermediate = NOT checked Trust Anchor + checked Signing Certificates for Outbound SSL Connections + checked Signing Client Certificates (if this intermediate is trusted by you to do so).

Remove the application cert from the truststore.

Keep in mind that if the application certificate Subject is important for you, you should make some extra validation. But if you trust all backends with a certificate signed by the trusted intermediate, then this should work.
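As an added example (not from the thread, and not Layer7 or Broadcom code), this Go program models the two truststore setups discussed above: trusting the root as an anchor plus the intermediate as a signing certificate survives a backend cert renewal, while pinning the server cert itself does not, and any backend under the same intermediate is accepted unless the expected Subject/host is also checked. The CA names, hostnames and serial numbers are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn: self-signed when parent is nil (the root), otherwise signed by parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if !isCA { // server (leaf) certificate: no CertSign, but the serverAuth EKU that TLS clients require
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, skey := tmpl, key // self-signed root unless a parent is given
	if parent != nil { signer, skey = parent, pkey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, skey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainTrusted models the truststore from the thread: root marked as trust anchor, intermediate as a
// signing certificate for outbound SSL, and host as the extra subject validation ("" skips it).
func chainTrusted(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// Demo returns [original leaf trusted, renewed leaf trusted via anchors, renewed leaf identical to the
// pinned old leaf, other backend under the same CA trusted chain-only, other backend trusted with host check].
func Demo() [5]bool {
	root, rootKey := mkCert("Example Root CA", true, nil, nil, 1) // constructed PKI, not any real CA
	inter, interKey := mkCert("Example Issuing CA", true, root, rootKey, 2)
	leaf1, _ := mkCert("app.backend.example", false, inter, interKey, 3)
	leaf2, _ := mkCert("app.backend.example", false, inter, interKey, 4) // renewal: new key, same issuer
	other, _ := mkCert("other.backend.example", false, inter, interKey, 5)
	return [5]bool{chainTrusted(leaf1, inter, root, "app.backend.example"),
		chainTrusted(leaf2, inter, root, "app.backend.example"), leaf1.Equal(leaf2),
		chainTrusted(other, inter, root, ""), chainTrusted(other, inter, root, "app.backend.example")}
}
```

The third result is false because importing the server certificate itself into the truststore is a pin on one key, which is exactly what breaks when the app team renews without telling you; the fourth and fifth show why the Subject/host check is needed once you trust everything under the intermediate.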