Apigee X and self-signed client certificates for southbound traffic

I have to use mTLS when invoking a specific target service from Apigee. In other words, Apigee will send a client certificate to that server, in addition to validating the server certificate.

The server team sent us the client certificate we have to use. It is a self-signed certificate in .p12 format, with a password. When I use it with curl, it works OK and I can communicate with the backend service. But when I upload that certificate to Apigee, configure the Target Server, aliases etc. and test it, I get an error “SSL Handshake failed null”.

I checked the configuration and it is the same as another working Target Server with mTLS enabled; the only difference I see is the client certificate, which is not signed by a trusted entity. But it is a client certificate for southbound traffic, so I don’t see why Apigee should validate that…

My question is: Does Apigee X allow the use of self-signed client certificates for southbound traffic?

Also, I have another doubt. I downloaded the generated .pem file from the KeyStore in Apigee (the original is p12 but it seems that Apigee transforms it to .pem), just for testing, and when I try to use it with curl, it asks me for a private key… Is there any way of getting that private key from Apigee X?

Can you please provide more details specifically around “upload” and “configure”? Be specific.
What did you do? How did you configure it? Show the Target Server configuration. Explain what you did with keys and certs. Be explicit.

As far as I know, yes.

  • Apigee uses the cert in the TrustStore to validate the upstream partner.
  • Apigee uses the key in the keystore to authenticate itself.

The .p12 format usually contains the key and the cert. Did you upload that .p12 file into Apigee, and if so, can you explain specifically how you did that?

I didn’t go into details because I’ve done exactly the same with other certificates and it worked, so I don’t think the problem is in the way I’m doing it… Anyway, here is the process.

I go to the web interface of Apigee X, click “Environments”, select my environment, go to “TLS Keystores” and click “Create Keystore”. I select a name and create it. Then I click the “Create alias” button and fill in these fields:

For the TrustStore I follow the same procedure, except for the certificate details, because this is a .pem so I select “Certificate Only”. Anyway, I already tested not configuring any TrustStore in the Target Server, which should be the same as the -k option in curl, and it doesn’t work either, so I don’t think there is a problem with the TrustStore.

Finally it is shown this way:

Then I create references for the keystores (sorry, but I am not allowed to upload more than 3 images, so I deleted this one because I think it is the least useful).

And finally I configure a Target Server:

As I said, this is the same as we have done with other Two-way TLS connections and those worked, so I thought that maybe the problem was related to using a self-signed client certificate, because if I don’t select any TrustStore, I get the same error.

Please tell me if you see anything wrong in this configuration. Thank you very much.

Also, I have another doubt: how much time should I wait for the changes to be applied? I remember that we had to restart the Message Processor in Apigee Edge, but we cannot do that in Apigee X…
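The post above describes the Target Server through screenshots that did not survive. As an added example (not from the thread and not Apigee's own code), this is the same configuration in the form the Apigee X management API takes, built by a small shell function and linted before it is sent. Field names are those of the Apigee X TargetServer/TlsInfo resource; the org, environment, host, reference and alias names are placeholders, and the lint rules (references only, no disabled validation) are this example's own policy.

```shell
#!/bin/sh
# Added example, not from the thread: the management-API form of a Target
# Server with southbound mTLS, plus a pre-flight lint of the payload.
# ORG/ENV, host, reference and alias names are placeholders.
set -e

# Build the payload. clientAuthEnabled=true is what makes Apigee present the
# keystore alias as its client certificate; keyStore/trustStore point at the
# references created for the keystores rather than at the keystores directly.
target_server_json() {
  name="$1"; host="$2"; port="$3"; ks_ref="$4"; alias="$5"; ts_ref="$6"
  cat <<EOF
{
  "name": "$name",
  "host": "$host",
  "port": $port,
  "isEnabled": true,
  "sSLInfo": {
    "enabled": true,
    "clientAuthEnabled": true,
    "keyStore": "$ks_ref",
    "keyAlias": "$alias",
    "trustStore": "$ts_ref",
    "ignoreValidationErrors": false
  }
}
EOF
}

# Lint before the payload leaves your machine: stores must be references
# (ref://...), client auth needs an alias, and server-cert validation must
# stay on. Turning ignoreValidationErrors on "to make it work" removes the
# upstream check that a TrustStore exists for in the first place.
check_mtls_payload() {
  payload="$1"
  printf '%s' "$payload" | grep -q '"keyStore": "ref://'            || return 1
  printf '%s' "$payload" | grep -q '"trustStore": "ref://'          || return 1
  printf '%s' "$payload" | grep -q '"keyAlias": "[^"]'              || return 1
  printf '%s' "$payload" | grep -q '"clientAuthEnabled": true'      || return 1
  printf '%s' "$payload" | grep -q '"ignoreValidationErrors": false' || return 1
  return 0
}

PAYLOAD=$(target_server_json partner-mtls backend.partner.example 443 \
  ref://partner-keystore-ref partner-client ref://partner-truststore-ref)
check_mtls_payload "$PAYLOAD" && printf '%s\n' "$PAYLOAD"

# To create it (placeholders ORG and ENV; needs a gcloud login with Apigee rights):
# curl -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
#   -H "Content-Type: application/json" -d "$PAYLOAD" \
#   "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/targetservers"
```

The same payload with `-X PUT` against `.../targetservers/partner-mtls` updates an existing Target Server, which is a quicker way to confirm that a change has actually been applied than waiting and retrying the proxy.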

Finally we agreed with the backend team to use another client certificate, also self-signed but generated by ourselves. It worked, so I guess that there is no problem with self-signed client certificates in Apigee X, and the problem was in the specific client-certificate generated by our backend partners.

Anyway it would be great if we could resolve the following doubts:

  1. If we upload a .p12 to Apigee in the way I explained in the previous post, and then download it from Apigee, we get a .pem file. If I try to use that .pem client certificate with curl, it fails saying that a private key is required. If I don’t have the original .p12 file and the password, this means I cannot use the certificate with curl for testing purposes. Is there any way to get the required private key from Apigee?
  2. We have seen that we cannot update a p12 client certificate without deleting it. There is an “Update” button, but it doesn’t work. It seems that it’s designed to work only with .pem certificates. We cannot update it using maven either. Is this a bug?
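An added example (not from the thread and not Apigee's code) that serves both the first question here and the earlier note that a .p12 carries the key and the cert together: it builds a password-protected .p12 holding a self-signed client certificate like the one described, splits it into the PEM certificate and private key that curl asks for, and runs the checks worth doing on a partner-supplied bundle before it goes into a keystore. Apigee exports only the certificate from a keystore alias, never the private key, so the original .p12 and its password are the only source of the key for local testing and belong under your own key management. The file names, password, subject and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed client cert in a
# password-protected .p12, split into the PEM cert and key that curl needs,
# plus the checks worth running on a partner-supplied bundle before
# uploading it to an Apigee keystore. File names, password and subject are
# constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12="$WORK/client.p12"
P12_PASS="constructed-p12-password"   # the partner would supply this
CERT="$WORK/client-cert.pem"
KEY="$WORK/client-key.pem"

# Stand-in for the partner's bundle: self-signed, marked for client auth.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-client.example" \
    -addext "extendedKeyUsage=clientAuth" \
    -keyout "$WORK/gen-key.pem" -out "$WORK/gen-cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/gen-cert.pem" -inkey "$WORK/gen-key.pem" \
    -name client -passout "pass:$P12_PASS" -out "$P12"
}

# Split the .p12: the cert is what the Apigee alias shows; the key is what
# Apigee never hands back, so it has to come from this original file.
extract_pem() {
  openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -clcerts -nokeys \
    -out "$CERT" 2>/dev/null
  openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nocerts -nodes \
    -out "$KEY" 2>/dev/null
}

# The key must belong to the cert: compare public-key digests.
key_matches_cert() {
  c=$(openssl x509 -in "$CERT" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Self-signed means issuer == subject. Apigee accepts that for a southbound
# client cert, so this alone does not explain a handshake failure.
is_self_signed() {
  s=$(openssl x509 -in "$CERT" -noout -subject)
  i=$(openssl x509 -in "$CERT" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# The cert must be usable for TLS client auth: curl will send a cert the
# server is entitled to refuse on purpose grounds, and that refusal
# surfaces as an opaque handshake error on the client side.
has_client_auth_eku() {
  openssl x509 -in "$CERT" -noout -purpose | grep -q '^SSL client : Yes'
}

# A cert about to expire also fails the handshake; check a week ahead so the
# partner has time to reissue and you have time to re-upload the alias.
not_expiring_soon() {
  openssl x509 -in "$CERT" -noout -checkend $((7 * 86400)) >/dev/null
}

make_demo_p12
extract_pem
for check in key_matches_cert is_self_signed has_client_auth_eku not_expiring_soon; do
  if "$check"; then printf '%-22s ok\n' "$check"; else printf '%-22s FAIL\n' "$check"; fi
done

# curl with the split files:   curl --cert "$CERT" --key "$KEY" https://backend.example/
# or with the .p12 directly:   curl --cert "$P12:$P12_PASS" --cert-type P12 https://backend.example/
```

Run the four checks against the partner's real .p12 by pointing `P12` and `P12_PASS` at it and skipping `make_demo_p12`; a failure in `key_matches_cert` or `has_client_auth_eku` is something to raise with the issuing team before spending more time on the Apigee side.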