Currently we are using inbuilt certs for Apigee Edge. Now that we are trying to set up our own certs, is there a way to configure auto-renewal of certs in Apigee Edge? In our case we want to assign these certs to virtual hosts.
As we expect to maintain 0 downtime during cert renewals, is there a way to set up auto-renewal of certs in Apigee Edge?
Hey @Krskreddy,
Unfortunately, Apigee Edge does not have a built-in automatic certificate renewal feature.
You have to manage all the certificates manually, including keeping track of their expiration and revocation statuses.
@nmarkevich, does Apigee Hybrid or Apigee X support it?
Apigee X doesn’t use virtual hosts like Apigee Edge. Instead, it utilizes environments and environment groups (details here). Apigee Hybrid uses the virtual host concept, but neither platform supports native automatic certificate renewal.
You won’t believe it, but I was grappling with the same question yesterday! I was discussing mTLS configuration with my team, and we were exploring the idea of using unique certificates for each proxy within a specific group to establish mTLS between these proxies and the target for additional authorization. However, we quickly realized that managing so many individual certificates manually would be a logistical nightmare and could easily lead to misuse. So, we had to put that plan on hold for now.
I guess you could say environments and environment groups in X are “instead of” Virtual Hosts in Apigee Edge. But they aren’t exactly the same function. One important difference: Environments and environment groups have no TLS configuration; they are not involved in TLS negotiation. They do not act as a TLS termination point, and you do not get to configure a cert or a key there, or a subset of ciphersuites, etc.
In Apigee X, the TLS termination is going to be performed by a Google Cloud Load Balancer - either an Internal Load Balancer (ILB) or an External Load Balancer (sometimes called XLB). THAT is where you can specify the TLS configuration, and there, YES, you can tell Google Cloud to manage the certificates and cert renewal for you, on some specific types of external load balancers. (See details here) To set this up, you need to prove that you own the domain for which the cert will be issued. But after that, Google will manage the certs for you and you don’t need to do anything else. More on Google-managed certs in load balancers, here.
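As an added example (not from this thread, and not Google's or Apigee's own code), this is the Terraform shape of the Google-managed-certificate setup described in the reply above: TLS terminates at a global external HTTPS load balancer in front of Apigee X, and Google issues and renews the certificate. The resource names, the domain api.example.com and the URL map passed in via a variable are assumptions; the URL map is expected to already route to the Apigee instance.

```hcl
# Assumed: self link of an existing URL map whose backend reaches Apigee X.
variable "apigee_url_map" {
  type = string
}

# Reserved static IP for the external load balancer. The domain's DNS A record
# must point at this address before Google can validate domain ownership.
resource "google_compute_global_address" "apigee_xlb_ip" {
  name = "apigee-xlb-ip" # assumed name
}

# Google-managed certificate: Google obtains and renews it, so there is no
# keystore to upload to and no manual rotation on the Apigee side.
resource "google_compute_managed_ssl_certificate" "apigee_cert" {
  name = "apigee-xlb-cert" # assumed name
  managed {
    domains = ["api.example.com"] # assumed domain
  }
}

# TLS terminates here, at the load balancer proxy, not in an Apigee
# environment group (which carries no TLS configuration at all).
resource "google_compute_target_https_proxy" "apigee_https_proxy" {
  name             = "apigee-xlb-https-proxy" # assumed name
  url_map          = var.apigee_url_map
  ssl_certificates = [google_compute_managed_ssl_certificate.apigee_cert.id]
}

# Forwarding rule binding the reserved IP and port 443 to the HTTPS proxy.
resource "google_compute_global_forwarding_rule" "apigee_https" {
  name        = "apigee-xlb-https" # assumed name
  ip_protocol = "TCP"
  port_range  = "443"
  target      = google_compute_target_https_proxy.apigee_https_proxy.id
  ip_address  = google_compute_global_address.apigee_xlb_ip.id
}
```

After apply, the managed certificate reports PROVISIONING until the DNS A record for the domain resolves to the reserved address; once validation succeeds it reports ACTIVE, and renewal from then on is Google's responsibility.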
Impressive! Can something similar be achieved for certificates where Apigee acts as a client (e.g. for connections between Apigee and target systems)?
I don’t know the answer to that! I’ll ask my colleagues.