Cannot create Virtual host with certificate uploaded in Keystore, signed by internal CA

Google Cloud Apigee
1

@Anil Sagar Here our need is to create mutual TLS in Apigee Edge. We need a new virtual host with our own certificates to be created in prod environment for making this TLS communication. We have an internal CA which is not a external verified CA. We have created a Keystore in Apigee and uploaded Private Key and Certificate (signed by our root CA private key) in Apigee Edge Keystore. Since our CA is not a verified CA, we have also created a Truststore and uploaded the root CA cert in the Truststore.

Now while creating virtual host using the keystore and truststore, it is giving the following error:

{

“code”:“messaging.config.beans.VirtualHostCACertValidationError”****,

“message”:“Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be not be trusted by java trust anchors or CAs”****,

“contexts”:[]

}

We have tried both the options - one with API call and other from Edge portal for creating keystores/truststores. With API we uploaded certificate JAR file and from portal we uploaded the private key and certificate separately. But getting the same error in both cases. Any help on this topic from Apigee SME would be highly appreciated.

Regards,

Bhaskar

2

Hope you have followed the doc here

https://docs.apigee.com/api-services/content/keystores-and-truststores#aboutkeystoresandtruststores-abouttheformatofthecertandkeyfiles

to capture the cert chain for your self-signed certs. Your internal CA and any intermediate certs needs to be part of the keystore.

You can use openssl command like the following to verify the cert chain before uploading it to Apigee.

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

You can use a command like the following to make a call with the client cert.

curl -v -k -E ./certificate.pfx:password [http://url](http://url)
3

Hi Madhan,

Thanks for your response. I have verified the cert chain using openssl command you suggested, and its shows ‘OK’, so I believe my cert chain is fine. Is there any restriction of creating VHOST? Do I need to contact Apigee support for creating new VHOST?

Regards,

Bhaskar

4

@bhaskar.basu - Did you mange to resolve above mention issue?

I am having a similar issue so I am interested in how did you resolve the above issue. Any help is appreciated.

Thank you !

5

If you are talking about Cloud, according to the official documentation you cannot have self-signed certificate:

https://docs.apigee.com/api-platform/fundamentals/configuring-virtual-hosts-cloud

"You can only create a virtual host that supports TLS over HTTPS. You must have already created a keystore, and optionally a truststore, containing your TLS cert and key.

You must have a cert signed by a trusted entity, such as Symantec or VeriSign. You cannot use a self-signed cert."