We have a certificate used for southbound client authentication (mTLS or mutual authentication) and it’s close to expiry. It is in a TLS Keystore in Apigee X. We loaded it into Apigee using a .p12 file with a password. The new certificate which will replace the old one is also a .p12 file with a password.
When we try to upload the new certificate using the “Update Certificate” option, we don’t see any place to put the password of the new certificate. We can only put the new certificate file. If we do that, we receive an error saying “failed to parse x509 certificate”.
Below you can see some screenshots of the process:
It says “You can upload a new PEM file” but the original certificate was not a .pem file, it was a .p12 file, and so is the new file.
If we try to update the certificate using Maven, it just skips the certificate saying it already exists. The only way we found to update a p12 certificate in Apigee X was modifying the Target Server so it doesn’t use the reference to the KeyStore, then deleting the reference, the keystore, and the certificate, so we can upload it cleanly.
Is this intended? Should we convert it to PEM to be able to update it?
Hello @JAAO, we saw your question and wanted to let you know we’re keeping it on our radar. We’ll also invite others in the community to pitch in and share their thoughts.
Thank you. We have run more tests; it seems that if we convert the new certificate to .pem, we can update the old one only if the private key is the same (it’s not our case).
Also, we cannot delete the certificate and upload the new one; the only option we see in Apigee X is to delete the Alias, but we cannot do that because it is used in a Reference, so basically we have to do the whole process I described before: edit the Target Server, delete the reference, delete the keystore, and then create everything again and re-edit the Target Server.
Using Maven we have seen that it was skipping the certificate because we were using the “async” option; using “sync” it fails for the same reason: it cannot change the keystores because they are being used in Target Servers.
Hello, we recently migrated from Apigee Edge for private cloud to Apigee X, and we thought that we could update the certificate directly, as we did in Edge, since there is an option called “Update Certificate”. But the documentation you linked says that’s not possible.
The procedure of creating a new keystore is something we were considering as a workaround, but we will take it as the official way to update certificates in Apigee X from now on.
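The rotation the thread settles on (new keystore, upload the .p12 as an alias, repoint the Reference the Target Server uses) can be scripted. The script below is an added example written for this thread; it is not code from the poster, from the Apigee community, or from Google's own tooling. It assumes openssl, curl and gcloud are installed, and that the Apigee X REST API accepts the keystore, alias (format=pkcs12, password as a multipart part) and reference calls in the shape shown, which is my reading of the API reference and should be verified against it. Organisation, environment, keystore, alias and reference names are placeholders. The openssl part also decides which of the two situations from the thread applies: if the new certificate was issued for the same private key as the one already in the keystore, "Update Certificate" with a PEM is enough; otherwise the key changed and the new-keystore path is required.

```shell
#!/bin/sh
# Added example (not from the thread or from Apigee): rotate a PKCS#12 client
# certificate in an Apigee X keystore by creating a new keystore, uploading the
# .p12 as an alias and repointing the Reference that the Target Server uses.
# Assumed tools: openssl, curl, gcloud. Names below are placeholders.
set -e

# Extract the leaf certificate and the private key from a .p12 as PEM files.
p12_to_pem() {   # p12_to_pem FILE.p12 PASSWORD OUT_CERT.pem OUT_KEY.pem
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
key_spki_sha256() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the DER SubjectPublicKeyInfo carried in a certificate file.
cert_spki_sha256() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 when the new certificate belongs to the key already installed (the only
# case in which "Update Certificate" with a PEM works, as reported above),
# non-zero when the key changed and a new keystore is needed.
same_key_as_installed() {   # same_key_as_installed INSTALLED_KEY.pem NEW_CERT.pem
  [ "$(key_spki_sha256 "$1")" = "$(cert_spki_sha256 "$2")" ]
}

API=https://apigee.googleapis.com/v1
auth_header() { printf 'Authorization: Bearer %s' "$(gcloud auth print-access-token)"; }

apigee_create_keystore() {   # ORG ENV KEYSTORE
  curl -sS -f -X POST -H "$(auth_header)" -H 'Content-Type: application/json' \
    "$API/organizations/$1/environments/$2/keystores" -d "{\"name\":\"$3\"}"
}

apigee_upload_p12_alias() {  # ORG ENV KEYSTORE ALIAS FILE.p12 PASSWORD
  # format=pkcs12 lets Apigee take the .p12 directly, which is the step the UI
  # lacks; the password travels as a multipart part, not in the URL.
  curl -sS -f -X POST -H "$(auth_header)" \
    "$API/organizations/$1/environments/$2/keystores/$3/aliases?alias=$4&format=pkcs12" \
    -F "file=@$5" -F "password=$6"
}

apigee_point_reference_at() {  # ORG ENV REFERENCE KEYSTORE
  # The Target Server only knows the Reference, so this PUT is the cut-over;
  # the old keystore can be deleted once nothing refers to it any more.
  curl -sS -f -X PUT -H "$(auth_header)" -H 'Content-Type: application/json' \
    "$API/organizations/$1/environments/$2/references/$3" \
    -d "{\"name\":\"$3\",\"resourceType\":\"KeyStore\",\"refers\":\"$4\"}"
}

# rotate OLD.p12 OLD_PASSWORD NEW.p12 NEW_PASSWORD
# Reads APIGEE_ORG, APIGEE_ENV, APIGEE_REF, NEW_KEYSTORE and ALIAS from the
# environment (placeholders; set them before calling).
rotate() {
  tmp=$(mktemp -d)
  p12_to_pem "$1" "$2" "$tmp/old.crt" "$tmp/old.key"
  p12_to_pem "$3" "$4" "$tmp/new.crt" "$tmp/new.key"
  if same_key_as_installed "$tmp/old.key" "$tmp/new.crt"; then
    echo "same key as installed: $tmp/new.crt can go through Update Certificate (PEM)"
  else
    apigee_create_keystore "$APIGEE_ORG" "$APIGEE_ENV" "$NEW_KEYSTORE"
    apigee_upload_p12_alias "$APIGEE_ORG" "$APIGEE_ENV" "$NEW_KEYSTORE" "$ALIAS" "$3" "$4"
    apigee_point_reference_at "$APIGEE_ORG" "$APIGEE_ENV" "$APIGEE_REF" "$NEW_KEYSTORE"
  fi
  rm -rf "$tmp"
}
```

Typical use is `APIGEE_ORG=my-org APIGEE_ENV=prod APIGEE_REF=southbound-ks-ref NEW_KEYSTORE=southbound-2025 ALIAS=client sh rotate.sh` after sourcing the functions and calling `rotate old.p12 oldpw new.p12 newpw`. Because the cut-over is a Reference update rather than a keystore deletion, the Target Server never has to be edited and the old keystore stays in place until you remove it, which is what makes this path usable while the keystore is in use.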