The general guidance is to install only root CAs (not the entire chain) in the truststore, and configure TLS peers to transmit their certificate chains (by placing the right certs in their KEYstore).
Are you recommending we install the root cert as a separate entry in the trust store, or install the cert and the root cert together in one file without the intermediate cert?
A best practice, therefore, is not to update existing truststores with new certs etc. and then enable/disable TLS. If you're going to be modifying TLS setups, then you should use REFERENCES to truststores.
I'm not clear on what the recommendation is here. We are using references to link the virtual host to the trust store, and we trigger the "Invalid certificate chain" error when attempting to enable 2-way TLS while an invalid cert is in the trust store. If I follow the steps above up to step 5, then I get no errors. It seems that this procedure (1-5) allows me to add invalid certs to the trust store in use, because Apigee only validates the cert chains while attempting to enable 2-way TLS. To be more specific, in the UX, enabling Client Authorization as shown below:
It seems like there should be a procedure for adding a new client certificate to a truststore in use that validates that the new certificate is acceptable and keeps enforcement of 2-way TLS on. Other than cycling the 2-way TLS setting, I don't see one in the Apigee admin interface.
