Navigating the Industry Shift in Client Authentication for Apigee mTLS

Google Cloud Apigee Knowledge Hub
,
1

The secure foundation of server-to-server communication is facing a mandatory industry shift: most major Public Certificate Authorities (CAs) are getting out of the business of issuing publicly trusted certificates for use in Client Authentication. This change is not a technological one, but rather a shift in responsibility, forcing organizations to adapt their Public Key Infrastructure (PKI) models.

If you are currently leveraging a Public CA to sign the client certificates used for Mutual TLS (mTLS) within an API Gateway environment like Apigee, you are now in a difficult position.

The Industry Shift: The Removal of the Client Authentication EKU

The source of this transition is a policy change driven by major CAs, including Sectigo and DigiCert, and supported by policy bodies like Google Chrome. These CAs are phasing out the Client Authentication Extended Key Usage (EKU) from publicly trusted SSL/TLS certificates.

The Technical Impact on mTLS

The removal of the EKU directly impacts the functionality of mTLS:

  • Critical Requirement: The Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), often referred to as clientAuth, is a critical requirement for a digital certificate to be accepted by a server to authenticate a client during a TLS handshake.

  • Service Interruption Risk: If a client certificate is renewed or re-issued under these new rules without the necessary clientAuth EKU, the Apigee Gateway’s underlying ingress infrastructure (e.g., Envoy) will reject it during the TLS handshake. This results in dropped requests and a loss of service for those clients.

  • Mandatory Deadline: Reliance on root CAs to bind public keys with domain identifiers for client authentication will no longer be possible by mid-June 2026.

The Operational Burden: From Delegated Trust to Internal Management

Organizations essentially have two choices to maintain service continuity:

  • Rely on Self-Signed Certificates: Ask each API consumer to self-sign their certificates and manually add them to your trust store. Managing hundreds of individual self-signed certificates in your trust store is not recommended due to the significant operational burden and risk of service interruption.

  • Become your own Private CA: Establish a Private CA to take full control of the certificate policy and issue compliant Client Authentication certificates to your API consumers. This is the more strategic and scalable path.

This shift forces organizations to move from a system where trust was delegated to Public CAs to an internally managed Private PKI system, significantly increasing operational complexity.

Aspect of Burden Previous Reliance (Public CA Model) New Requirement (Private PKI/Self-Signed)
Trust Store Scale Apigee only needed to store a few Public CA root certificates. If clients self-sign certificates, the Apigee trust store must include every client’s root, or worse, every leaf certificate. This is a major concern when dealing with a large volume of certificates.
Certificate Rotation No change was needed on Apigee’s side when a client rotated keys, as the gateway trusted the Public CA’s constant root certificate. Authentication must rely on the public key itself or the fingerprint of the entire leaf certificate. Since key rotation changes this fingerprint, it creates an additional change burden for Apigee with every key update.

Intermediate Solution: Private PKI for mTLS Continuity

The most direct and immediate strategic path to guarantee mTLS continuity is to establish and manage a Private Certificate Authority (Private CA). This approach allows the enterprise to control the certificate policy and explicitly include the necessary clientAuth EKU.

Key to Sustainable Private PKI Implementation

To avoid the operational burden of managing thousands of individual client certificates, the Private CA must be set up to leverage trust chains:

  1. Trust Store Optimization: The Apigee trust store should only contain the Private CA certificate (and any intermediate CAs), which are rotated far less frequently than client certificates.

  2. CSR-based Issuance: The client creates a Certificate Signing Request (CSR) that the Private CA signs, issuing a compliant certificate.

  3. Operational Benefit: With this approach, nothing changes on the Apigee side when individual client certificates expire and are renewed, as the gateway continues to trust the Private CA root certificate.

Accelerating Migration with Managed Services

Managed CA services dramatically simplify and secure the Private PKI process:

  • Google Cloud Certificate Authority Service (CAS): CAS is a highly scalable and available service designed to simplify and automate the management of private CAs. It allows a private CA to be set up in minutes. CAS is enterprise-ready, offering protection for private CA keys using FIPS 140-2 Level 3 validated Cloud HSMs.

  • CAS Documentation: For technical guidance on establishing a Private CA and creating certificates from a CSR, refer to the documentation samples.

  • Automation: Utilize standard ACME (RFC 8555) protocols and the Private CA’s RESTful APIs to automate the issuance, validation, and deployment of new client certificates. Solutions exist for various deployments, including cert-manager in Kubernetes clusters, and libraries for direct developer integration.

Long-Term Solution: Modernizing Authentication with DPoP

For organizations seeking maximum long-term operational efficiency and a modern security architecture, Demonstrating Proof of Possession (DPoP), defined in RFC 9449, is a powerful alternative.

DPoP shifts security from the TLS layer to the application layer. This approach eliminates the headaches of X.509 client certificate rotation by cryptographically binding an access token to a client’s private key using a specialized JSON Web Token (JWT). This can be a “preferred target state” using the change as an opportunity to “leap-frog” to a modern authorization model.

DPoP Implementation in Apigee

DPoP is fully implementable using Apigee’s existing policy toolkit. The flow involves three parties: the Presenter, the Issuer, and the Recipient.

DPoP Step Apigee Implementation Details Operational Advantage
Issuance The client sends a DPoP Proof JWT. Apigee uses the VerifyJWT Policy to validate the proof’s signature. Custom logic (JavaScript/Java Callout) extracts the client’s public key fingerprint (jkt) and injects it as a cnf.jkt claim into the Access Token being issued. Custom Development Required: Requires development and maintenance of custom policies and logic.
Validation The client sends the Access Token and a new DPoP Proof JWT with every request. A VerifyJWT Policy validates the DPoP Proof’s signature. Custom logic then compares the cnf.jkt from the token with the key fingerprint of the DPoP Proof JWT, proving key possession. Maximum Long-Term Efficiency: The long-term gain is realized by eliminating all X.509 client certificate management and rotation.

A GitHub sample demonstrates how Apigee can support a Proof-of-Possession (POP) exchange. Apigee POP Token Example

Summary

image
image1024Ă—559 98.2 KB

In summary, organizations must weigh the higher upfront development investment required for DPoP against the significant long-term operational savings it offers by moving away from the complexities inherent in the X.509 certificate ecosystem. The establishment of a Private CA provides the most straightforward path for immediate mTLS continuity.

:memo: Co-author: Ayo Salawu | @ayos

:thought_balloon: Talk to a Google Cloud Sales Specialist

6 Likes
2

Great article!

Not only “Private CA provides the most straightforward path for immediate mTLS continuity” it would also have the least impact on existing clients.

2 Likes
3

Rajesh, great stuff.

I’m already seeing accounts that are navigating through this transition.

I’ve explored the “Private PKI” path, implemented with the assistance of a custom Developer Portal, and in-browser generation of keypairs using the webcrypto API which is now widely supported in all browsers.

The way it works:

  • provision the developer portal with its own key + certificate. This cert might be provisioned by a public CA.
  • Developers sign into the devportal and when they want to request a new application-specific cert (AKA a client-side cert enabled with the clientAuth EKU (OID 1.3.6.1.5.5.7.3.2)), the in-browser logic for the Devportal follows this logic:
    • call window.crypto.subtle.generateKey() to generate a keypair
    • export both public and private key into an in-memory buffer
    • send just the public key to the developer portal backend with a request for a cert
    • The Devportal backend checks the public key (right algo, etc), and then generates a certificate signed by itself. Can set validity times (not before, not after), subject, clientAuth, SANs, and other x509 extensions as appropriate.
    • The developer portal backend then registers the fingerprint for the just-generated cert with the developer entity in the Apigee control plane
    • The developer portal backend sends back the signed cert to the Devportal frontend running in the browser
    • The browser then uses the URL.createObjectURL() API to download the private key and signed Certificate (possibly zipped up) to the filesystem on the developer’s workstation. The private key has been generated locally and never transmitted.
    • The developer can then employ the key+cert for client auth, as it would normally.

At runtime, the Apigee proxy can do its normal authentication check ( VerifyAPIKey or VerifyAccessToken) and can also check the fingerprint on the inbound client-provided certificate against the list of certificate fingerprints registered for the developer account.

One could also attach a cert fingerprint to a specific developer app.

In summary, it’s not so difficult to implement secure keypair provisioning to support the client-side authentication part of mTLS in an Apigee scenario, if you have a custom developer portal.

I have a working example of this; I’ll look into producing a webcast maybe with Rakesh or others showing this in action.

2 Likes
6

Dino, I like the thought of using developer portal and make it self sufficient.

If authentication relies on the fingerprint of the entire self-issued leaf certificate, key rotation changes that fingerprint. This means that every time a developer renews their certificate via the portal, the Dev Portal backend must perform an operational step in the Apigee to register the new certificate fingerprint against the developer entity or app. Compared to public CA model, this registration step will be the additional change burden on Apigee side of things.

7

YES! And there must be overlap in lifetimes of the certs, too. I have a Devportal example that does this - registers multiple overlapping certs for each developer account.

The API proxy must be smart enough to scan through the list of valid, approved fingerprints, for a given developer, when performing validation. This is not TLS validation - that happens at the Load Balancer, and requires a separate configuration. Not complicated, but not part of Apigee responsibilities. There will be no change required on the LB as client certs rotate - the LB can just use as its Truststore, the root certificate (privately issued) that is managed by the developer portal. The part in the proxy is just validating that… the current cert being used by the app is correctly registered for the developer that owns the app.

I expect more and more API programs to use this approach. Using a custom Devportal makes this part easy.