I have added the propagatetlsinformation section to my virtualhost in Apigee.
{
  …
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "true",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "keyAlias": "test",
    "keyStore": "ref://tls",
    "protocols": [],
    "trustStore": "ref://tlsTrust"
  },
  "PropagateTLSInformation": {
    "ConnectionProperties": "true",
    "ClientProperties": "true"
  }
}
Based on Accessing TLS connection information in an API proxy | Apigee Edge | Apigee Docs, the PropagateTLSInformation section in the virtualhost facilitates the propagation of TLS information.
I am trying to access tls.client.s.dn in a policy.
RF-CertCheck
tls.client.s.dn != "Certificate"
I also tried using X-Apigee.tls.client.s.dn, still did not get any value.
I would really appreciate any input on how to access the TLS information in a policy.
This looks like a duplicate post. Let's discuss this on the other post, please.
Hi @SanalNaroor ,
You’re correct that adding PropagateTLSInformation in the virtual host allows Apigee to pass TLS details. But note: this only works when:
– You’re using mutual TLS (mTLS) and
– The client is presenting a valid certificate at the Apigee edge.
To access tls.client.s.dn in policies:
– You should reference it directly as tls.client.s.dn in your conditions (no X-Apigee. prefix).
– Make sure the client is actually providing the certificate; otherwise, the variables will be empty.
Debug tip:
– Enable debug sessions in the Apigee trace tool and look under the variables section → check if tls.client.* values appear.
– If they are missing, confirm that:
    – The virtual host is configured for clientAuthEnabled: true.
    – The trust store contains the correct CA certs.
    – The client is indeed sending a client certificate.
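As an added example (not code from this thread or from Apigee), here is one way a JavaScript policy could read tls.client.s.dn and fail closed when the variable is empty, which is the case discussed above. The allowlisted DN and the certcheck.result variable are assumptions; a RaiseFault step such as RF-CertCheck could then use the condition certcheck.result != "allowed".

```javascript
// Added example (not from the thread): body of an Apigee JavaScript policy.
// Assumed names: the ALLOWED_SUBJECT_DNS entries and the certcheck.result variable.
var ALLOWED_SUBJECT_DNS = [
  'CN=partner-client,O=Example Corp,C=US' // constructed sample DN
];

// Split a DN on commas that are not backslash-escaped, trim each RDN and
// lowercase its attribute type, so "CN=a, O=b" and "cn=a,O=b" compare equal.
// Attribute values stay case-sensitive, which keeps the allowlist strict.
function normalizeDn(dn) {
  var parts = [], cur = '', i, ch;
  for (i = 0; i < dn.length; i++) {
    ch = dn.charAt(i);
    if (ch === '\\' && i + 1 < dn.length) { cur += ch + dn.charAt(++i); }
    else if (ch === ',') { parts.push(cur); cur = ''; }
    else { cur += ch; }
  }
  parts.push(cur);
  return parts.map(function (rdn) {
    var t = rdn.replace(/^\s+|\s+$/g, '');
    var eq = t.indexOf('=');
    if (eq < 0) { return t; }
    return t.slice(0, eq).replace(/\s+$/, '').toLowerCase() + '=' +
           t.slice(eq + 1).replace(/^\s+/, '');
  }).join(',');
}

// Read tls.client.s.dn (no X-Apigee. prefix) and record a verdict that a
// later condition can test. An unset or blank variable fails closed as "missing".
function checkClientCert(ctx) {
  var dn = ctx.getVariable('tls.client.s.dn');
  var result = 'denied', i;
  if (dn === null || dn === undefined || String(dn).replace(/\s/g, '') === '') {
    result = 'missing';
  } else {
    dn = normalizeDn(String(dn));
    for (i = 0; i < ALLOWED_SUBJECT_DNS.length; i++) {
      if (normalizeDn(ALLOWED_SUBJECT_DNS[i]) === dn) { result = 'allowed'; }
    }
  }
  ctx.setVariable('certcheck.result', result);
  return result;
}

// Inside Apigee the global `context` exists; elsewhere this line is skipped.
if (typeof context !== 'undefined') { checkClientCert(context); }
```

A "missing" verdict in a trace session points back to the checklist above (clientAuthEnabled, trust store, client actually sending a certificate) rather than to the policy logic.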