You're viewing Apigee Edge documentation. Go to the Apigee X documentation.
This document explains how to verify that the correct client certificates have been uploaded to Apigee Edge Routers. The process of validating certificates relies on OpenSSL, which is the underlying mechanism used by NGINX on Apigee Edge Routers.
Any mismatch in the certificates sent by the client applications as part of the API request and the certificates stored on Apigee Edge Routers will lead to 400 Bad Request - SSL Certificate errors. Validating the certificates using the process described in this document can help you to proactively detect these issues and prevent any certificate errors at runtime.
Before you begin
Before you use the steps in this document, be sure you understand the following topics:
- If you aren’t familiar with the OpenSSL library, read OpenSSL.
- If you want to use the command-line examples in this guide, install or update to the latest version of the OpenSSL client.
- Ensure the certificates are in PEM format; if they are not, convert them to PEM format.
Validating client certificates against truststore on Apigee Routers
This section describes the steps used to verify that the client certificates are identical to certificates stored in the truststore on Apigee Edge Routers.
- Log in to one of the Router machines.
- Navigate to the /opt/nginx/conf.d folder, where the certificates are stored in Apigee Edge Routers’ truststore.
- Identify the truststore for which you would like to validate the client certificates.
  The truststore name is in the following format:
    org-env-virtualhost-client.pem
  Where:
  - org is your Apigee organization name
  - env is your Apigee environment name
  - virtualhost is your Apigee virtual host name
  For example, to validate for the following:
  - Organization: myorg
  - Environment: test
  - Virtual host: secure
  The truststore name is:
    myorg-test-secure-client.pem
- From your local machine, transfer the actual client certificate that you want to validate to the /tmp directory on the Router, using scp, sftp or any other utility.
  For example, use the scp command as follows:
    scp client_cert.pem router-host:/tmp
  Where router-host is the name of the Router machine.
- Verify the client certificate using OpenSSL as follows:
    openssl verify -trusted org-env-virtualhost-client.pem /tmp/client_cert.pem
  Where:
  - org is your Apigee organization name
  - env is your Apigee environment name
  - virtualhost is your Apigee virtual host name
- Fix any errors that are returned from the command above.
  If the truststore on the Apigee Edge Router doesn’t contain the correct certificates, delete them and upload the correct certificates in PEM format to the truststore using the Upload certificate to truststore API.
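The verification step above, run end to end on constructed material, as an added example that is not part of the Apigee documentation: it runs the same openssl verify -trusted check against a matching truststore, a multi-certificate bundle and a wrong truststore. It goes beyond the page by assuming the client certificate is CA-issued and the truststore holds the issuing CA; the CAs, the client certificate and every file name other than myorg-test-secure-client.pem and client_cert.pem are assumptions made for the demo.

```shell
#!/bin/sh
# Added example; every name and certificate below is constructed.

# Succeeds only when openssl reports "<cert>: OK" for the given truststore.
# The output is checked as well as the exit status.
cert_trusted() {   # usage: cert_trusted TRUSTSTORE CLIENT_CERT
    out=$(openssl verify -trusted "$1" "$2" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Build constructed material in directory $1: two demo CAs, a client
# certificate issued by the "good" CA, and three candidate truststores.
make_demo() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'CN = constructed' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
    for ca in good other; do
        openssl req -x509 -config "$d/demo.cnf" -subj "/CN=constructed-$ca-ca" \
            -newkey rsa:2048 -nodes -keyout "$d/$ca-ca.key" \
            -out "$d/$ca-ca.pem" -days 2 2>/dev/null || return 1
    done
    openssl req -new -config "$d/demo.cnf" -subj "/CN=constructed-client" \
        -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/good-ca.pem" \
        -CAkey "$d/good-ca.key" -CAcreateserial -days 2 \
        -out "$d/client_cert.pem" 2>/dev/null || return 1
    # Truststore named in the page's org-env-virtualhost-client.pem format.
    cp "$d/good-ca.pem" "$d/myorg-test-secure-client.pem"
    # Wrong truststore: holds only a CA that did not issue the client cert.
    cp "$d/other-ca.pem" "$d/wrong-client.pem"
    # A PEM truststore may hold several certificates; order does not matter.
    cat "$d/other-ca.pem" "$d/good-ca.pem" > "$d/bundle-client.pem"
}

demo=$(mktemp -d) && make_demo "$demo" || exit 1
for ts in myorg-test-secure-client.pem bundle-client.pem wrong-client.pem; do
    if cert_trusted "$demo/$ts" "$demo/client_cert.pem"; then
        echo "$ts: client certificate verifies"
    else
        echo "$ts: verification FAILED"
    fi
done
rm -rf "$demo"
```

On a Router, only cert_trusted is needed: point it at the truststore in /opt/nginx/conf.d and the certificate copied to /tmp.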