Validating client certificate against truststore


This document explains how to verify that the correct client certificates have been uploaded to Apigee Edge Routers. The process of validating certificates relies on OpenSSL, which is the underlying mechanism used by NGINX on Apigee Edge Routers.

Any mismatch in the certificates sent by the client applications as part of the API request and the certificates stored on Apigee Edge Routers will lead to 400 Bad Request - SSL Certificate errors. Validating the certificates using the process described in this document can help you to proactively detect these issues and prevent any certificate errors at runtime.

Before you begin

Before you use the steps in this document, be sure you understand the following topics:

Validating client certificates against truststore on Apigee Routers

This section describes the steps used to verify that the client certificates are identical to certificates stored in the truststore on Apigee Edge Routers.

  1. Log in to one of the Router machines.
  2. Navigate to the /opt/nginx/conf.d folder, where the certificates are stored in Apigee Edge Routers’ truststore.
  3. Identify the truststore for which you would like to validate the client certificates. The truststore name is in the following format:
    org-env-virtualhost-client.pem
    

    Where:

    • org is your Apigee organization name
    • env is your Apigee environment name
    • virtualhost is your Apigee virtual host name
    For example, to validate for the following:

      • Organization: myorg
      • Environment: test
      • Virtual host: secure

    The truststore name is: myorg-test-secure-client.pem

  4. From your local machine, transfer the actual client certificate that you want to validate to the /tmp directory on the Router, using scp, sftp or any other utility.

    For example, use the scp command as follows:

    scp client_cert.pem router-host:/tmp
    

    Where router-host is the name of the Router machine.

  5. Verify the client certificate using OpenSSL as follows:
    openssl verify -trusted org-env-virtualhost-client.pem /tmp/client_cert.pem
    

    Where:

    • org is your Apigee organization name
    • env is your Apigee environment name
    • virtualhost is your Apigee virtual host name
    • client_cert.pem is the client certificate you copied to /tmp in the previous step
  6. Fix any errors that are returned from the command above.

    If the truststore on the Apigee Edge Router doesn’t contain the correct certificates, delete the incorrect certificates and upload the correct certificates in PEM format to the truststore using this Upload certificate to truststore API.
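The following script is an added example, not part of the Apigee documentation: it reproduces the step 5 check offline by constructing a throwaway CA, a client certificate issued by it and a truststore file named the way the Router stores it (the org/env/virtual host values myorg, test and secure are placeholders), then runs the same `openssl verify -trusted` command against a matching certificate and against one issued by an unrelated CA, so you can see both the success and the mismatch outcome before anything reaches the Router.

```shell
#!/bin/sh
# Added example, not the Apigee project's own code. Requires the openssl CLI.
# A temporary directory stands in for /opt/nginx/conf.d and /tmp on the Router.
set -u

WORK=$(mktemp -d)

# make_ca NAME: constructed self-signed CA (placeholder subject, 1-day validity).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_client CA NAME: client certificate signed by the given CA.
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against_truststore TRUSTSTORE CERT: the exact command from step 5.
# Prints "ok" when the certificate chains to the truststore, "mismatch" otherwise
# (a mismatch here is what surfaces as 400 Bad Request - SSL Certificate at runtime).
verify_against_truststore() {
  if openssl verify -trusted "$1" "$2" >/dev/null 2>&1; then echo ok; else echo mismatch; fi
}

make_ca apigee-ca
make_ca other-ca
make_client apigee-ca client_cert   # the certificate the client application will present
make_client other-ca other_cert     # issued by a CA the truststore does not contain

# Truststore as it would be stored on the Router (constructed name: org=myorg, env=test, vhost=secure).
cp "$WORK/apigee-ca.pem" "$WORK/myorg-test-secure-client.pem"

echo "client_cert.pem: $(verify_against_truststore "$WORK/myorg-test-secure-client.pem" "$WORK/client_cert.pem")"
echo "other_cert.pem:  $(verify_against_truststore "$WORK/myorg-test-secure-client.pem" "$WORK/other_cert.pem")"
```

On a real Router, substitute /opt/nginx/conf.d/org-env-virtualhost-client.pem and the certificate you copied to /tmp for the two arguments of verify_against_truststore.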