search cancel

Mutual SSL authentication configuration per web port


Article ID: 110022


Updated On:


CA Rapid App Security CA API Gateway


User has the requirement to host multiple services with mutual SSL based authentication. To get this to work, its crucial that in the ServerHello message the trusted certificate authorities are appearing in the CertificateRequest section. Its my understanding that this is controllable by the certificate purpose
"Signing client certs" in the list of trusted certificates. As the services are independent from each other and as we observed the clients are pretty sensitive during the SSL handshake when e.g. more than one trusted CA appears in the ServerHello/CertificateRequest message, I want to have an isolated SSL configuration per service in order to specify per service (or per webport) which client certificate issuer is being trusted. However, it seems the certificate purpose is controllable only on a global level, applying for all services and all web ports.

Is it possible to set certificate purpose per web port?


Gateway 9.3


There are several options. I hope they meet the requirement: 
1.: In policy manager, Tasks - Manage Listen Ports - Select or create a port 
2.: check the properties 
3.: select the private key that is valid on that port 

This is like a global setting for that specific port. 

For a specific API this approach can be used: 

1.: create a federated identity provider which allows you to specify required certificates or a specific issuer 
2.: in an API require SSL Mit client authentication 
3.: then include a Authenticate assertion against the Federated identity provider