API Gateway: Policy manager displays a different certificate subject name than openssl

Article ID: 136140

Products

API SECURITY CA API Gateway

Issue/Introduction

If a certificate is imported into the Gateway via the 'Manage Certificates' dialog, you may notice that the Subject name differs from the one returned by an openssl request.


For example:

Importing a certificate on the Gateway using the URL https://fcm.googleapis.com

will show a Subject DN of 'edgecert.googleapis.com'


However, running the openssl command below will show a Subject of '*.googleapis.com':


openssl s_client -connect fcm.googleapis.com:443 -showcerts



Environment

Release : 9.x

Component : API Gateway

Cause

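's_client' by default does not send SNI (Server Name Indication) data, but the Gateway and browsers do. A server that hosts several names behind one address uses the SNI value to choose which certificate to present; when no SNI is sent, it returns its default certificate, which may carry a different Subject.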


More details on SNI can be found here:

https://en.wikipedia.org/wiki/Server_Name_Indication

Resolution

If you run the following command, you should see the same result as the one the Gateway provided:


openssl s_client -servername fcm.googleapis.com -connect fcm.googleapis.com:443 -showcerts


The -servername parameter sets the TLS SNI (Server Name Indication) extension in the ClientHello message.