search cancel

Root Certificate not being used/found to trust for outbound SSL if another certificate in managed Certificates has the subject DN of certificate being presented.

book

Article ID: 239186

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

We have been running into issues on our api gateway where if a end-entity certificate  is in the trust store and we add the Root CA to our truststore so we can trust future certificate changes the outbound ssl call will fail once the vendor or internal certificate is updated if the old and new certificate share the same Subject DN.  For example:

Is there any recommendations on this as we've run into this a few different times, sometimes it doesn't happen and sometimes it does, so it's inconsistent as well.  Doesn't seem to be alphabetically order or any type of order that I have noticed.

 

Environment

Release : 10.0

Component :

Resolution

The gateway loads the Certificates from the store in the database. The order is not alphabetic its just based on the load order. 

The Gateway will queue up all  certs and loop through to choose an appropriate one for the validation. Note that gateway will not attempt validation with inappropriate cert, only 1 suitable cert will be identified and validated against. Depending on the cn or cert ID you could see diff results. Its a multistage validation and will deem successful or failure upon the first valid try. If the leaf cert found is appropriate and fails. It wont try to find or use CA. CA will only be used if there are no appropriate leaf certs for the validation.

The Trusted Certs for a HTTP route assertion. Connection tab, Trusted Server Certs button. Can choose the specific cert In 10.1 Cr02 this will also be able to take from a variable(s) which will help a user with more control and easier replacement.