In API Gateway we invoke several backend providers using Route Via HTTP Assertion say https://abc.xyz.com in order to establish trust we have to add the certificate abc.xyz.com to our Gateway trust store .
Challenge is that our api providers rotate the certs every 1 yr , currently our strategy has been to trust the intermediate cert so that we can avoid frequent trust cert rotations.
lot of our teams use Aws ACM -- their recent announcement talks about dynamic intermediate certs , https://aws.amazon.com/blogs/security/amazon-introduces-dynamic-intermediate-certificate-authorities/
can you suggest a strategy to avoid outages when intermediate certs are changed (auto rotated with out notice).
Is it possible to just validate the CN name and validity of the leaf cert instead of validating the whole cert ?
Release : 10.1
New feature was added in 10.1 CR2
Route via HTTP(S) Assertion - New Options
Three new options for the Route vis HTTP(S) assertion have been introduced:
Trust only the specified Trusted Certificates via Context Variable: Located in the Trusted TLS Server Certificates dialog. Selecting this option allows the user to define a context variable as a certificate identifier value for dynamic certificate selection.
Use dynamic private key: Located in the Private Key Alias dialog. Selecting this option allows the user to define a context variable as a private-key identifier value for dynamic key selection.
Omit Matching Auth Header When Reusing Connection: Selecting this option allows users to disable the comparison of the authorization header in a HTTP(S) request with previous requests when the Gateway attempts to reuse connections. Selecting this option is best suited for connections that use the bearer token in the authorization header to ensure connection reuse and improve routing performance.
To be able to view or see these options in the Policy Manager, ensure that version 10.1 CR2 of the Policy Manager has been installed.