Enabling and Trusting Major Certificate Authorities Globally Throughout a Cluster.
search cancel

Enabling and Trusting Major Certificate Authorities Globally Throughout a Cluster.


Article ID: 42849


Updated On:


CA API Gateway


A majority of certificates issued to publicly facing web sites and services have certificates that are issued by well-known public certificate authorities. This list includes but is not limited to: Symantec, Comodo, GoDaddy, and Global Sign. Most contemporary web browsers trust a selection of public certificate authorities as well as the intermediary certificate authorities that they have acquired. The CA API Gateway does not implicitly trust these certificates without administrative intervention. This article will prescribe the steps necessary to institute this trust. Please note that this capability is non-functional and not available until version 7.0.0 of the CA API Gateway.


Component: APIGTW


The Gateway does not trust the global external certificate authority infrastructure by default.


  1. Log in to the CA API Policy Manager as an administrative user.
  2. Select Manage Cluster-Wide Properties from the Tasks menu.
  3. Add a new property
  4. Specify the property key as pkix.useDefaultTrustAnchors
  5. Set the property value as true
  6. Save the changes and exit.

    NOTE: This is  a hidden property therefore you cannot select from the list, just input manually and hit Enter to show the property. We put it as hidden property because we don't recommend to use it as it will trust certificates from well known CA automatically (ie. you don't need to import those certificates manually). This is not very secure.

Additional Information

Subsequent requests to systems, servers, or services using certificates signed by the broad spectrum of public CAs will now be trusted. Please note that this trust relationship can be exploited by malicious users leveraging leaked CA signing keys. While the possibility of this being exploited is low--it is discussed in-depth in an online discussion found here. Use caution when enabling this capability in a trusted zone.