API calls made from browsers can display certificate choose dialog.
search cancel

API calls made from browsers can display certificate choose dialog.

book

Article ID: 45559

calendar_today

Updated On:

Products

STARTER PACK-7 CA API Gateway

Issue/Introduction

API Calls made from browsers using HTTPS can be prompted to choose a certificate to authenticate itself, even though the resource/policy itself does not use mutual SSL Authentication.  This can be confusing for some end users, unsure why a certificate choice is requested and which one should be selected.

Environment

All supported versions of the API Gateway

Cause

During SSL Handshake, prior to the policy being resolved, the client can be prompted for a certificate.  If the client is a browser and its keystore contains more than one certificate, then a dialog will be displayed asking the user to choose which certificate is applicable. 

Resolution

From the Policy Manager, go to Tasks > Transpots > Manage Listen Ports, select the SSL port in question, and navigate to the 'SSL/TLS Settings' Tab.  If Client Authentication is set to Optional or Required then during SSL handshake, a certificate will be requested, which might result in a dialog being displayed.  To stop this behavior, set the Client Authentication to None. 

Additional Information

If policies require certificate-based client authentication then setting the authentication to None will cause them to fail, consider running mutual authentication policies on a separate port.