
Checking for the presence and validity of a Certificate using two different 'Require SSL' assertions


Article ID: 7279


Updated On:


CA API Gateway


In Policy, some use cases may want to separate the ways in which the 'Require SSL' assertion handles the certificate. For example, the first branch of logic may check only for the presence of the certificate, whereas a later branch checks the validity of that same certificate.


<Please see attached file for image: Policy screenshot.PNG>


The problem is that if an expired certificate passes the first branch (which only checked for the presence of a certificate), it also passes the branch later down the line that checks the validity of the certificate.


Component: APIGTW


The Gateway does this as a form of 'caching' to reduce policy overhead. Because it has already evaluated the certificate once, the second 'Require SSL' assertion reuses the details from the first evaluation (where validity was not checked), so the request passes through even though the certificate is expired and not valid.


Instead of using a second 'Require SSL' assertion to check validity, use a Compare Expression assertion to check it. The Compare Expression should be configured as shown below:


<Please see attached file for image: Compare.PNG>


This Compare Expression takes the certificate's validity period from a built-in context variable and compares it against the Gateway time, which checks the validity of the certificate explicitly and ensures it has not expired.
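The following Python model is an added example, not code from the article or from the Gateway product. It shows why a presence-only check lets an expired certificate through and what an explicit validity comparison against the gateway time (the Compare Expression approach above) rejects; it goes slightly beyond the article by also checking the notBefore date. It assumes the dictionary layout that Python's ssl.getpeercert() returns for the constructed sample certificate, and does not reproduce the Gateway's own context variable names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificate in the shape returned by ssl.getpeercert().
# Its validity window ended on 31 Dec 2023, so it is expired at the time of writing.
EXPIRED_CLIENT_CERT = {
    "subject": ((("commonName", "client.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Dec 31 23:59:59 2023 GMT",
}


def cert_present(cert):
    """First branch of the policy: only asks whether a client certificate was sent.

    An expired certificate satisfies this check, which is the root of the problem
    described in the article.
    """
    return bool(cert)


def cert_valid_at(cert, gateway_time):
    """Compare Expression equivalent: validity window versus the gateway's clock.

    Returns True only if a certificate is present and gateway_time lies within
    [notBefore, notAfter]. Both bounds are parsed from the ssl module's date format.
    """
    if not cert_present(cert):
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = gateway_time.timestamp()
    return not_before <= now <= not_after


def evaluate_policy(cert, gateway_time):
    """Return (presence_only_result, presence_and_validity_result) for one request."""
    presence_only = cert_present(cert)
    with_validity = presence_only and cert_valid_at(cert, gateway_time)
    return presence_only, with_validity


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed gateway time
    print(evaluate_policy(EXPIRED_CLIENT_CERT, now))  # (True, False)
```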

