How to configure certificates?

Complete certificate configuration is done across three API Manager screens:

  • In Virtual Hosts > Certificates, you register the certificate.

  • In Virtual Hosts > Inbound Addresses, you define the address the certificate will respond to.

  • In Virtual Hosts > Environments, you create the contexts that complement the addresses defined in the Inbound Addresses screen.

The combination of inbound address and environment defines the path used to access the APIs. For example:

  • Certificate: *sensedia.com

  • Inbound Address: demo.sensedia.com

  • Environment: demo.sensedia.com/dev

In this scenario, all environments created from the inbound address demo.sensedia.com will use the certificate *sensedia.com.

mTLS

The mutual exchange of certificates has two sides, each with their respective credentials.

These are the credentials used when configuring mTLS:

  • Partner (the caller):

    • certificate_partner.pem: the certificate itself.

    • privateKey_partner.pem: private key.

    • ca_partner.pem: Trusted CA, the certificate of the certificate authority that issued the partner’s certificate.

  • Host (the receiver):

    • certificate_host.pem: the certificate itself.

    • privateKey_host.pem: private key.

    • chain_host.pem: certificate chain generated when the inbound certificate was created.

With this data, register the certificate:

  1. Go to Virtual Hosts > Certificates in the API Manager;

  2. Click the + button;

  3. To register a certificate used by an inbound address, check the Inbound Certificate option;

  4. Fill in the fields:

  • Name: name that identifies the certificate.

  • Certificate Body: inbound certificate body (certificate_host.pem).

  • Private Key: private key of the host (privateKey_host.pem).

  • Certificate Chain: certificate chain of the host (chain_host.pem).

  • Trusted CA: Trusted CA of the partner (ca_partner.pem).

After inserting the certificate in the API Manager, you can assign it to the address it will respond to:

  1. Go to the Inbound Addresses screen;

  2. In the Protocol Type field, choose HTTPS or HTTP|HTTPS;

  3. In Security, choose mTLS;

  4. In TLS Version, define the range of supported TLS versions;

  5. Finally, in Certificates, select the registered certificate.

With these configurations, any environment created from this inbound address will start receiving calls over mTLS connections.

A possible call made by the partner is:

curl -X GET --cacert ca_partner.pem --cert certificate_partner.pem --key privateKey_partner.pem https://inbound-url/basepath -v

With the configurations made, the expected behavior is that both sides validate the certificates they received:

  • The partner validates the certificate registered in the inbound address against its trust store;

  • The host validates the certificate received from the partner against the partner’s Trusted CA registered in the Manager.
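The two-sided validation described above can be reproduced end to end in a single process. The Go program below is an added illustration, not Sensedia code: it creates a CA and certificate for each side in memory (standing in for certificate_host.pem, privateKey_host.pem, ca_partner.pem and the partner's own files), configures the host side the way the Inbound Addresses screen does (Security = mTLS, minimum TLS version), and runs one call from the partner side the way the curl command does. A second run presents a partner certificate issued by a CA that was never registered as the Trusted CA, and the host rejects it. The CA names, the "partner-client" common name and the single-level chain are constructed assumptions.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue creates an ECDSA key pair and a certificate for cn signed by parent
// (self-signed when parent is nil). It replaces the PEM files of the page.
func issue(cn, dns string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable as the host (server) or the partner (client) certificate
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if dns != "" {
		tmpl.DNSNames = []string{dns}
	}
	if parent == nil { // self-signed CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// handshake runs one mTLS call over loopback: the host replies with the CN it
// verified in the partner certificate, or closes with a TLS alert on rejection.
func handshake(hostCfg, partnerCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", hostCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // host side
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		tc := conn.(*tls.Conn)
		if tc.Handshake() != nil {
			return // partner certificate did not chain to the registered Trusted CA
		}
		fmt.Fprintf(tc, "%s\n", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), partnerCfg) // partner side
	if err != nil {
		return "", err
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n') // under TLS 1.3 a rejection surfaces here
	return strings.TrimSpace(line), err
}

// scenario builds both sides' credentials and runs one call. With
// partnerTrusted=false the partner's certificate comes from a CA the host never registered.
func scenario(partnerTrusted bool) (string, error) {
	hostCA, hostCAKey := issue("Host CA", "", nil, nil, true) // assumed issuer of the inbound certificate
	hostCert, hostKey := issue("*.sensedia.com", "*.sensedia.com", hostCA, hostCAKey, false)
	partnerCA, partnerCAKey := issue("Partner CA", "", nil, nil, true) // ca_partner.pem
	signer, signerKey := partnerCA, partnerCAKey
	if !partnerTrusted {
		signer, signerKey = issue("Rogue CA", "", nil, nil, true) // constructed, never registered
	}
	partnerCert, partnerKey := issue("partner-client", "", signer, signerKey, false)
	trustedByHost, trustedByPartner := x509.NewCertPool(), x509.NewCertPool()
	trustedByHost.AddCert(partnerCA)  // Trusted CA field of the certificate registration
	trustedByPartner.AddCert(hostCA) // the partner's trust store (curl --cacert)
	hostCfg := &tls.Config{ // Inbound Address: Security = mTLS, TLS Version from 1.2
		Certificates: []tls.Certificate{{Certificate: [][]byte{hostCert.Raw}, PrivateKey: hostKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: trustedByHost, MinVersion: tls.VersionTLS12,
	}
	partnerCfg := &tls.Config{ // the partner call: --cert, --key and the host name being called
		Certificates: []tls.Certificate{{Certificate: [][]byte{partnerCert.Raw}, PrivateKey: partnerKey}},
		RootCAs:      trustedByPartner, ServerName: "demo.sensedia.com",
	}
	return handshake(hostCfg, partnerCfg)
}

func main() {
	cn, err := scenario(true)
	fmt.Println("trusted partner accepted as:", cn, err)
	_, err = scenario(false)
	fmt.Println("unregistered CA rejected:", err)
}
```

The host configuration is the part that corresponds to the Manager screens: RequireAndVerifyClientCert with the partner's CA as the only root is what makes the Trusted CA field meaningful, and the wildcard host certificate is verified by the partner against the name it called, so a certificate registered for the wrong inbound address fails on the partner side rather than the host side.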
