How to configure certificates?

Starting with API Platform 4.3.0.0, the complete configuration of certificates is done over three API Manager screens:

  • Certificates (Virtual Hosts  Certificates). The certificate itself is registered here.

  • Inbound Addresses (Main menu  Virtual Hosts). Here you define the address the certificate will respond to.

  • Environments (Main menu  Virtual Hosts). Here, contexts are created to complement the addresses defined on the Inbound Addresses screen. With the combination inbound address + environment, we define the path that will be used to access the APIs.

Example

  • Certificate: *sensedia.com

  • Inbound Address: demo.sensedia.com

  • Environmment: demo.sensedia.com/dev

In this scenario, all environments created from the inbound address demo.sensedia.com will use the certificate *sensedia.com.

mTLS

The mutual exchange of certificates has two sides, each with their respective credentials.

These are the credentials used when configuring mTLS:

  • Partner (the one who makes the calls to APIs):

    • certificate_partner.pem: the certificate itself.

    • privateKey_partner.pem: private key.

    • ca_partner.pem: Trusted CA - certificate of the certifying authority that generated the partner’s certificate.

  • Host (the one who receives the calls to APIs):

    • cert_host.pem: certificate itself.

    • privateKey_host.pem: private key.

    • chain_host.pem: certificate chain generated when the inbound certificate was created.

With these data in hand, the registration of credentials is done on the API Manager, on Virtual Hosts  Certificates, after clicking on the + button. To register the certificate used by an inbound address, check the option Inbound Certificate. These are the fields that must be completed:

  • Name: name that identifies the certificate.

  • Certificate Body: inbound certificate body (certificate_host.pem).

  • Private Key: private key of the host (privateKey_host.pem)

  • btn: [Certificate Chain]: certificate chain of the host (chain_host.pem)

  • Trusted CA: Trusted CA of the partner (ca_partner.pem).

Once the certificate has been registered on the API Manager, the address to which it will respond can be assigned on the Inbound Addresses screen. To do this, choose HTTPS or HTTP|HTTPS in the Protocol Type field, which will open other security fields. In Security, choose mTLS, in TLS Version, define the range of supported TLS versions and, in Certificates, select the certificate registered.

Once this is done, any environment created with this inbound address as a base URL will start receiving calls with mTLS connection.

Example

A possible call made by the partner is:

curl -X GET --cacert ca_partner.pem --cert certificate_partner.pem --key privateKey_partner.pem https://inbound-url/basepath -v

If the configurations above are properly set, the expected behaviour is that both sides perform the validations of the certificates they received:

  • the partner validates, in its trusted_store, the certificate registered for the inbound address;

  • the host validates the certificate it received from the partner, since the partner’s Trusted CA has been registered on the Manager.

Thanks for your feedback!
EDIT

Share your suggestions with us!
Click here and then [+ Submit idea]