This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

SSL Certificate expiration

Posted on 09-11-2024 03:38 AM
EduardoAnguloLu
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi Google Team! 

My team and I have been working on SSL configuration (1 way and 2 way) and we found that one certificate from one backend server was expired. So below, I have 2 questions:

1. Should Apigee throw a Certificate Expired issue? We didn't receive anything from Apigee but we found the next issue in our backend service:

Screenshot 2024-09-11 at 12.36.28.png

 2. Is there a way we can receive some alerts from Apigee about the certificates that are about to expire? I don't know precise time but for example 1 week before it happens? 

Thanks in advance!

Solved Solved
0 3 441
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
nmarkevich
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @EduardoAnguloLu,

1. If you want an Apigee proxy to validate a target system's certificate, you need to explicitly specify a TrustStore for every HTTPTargetConnection in your API proxy - this applies to both target endpoints and ServiceCallout policies. Without specifying this, Apigee won’t automatically throw a certificate expired error for the backend. Here's an example configuration:

 

<HTTPTargetConnection>
    <SSLInfo>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <TrustStore>ref://TrustStore</TrustStore>
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
            <Protocol>TLSv1.3</Protocol> <!-- For Apigee X/Hybrid -->
        </Protocols>
    </SSLInfo>
    <URL>https://httpbin.org/anything/</URL>
</HTTPTargetConnection>

 

Also please pay attention to the Protocols I specified - they are also necessary to harden your proxy. If the protocols are not defined, there's a risk that older, insecure protocols like SSLv3 might be used, which could introduce security vulnerabilities.

2. I don't know about such out-of-the-box feature for sending alerts about expiring certificates in Apigee KeyStore. However, you can implement this yourself by using a monitoring tool to track the expiration dates of the certificates in your KeyStore. You could set up alerts that trigger a week before a certificate expires, ensuring that your team is notified ahead of time.

By the way, if you’re interested in securing your Apigee API proxies further, consider trying out CodeSent. It’s a tool that automatically detects vulnerabilities in your Apigee proxies, helping you stay ahead of potential risks - like those related to SSL configurations and certificate validation.

View solution in original post

Jump to Solution
3 REPLIES 3

Posted on --/--/---- --:-- AM
nmarkevich
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @EduardoAnguloLu,

1. If you want an Apigee proxy to validate a target system's certificate, you need to explicitly specify a TrustStore for every HTTPTargetConnection in your API proxy - this applies to both target endpoints and ServiceCallout policies. Without specifying this, Apigee won’t automatically throw a certificate expired error for the backend. Here's an example configuration:

 

<HTTPTargetConnection>
    <SSLInfo>
        <Enabled>true</Enabled>
        <IgnoreValidationErrors>false</IgnoreValidationErrors>
        <TrustStore>ref://TrustStore</TrustStore>
        <Protocols>
            <Protocol>TLSv1.2</Protocol>
            <Protocol>TLSv1.3</Protocol> <!-- For Apigee X/Hybrid -->
        </Protocols>
    </SSLInfo>
    <URL>https://httpbin.org/anything/</URL>
</HTTPTargetConnection>

 

Also please pay attention to the Protocols I specified - they are also necessary to harden your proxy. If the protocols are not defined, there's a risk that older, insecure protocols like SSLv3 might be used, which could introduce security vulnerabilities.

2. I don't know about such out-of-the-box feature for sending alerts about expiring certificates in Apigee KeyStore. However, you can implement this yourself by using a monitoring tool to track the expiration dates of the certificates in your KeyStore. You could set up alerts that trigger a week before a certificate expires, ensuring that your team is notified ahead of time.

By the way, if you’re interested in securing your Apigee API proxies further, consider trying out CodeSent. It’s a tool that automatically detects vulnerabilities in your Apigee proxies, helping you stay ahead of potential risks - like those related to SSL configurations and certificate validation.

Jump to Solution

Posted on --/--/---- --:-- AM
EduardoAnguloLu
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi @nmarkevich thanks for your quick response!

Just want to confirm if Protocols should only be present in the 2 way SSL or also apply for 1 way SSL?

Thanks in advance!

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
nmarkevich
Silver 1
Silver 1
Reply posted on --/--/---- --:-- AM

Hi @EduardoAnguloLu,

You're welcome!

To clarify, you should include the Protocols element in both 1-way and 2-way SSL configurations. The reason is that the Protocols directive ensures that only secure protocols (like TLSv1.2 and TLSv1.3) are used when making connections, regardless of whether it’s 1-way or 2-way SSL. This helps to prevent the use of outdated and insecure protocols like SSLv3, TLSv1.0 and TLSv1.1 in any connection.

So yes, I recommend specifying the protocols for both cases to maintain a strong security posture.

Let me know if you need further clarification!

Jump to Solution
Top Solution Authors
View all