After going through a lot of documentation, I am a bit confused, and hence I am putting up my understanding for review:
1. To enable Backend TLS/SSL security: HTTP Proxy to HTTPS backend
- Create a Truststore in Edge.
- Add a PEM cert to this Truststore, get this cert from backend team.
- Create a Truststore Reference.
- Add this Reference in SSLInfo tag of /target/default.xml and deploy the bundle.
2. To enable one-way TLS/SSL security on the Proxy: HTTPS Proxy to HTTPS backend.
- Create one Truststore in Edge - backAndFrontStore
- Add a backend PEM cert with appropriate alias and front-end cert with appropriate alias to backAndFrontStore.
- Create Truststore reference pointing to backAndFrontStore.
- Add this Reference in SSLInfo tag of /target/default.xml and deploy the bundle.
3. To enable 2-way TLS/SSL security on Proxy: HTTPS Proxy with client cert validation to HTTPS backend.
- Create one Truststore in Edge - backAndFrontStore
- Add a backend PEM cert with appropriate alias and front-end cert with appropriate alias to backAndFrontStore.
- Create Truststore reference pointing to backAndFrontStore.
- Create one keystore in Edge - clientKeystore.
- Add PKCS12 cert to clientKeystore.
- Create Keystore reference pointing to clientKeystore.
- Add both of these references to SSLInfo tag along with ClientAuth as Enabled and deploy the bundle.
Also, if we have a simple org where all Proxies can have the same client cert, then is only adding the Ref to the Virtual Host more appropriate? Or is there any other tight dependency on the Virtual Host for adding the reference of the Stores there?
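Added example, not part of the original post: the two SSLInfo blocks that the steps above end up populating, written out with placeholder names. In Edge the southbound connection (proxy to backend) is configured in the TargetEndpoint's HTTPTargetConnection, and the northbound connection (caller to proxy) is configured on the VirtualHost. On either side, KeyStore/KeyAlias is the identity that Edge presents and TrustStore is the set of peer certificates Edge will accept; a TrustStore alone never makes Edge present a certificate. The reference names, host alias, URL and key aliases below are assumptions, not values from the post.

```xml
<!-- Added example, not from the original post. Reference names, host
     alias, URL and key aliases are placeholders. -->

<!-- apiproxy/targets/default.xml: southbound (Edge -> backend).
     TrustStore validates the backend's server cert (item 1 above).
     KeyStore/KeyAlias are only needed when the backend itself demands a
     client cert from Edge (mutual TLS to the backend). -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://backend.example.com/orders</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://clientKeystoreRef</KeyStore>
      <KeyAlias>edge-client</KeyAlias>
      <TrustStore>ref://backendTruststoreRef</TrustStore>
      <!-- Keep this false: true makes Edge accept any backend cert. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>

<!-- VirtualHost (created through the management API): northbound
     (caller -> Edge). KeyStore holds the server cert Edge presents to
     callers (one-way TLS, item 2). TrustStore plus ClientAuthEnabled=true
     makes Edge require and validate a client cert from callers (item 3);
     drop both for plain one-way TLS. -->
<VirtualHost name="secure">
  <HostAliases>
    <HostAlias>api.example.com</HostAlias>
  </HostAliases>
  <Port>443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://frontKeystoreRef</KeyStore>
    <KeyAlias>api-example-com</KeyAlias>
    <TrustStore>ref://clientCertTruststoreRef</TrustStore>
  </SSLInfo>
</VirtualHost>
```

Using ref:// references instead of naming the keystore or truststore directly is what lets you rotate a certificate by repointing the reference at a new store, without redeploying the proxy bundle or editing the virtual host. The VirtualHost SSLInfo applies to every proxy bound to that host, so it is the place for a certificate shared org-wide, whereas the TargetEndpoint SSLInfo is per proxy and carries only what that backend needs.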