
Unable to update Apigee virtual host with keystore Alias

We are using Apigee Edge, and for reference we are using a paid plan. I currently upload a wildcard private key (.pem) file and the chain of certificates (.pem) successfully in the TLS Keystore and create a new keystore Alias. I now want to update the Apigee virtual host with the new keystore Alias that I just created, and I get the error "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be trusted by java trust anchors or CAs". I am quite sure that the key and cert are valid. What could possibly cause this error?

 

 


Hello Xiao! The error message "Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be trusted by java trust anchors or CAs" means that the certificate defined in the keystore "GASAGAG" with the alias name "app-gasag-26" is not issued by a CA (Certificate Authority) trusted by the JRE. Usually you would see this if the certificate is self-signed or from a private CA. As a general rule, https://github.com/openjdk/jdk/tree/master/src/java.base/share/data/cacerts lists the trusted CAs included by OpenJDK. If your certificate is issued by one of these authorities or you believe your certificate is trusted, please reach out to Google Cloud Support, who can provide more direct assistance.

Hello Troseman, it is issued by a public CA. I already created a ticket (ticket number 61197673), but thanks for your help 🙂

Apigee doesn't recognise the newer root CA. Get the cross-signed bundle from your cert provider - the roots are also signed by older roots for additional compatibility.
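
Added example (not posted by anyone in this thread): a shell check, using the `openssl` CLI, that a PEM bundle is ordered leaf-first and that prints the issuer of its last certificate, which is the CA the server's Java trust store has to contain. The function names and the sample chain are constructed for illustration, and the check compares names only; it does not verify signatures.

```shell
#!/bin/sh
# Added example: inspect a PEM bundle (leaf first) before uploading it to a keystore.
# Compares names only (subject/issuer hashes); it does not verify signatures.

# Split bundle $1 into $2/cert1.pem, $2/cert2.pem, ...; print the count.
split_chain() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                 n { print > (d "/cert" n ".pem") }
                 END { print n + 0 }' "$1"
}

# Return 0 when every certificate is issued by the one that follows it.
chain_order_ok() {
  dir=$(mktemp -d) || return 2
  count=$(split_chain "$1" "$dir"); i=1; rc=0
  [ "$count" -gt 0 ] || rc=2
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer_hash)
    parent=$(openssl x509 -in "$dir/cert$((i + 1)).pem" -noout -subject_hash)
    if [ "$issuer" != "$parent" ]; then
      echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"; return "$rc"
}

# Print the issuer DN of the last certificate: the CA the trust store must contain.
chain_anchor() {
  dir=$(mktemp -d) || return 2
  count=$(split_chain "$1" "$dir")
  openssl x509 -in "$dir/cert$count.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
  rm -rf "$dir"
}

# Build a constructed two-certificate chain (test root + wildcard leaf) in directory $1.
make_sample_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
  cat "$1/leaf.pem" "$1/ca.pem" > "$1/chain.pem"
}

# Usage: sh chaincheck.sh bundle.pem
if [ "$#" -gt 0 ]; then
  chain_order_ok "$1" && echo "order ok; trust store must contain: $(chain_anchor "$1")"
fi
```

With a cross-signed bundle, the name printed should be the older root; compare it against the OpenJDK cacerts list linked in the first reply.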