This is a quick article for newbies to Apigee who want secure API calls (port 443) to their company domain (e.g. yourCompany.com) going through Apigee Edge.
We will deal with the 101 of first-time loading certificates, working with TLS Keystores, and Virtual Hosts. It should be especially helpful for those who have common errors when working with these components the first time.
So if you’re trying to set-up your Apigee gateway to accept calls from api.yourCompany.com, then this is the article for you.
We will go through:
Pre-requisites
Here are the pre-requisites for this article:
Certificates can be painful and finicky to work with at the best of times, so we will go into some detail to ensure that your certificate will load and be valid in Apigee. In this example I will be using GoDaddy, but any valid Domain and Certificate Authority (CA) will do.
1. Add the “api” subdomain
Note: if you're using GoDaddy, do not use their Forwarding SUBDOMAIN option, as this is a URL forwarder that uses an intermediary URL shortener to forward requests. I personally think this is dodgy.
2. Create an SSL certificate for that subdomain
3. Get the certificate Apigee-ready
# Convert the DER-encoded certificate from your CA into PEM (do not add -text: the human-readable dump it prepends is not valid PEM)
openssl x509 -inform der -in certificate.cer -outform pem -out certificate.pem
-----BEGIN CERTIFICATE-----
Your certificate for api.yourCompany.com (the leaf/server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Your intermediate CA certificate(s), if your CA issued any
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Your root certificate
-----END CERTIFICATE-----
# Protect the private key with a passphrase; you will be asked for this passphrase when you load the key into the Keystore
openssl rsa -des3 -in unencrypted.key -out encrypted.key
Now that you have your certificate and private key Apigee-ready, it’s time to load them into a TLS Keystore so that they can be used by your virtual host when you set it up to terminate secure API calls to your Apigee org.
1. Create TLS Keystore
Note: Do not bother testing the Keystore at this stage. As your certificate is not yet attached to any host, no connection test can succeed and you will just get an error saying “Invalid Truststore. Unable to find valid certification path to requested target”.
After we’ve loaded the certificate and the key successfully into a TLS Keystore, it’s time to associate that certificate with a virtual host.
1. Create Virtual Host
Common error: “Virtual host creation/update failed due to keystore cert validation error. Cert is invalid or cannot be trusted by java trust anchors or CAs”. This generally occurs when the certificate chain in your PEM file is set up incorrectly. The root and intermediate certificates must be in the same PEM file so the chain of trust can be established, and they must be in the right order: root at the bottom, with the intermediates cascading above it.
2. Test your Keystore
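A way to check the layout of your PEM bundle before loading it, covering both the chain order shown earlier and the “cert is invalid or cannot be trusted” error above: this is an added example, not code from the article or from Apigee. It uses only the Python standard library to compare each certificate's issuer with the subject of the certificate below it and to flag stray text outside the PEM blocks; it does not verify signatures, so an empty result means the order is right, not that the chain is trustworthy. The toy_cert helper builds constructed, unsigned stand-in certificates so the checker can be exercised without real keys.

```python
import base64
import re

# One PEM certificate block; whatever remains after removing all blocks is stray text.
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(der, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw DER of the issuer and subject Names."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0               # skip the optional [0] EXPLICIT version
    _, _, pos = _tlv(tbs, pos)                    # serialNumber
    _, _, pos = _tlv(tbs, pos)                    # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)               # issuer Name
    _, _, pos = _tlv(tbs, pos)                    # validity
    _, subject, _ = _tlv(tbs, pos)                # subject Name
    return issuer, subject

def chain_problems(pem_text):
    """List what is wrong with a PEM bundle's layout; [] means leaf first, root last, nothing stray."""
    problems = []
    if _PEM_RE.sub("", pem_text).strip():
        problems.append("text outside the PEM blocks (e.g. the dump that openssl x509 -text prepends)")
    certs = [issuer_and_subject(base64.b64decode(b)) for b in _PEM_RE.findall(pem_text)]
    if not certs:
        return problems + ["no certificate blocks found"]
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:        # issuer of cert i must be the subject of cert i+1
            problems.append(f"cert {i} is not issued by cert {i + 1}: wrong order or missing intermediate")
    if certs[-1][0] != certs[-1][1]:              # the bottom cert must be the self-signed root
        problems.append("last cert is not self-signed: root missing or not at the bottom")
    return problems

# Constructed, unsigned toy certificates carrying only the fields the checker reads (not real X.509).
def _der(tag, body):                              # short-form lengths are enough for these toys
    return bytes([tag, len(body)]) + body
def _name(cn):                                    # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
def toy_cert(subject, issuer):
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + _der(0x30, b"\x06\x01\x00")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    der = _der(0x30, tbs + _der(0x30, b"\x06\x01\x00") + b"\x03\x01\x00")
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
```

Run chain_problems() on the text of your certificate.pem; each message it returns names the layout fault that would otherwise surface as the virtual-host validation error.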
Well done, you’re now ready to start getting those API calls securely through to your Apigee org via your company domain!
I hope this guide has helped you get your first, and most important, virtual host set up with your primary certificate for secure API traffic.