Certificate Chain Check

Overview

Whenever the API Gateway receives a client's X.509 certificate, either in an XML Signature or as part of an SSL handshake, it needs to determine whether that certificate can be trusted. Consider that it is a trivial task for a user to generate a structurally sound X.509 certificate, which can then be used to negotiate mutually authenticated connections to publicly available services.

Clearly, this scenario represents a security nightmare for IT administrators. You cannot allow any user to generate their own certificate and use it on the Internet. The server must be able to trust the authenticity of the client certificate. Furthermore, it must be able to verify that the certificate originated from a trusted source. To do this, a server can perform a certificate chain check on the client certificate.

The main purpose of certificate chain validation is to ensure that a certificate has been issued by a trusted source. Typically, in a Public-Key Infrastructure (PKI), a Certificate Authority (CA) is responsible for issuing and distributing certificates. This infrastructure is based on the premise of transitive trust: If everybody trusts the CA, everybody transitively trusts the certificates issued by that CA. If entities only trust certificates that have been issued by the CA, they can then reject certificates which have been self-generated by clients.

When a CA issues a certificate, it digitally signs the certificate and inserts a copy of its own certificate into it. This is called a certificate chain. Whenever an application (such as the API Gateway) receives a client certificate, it can extract the issuing CA's certificate from it, and run a certificate chain check to determine whether it should trust the CA. If it trusts the CA, it also trusts the client certificate.

The question then arises: how does the API Gateway decide to trust a Certificate Authority? The API Gateway maintains a repository of both trusted CA certificates and trusted server certificates for use in SSL communications. To trust a certain CA, that CA's certificate must be imported into the Certificate Store.

Configuration

The Policy Studio provides an easy-to-use interface for configuring certificate chain validation. This interface allows you to amalgamate CA and server certificates into groups such that if an incoming client certificate has been issued by any of the CAs in the group, the API Gateway trusts the certificate. Enter a name for the group in the Group Name field. To populate the new group, click the Add/Edit button.

By selecting a group from this list, the members of this group are displayed in the Certificate Alias table. To add or remove members of the selected group, click the Add/Edit button. Certificates can be added to and removed from new or existing groups using the Configure Trusted Certificate Groups dialog, which is displayed when you click the Add/Edit button.

The Configure Trusted Certificate Groups dialog consists of two main tables. The first lists all certificates currently in the Certificate Store (those trusted by the API Gateway). The second lists the members of the group selected in the Group Name field. To add a certificate to a trusted group, select it from the Certificate Store table, and click Add. The certificate appears in the group certificates table. Similarly, to remove a certificate from the group, select it from the group certificates table, and click <- Remove. The certificate is removed from the group table.

You can also add, remove, and view certificates in the Certificate Store using this dialog. To add a certificate to the Certificate Store, click Add, which displays the Import Certificate dialog. Browse to the location of the CA certificate file, and enter an Alias for the certificate. This alias is used to uniquely identify the certificate in the API Gateway. You can remove a certificate by selecting it in the Trusted Store table, and clicking Remove. The certificate is removed from the table, and is no longer trusted by the API Gateway.

Finally, you can also examine the details of any one of the certificates in the Certificate Store. To do this, again select a certificate from the Trusted Certificate table, and click the View button.