Oracle® Fusion Middleware
Part 4. Manage API Gateway security

You can use a Certificate Signing Request (CSR) from a Certificate Authority (CA) to obtain certificates used by API Gateway. Policy Studio can generate both X.509 certificates and associated private keys. However, it cannot generate a CSR. You may need to generate a CSR to request a CA to issue a certificate for use in the API Gateway.

This topic explains how to generate a CSR using the open source OpenSSL tool. It explains how to import the resulting certificate and corresponding private key into Policy Studio to be used in API Gateway configuration (for example, for SSL, signing, and encryption).

The API Gateway runtime incorporates X.509 certificate and private key material in its configuration store. However, this is not a Java Key Store (JKS).

A common misunderstanding is that certificates are trusted because they are imported into API Gateway configuration, and displayed in the Certificates view in Policy Studio. However, imported certificates are not trusted by default, and must be configured in Policy Studio.

OpenSSL is a free, popular and robust open source toolkit implementing Secure Sockets Layer (SSL) v2 and v3, Transport Layer Security (TLS) v1, and a full-strength general purpose cryptography library. OpenSSL is available on multiple platforms (for example, Linux, Solaris, and Windows) .

You can use OpenSSL to easily create CSRs. You can also use OpenSSL to create self-signed certificates for use in SSL or message-level security scenarios in a development environment for testing purposes. However, if required, it is considerably faster and easier to create self-signed developer certificates directly in Policy Studio, and there is no need to use an external CA.

You can use Policy Studio to generate certificates and private keys. However, certificates created in this way must be signed (self-signed or by a private key already configured in the tool). In most cases, this is not appropriate, so you should create the certificate and private key using a 3rd party tool such as OpenSSL.

The private key is required to generate the X.509 certificate and corresponding CSR. For example, the following command creates a private key file named mycompanyca.key with a key length of 2048 bits (strong) and a corresponding CSR in the file mycompany.csr:

openssl req -out mycompany.csr -new -newkey rsa:2048 -nodes \
-keyout mycompany.key
Country Name (2 letter code) []: US
State or Province Name (full name) [Some-State]: Massachusetts
Locality Name (e.g., city) []: Boston
Organization Name (e.g., company) [My Company Ltd]: Acme
Organizational Unit Name (e.g., section) []:
Common Name (e.g., server's hostname) [myserver]: api.acme.com
Email Address []: api-admin@acme.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []: Acme

You can now submit the CSR to a public or private CA, and the CA will issue the certificate to be imported into the API Gateway for use in SSL and message signing operations.

Each CA will have a slightly different process for submitting a CSR. However, most CAs provide a web-based interface for this purpose. After you submit the CSR to the appropriate CA, the CA will provide a signed version of the certificate, which you can then import into Policy Studio.

When you receive a signed certificate from the CA after submitting the CSR generated earlier, you must import both the certificate and associated private key into the appropriate key store in Policy Studio to enable SSL and message-level security. Depending on the CA used and how the certificate and key were generated, the certificate an key can be in separate files or combined in a single file.

Perform the following steps:

For more details, see Manage certificates and keys.

For more details on supported security features, see the API Gateway Security Guide.