
I read the documentation of "Securing APIs with Mutual SSL" for WSO2 API Manager 4.0.0. According to the document, you can register the client certificate that is authorized to access the API. However, the document has no description about the certificate of the CA (Certificate Authority) that signs the client certificate.

My question is:

  • Which CA certificates does the WSO2 APIM use to verify client certificates it receives?
  • Is it possible to register the CA certificate with a specific API in WSO2 APIM, instead of individual client certificates? That way, we could authorize a group of clients that have client certificates signed by the registered CA to use the API.
Toshio Ito

1 Answer


You can find the CAs that are already included in the API Manager distribution from APIM_HOME/repository/resources/security/client-truststore.jks.

Regarding adding CAs for Mutual SSL rather than adding individual certificates, currently there seems to be a bug in this flow and we can't use root CAs. I have created a git issue [1] for this and you can track the progress.

[1] - https://github.com/wso2/api-manager/issues/873

Lakshitha
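To see which CAs a given APIM node actually trusts, and to check whether a particular client certificate chains to one of them, here is an added shell example (it is not from the post and not WSO2's own tooling). It assumes keytool and openssl are on PATH, that APIM_HOME points at the installation, and that the truststore uses WSO2's default password wso2carbon (override with STOREPASS).

```shell
# Added example: inspect the APIM client truststore and verify a client cert against it.
# Assumptions (not from the post): keytool and openssl on PATH; APIM_HOME set;
# truststore password is WSO2's default "wso2carbon" unless STOREPASS overrides it.
TRUSTSTORE="${APIM_HOME:-/opt/wso2am-4.0.0}/repository/resources/security/client-truststore.jks"
STOREPASS="${STOREPASS:-wso2carbon}"

# Print "alias<TAB>subject DN" for every entry in the truststore.
# Returns 2 if the truststore path is not readable.
list_truststore_cas() {
  store="${1:-$TRUSTSTORE}"
  [ -r "$store" ] || { echo "truststore not readable: $store" >&2; return 2; }
  keytool -list -v -keystore "$store" -storepass "$STOREPASS" 2>/dev/null \
    | awk '/^Alias name:/ {alias=$3} /^Owner:/ {sub(/^Owner: /, ""); print alias "\t" $0}'
}

# Export every trustedCertEntry as PEM into a temporary bundle, then ask openssl
# whether the PEM client certificate in $1 chains to one of those CAs.
# Returns 0 if it chains, non-zero otherwise (2 if an input file is missing).
verify_client_cert() {
  cert="$1"; store="${2:-$TRUSTSTORE}"
  [ -r "$cert" ] && [ -r "$store" ] || { echo "missing input: $cert / $store" >&2; return 2; }
  bundle=$(mktemp) || return 2
  for alias in $(keytool -list -keystore "$store" -storepass "$STOREPASS" 2>/dev/null \
                 | awk -F, '/trustedCertEntry/ {print $1}'); do
    keytool -exportcert -rfc -alias "$alias" -keystore "$store" \
      -storepass "$STOREPASS" >> "$bundle" 2>/dev/null
  done
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; rc=$?
  rm -f "$bundle"
  return $rc
}
```

A client certificate that fails verify_client_cert will not be accepted by Mutual SSL even after it is registered against the API, so this is the first thing to check when a handshake is rejected.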