Add a certificate - calling a webservice

Hi,

This is a newbie question, please forgive my ignorance. I am trying to upload a certificate that is needed to call a web service. The organization that hosts the service has provided a pkcs12 certificate. After converting it to several pem files (cert, key and one combined) I have been able only to upload the cert.pem file. When calling the endpoint it returns the error that the handshake has failed.

Steps taken

  • Called the web service with Postman → the service returns an error, indicating that it needs a certificate.
  • Downloaded the X-TEST.p12 file from the organization, hosting the web service. The file is a pkcs12 file.
  • Converted the X-TEST.p12 file to a cert file with openssl: openssl pkcs12 -in .\X-TEST.p12 -out xtest.crt.pem -clcerts -nokeys
  • Converted the X-TEST.p12 file to a key file with openssl: openssl pkcs12 -in .\X-TEST.p12 -out xtest.key.pem -nocerts -nodes
  • In Postman added the cert and key file to the domain
  • Tested the web service in Postman → success
  • Converted the X-TEST.p12 file to a combined file with openssl: openssl pkcs12 -in .\X-TEST.p12 -out xtest.pem
  • Opened the Tyk dashboard, navigated to “Certificates”
  • Tried adding the combined file to Tyk (since I thought that this is what it is asking) → Error: “Could not create certificate:”
  • Tried adding the cert file to Tyk → success
  • Added an API for the web service
  • Added the header for “content-type” “text/xml”
  • Added the body request transform to output a fixed XML, the same as in Postman
  • Added the certificate to the API
  • Uploaded the API
  • Called the API from Postman → Error:

error 96c2a03#characters#8c3ea6 2018-03-07T15:11:40Z http: proxy error: remote error: tls: handshake failure 192.#n#.#n#.4 acceptatie.#domain#.nl

What did I do wrong? How can I make this work?

Ger

First of all, can you clarify if you are using our cloud or on-prem version?

In order to make requests with the client certificate, you need to have both public and private keys, and as you mentioned, when you provided both to Postman it worked as expected.

Tyk expects the same, so your first attempt at uploading the combined PEM file was right; however, I'm not sure why you got such an error without a detailed description. Uploading only the “public” certificate won't work in this case.

So, since your public cert was uploaded successfully, I wonder if the issue is with the private key format. If you open this combined PEM file, you should see 2 records in this file, looking like:

----- <PUBLIC HEADER> ------
....
----- END <PUBLIC HEADER> ----
----- <PRIVATE HEADER> ------
....
----- END <PRIVATE HEADER> ----

If possible, can you please post the values of these headers here, of course without the certificate contents. And for the private key, please check if there are additional headers like Proc-Type: 4,ENCRYPTED or similar.

Also, you can try to manually concatenate the key and cert files, just in a text editor, and try uploading that to Tyk.

Also, you mentioned that you uploaded the certificate in the “Certificates” section of the dashboard.
Do not forget that to make it work with mutual TLS upstream, you should also go to the API designer, “Advanced” tab, “Upstream Certificates” section, and specify both the domain and the certificate ID you want to set for this URL.

Hope it helps!

Hi Leon,

Thanks for your reply.

Combining the two files manually works!!! Thanks a lot!

I started to answer before testing the combining of the two files manually. Maybe you are interested in the rest, otherwise TL;DR

Ger

I’m running in docker images on premise.
The combined file doesn’t have the headers you described. I will put the file here, trying not to mutilate it too much :wink:

Bag Attributes
localKeyID: 29 CB #some more pairs# DB 7F 8D
friendlyName: X-TEST client certificate
subject=/O=X-TEST/CN=X-TEST client certificate
issuer=/C=NL/ST=Noor#characters indicating the issuer# CA
-----BEGIN CERTIFICATE-----
certificate stuff#
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Comp#some characters#A
subject=/C=NL/ST=Noo#some characters#CA
issuer=/C=NL/ST=Noo#some characters#Root CA
-----BEGIN CERTIFICATE-----
certificate stuff#
-----END CERTIFICATE-----
Bag Attributes
friendlyName: T#Some characters# CA
subject=/C=NL/ST=Noor#Some characters# Root CA
issuer=/C=NL/ST=Noo#Some characters#Root CA
-----BEGIN CERTIFICATE-----
certificate stuff#
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 29 #Some pairs# 8D
friendlyName: X-TEST client certificate
Key Attributes:
-----BEGIN ENCRYPTED PRIVATE KEY-----
#Key stuff#
-----END ENCRYPTED PRIVATE KEY-----

The separate files look different:
Cert:

Bag Attributes
localKeyID: 29 CB #Some pairs# 7F 8D
friendlyName: X-TEST client certificate
subject=/O=X-TEST/CN=X-TEST client certificate
issuer=/C=NL/ST=Noo#Some characters# CA
-----BEGIN CERTIFICATE-----
certificate stuff#
-----END CERTIFICATE-----

KEY:

Bag Attributes
localKeyID: 29 CB C0 #Some pairs# 7F 8D
friendlyName: X-TEST client certificate
Key Attributes:
-----BEGIN PRIVATE KEY-----
#Key stuff#
-----END PRIVATE KEY-----

(Going to try to do a response body transform: fingers crossed)

Pity: the response body transform malfunctions just like the other one.

I guess I will have to create a gRPC call to handle the response.

Ger
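The check Leon describes (two PEM records, no encrypted-key headers) and the difference between the combined file above (ENCRYPTED PRIVATE KEY, exported without -nodes) and the separate files (plain PRIVATE KEY), as an added example that is not part of this thread: a small Python linter for a cert+key PEM bundle, plus the "merge the two files by hand" step that keeps only the PEM blocks. The sample files are constructed with placeholder bodies, and the rule that the gateway needs an unencrypted key is the assumption being checked.

```python
import re

# Constructed samples in the shape of the thread's openssl output; the
# base64 bodies are placeholders, not real certificate or key material.
CERT_FILE = """Bag Attributes
    localKeyID: 29 CB DB 7F 8D
    friendlyName: X-TEST client certificate
subject=/O=X-TEST/CN=X-TEST client certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""
KEY_FILE_NODES = """Bag Attributes
    localKeyID: 29 CB DB 7F 8D
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBSU4gS0VZ
-----END PRIVATE KEY-----
"""
# Shape of the key record when the p12 is exported without -nodes (constructed).
KEY_FILE_ENCRYPTED = KEY_FILE_NODES.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----\n?", re.S)
PLAIN_KEY_TYPES = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return (type, body, whole_block) per PEM block; Bag Attributes lines are skipped."""
    return [(m.group(1), m.group(2), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def lint_bundle(text):
    """Reasons a gateway could not load this text as certificate + usable private key."""
    blocks = pem_blocks(text)
    types = [t for t, _, _ in blocks]
    problems = []
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block")
    plain_keys = [t for t in types if t in PLAIN_KEY_TYPES]
    if "ENCRYPTED PRIVATE KEY" in types and not plain_keys:
        problems.append("private key is PKCS#8 passphrase-encrypted; re-export with -nodes")
    elif not plain_keys:
        problems.append("no private key block")
    for t, body, _ in blocks:  # legacy OpenSSL encryption lives in headers inside the block
        if t in PLAIN_KEY_TYPES and "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{t} carries legacy Proc-Type: 4,ENCRYPTED header")
    return problems

def combine(cert_text, key_text):
    """Merge the two openssl output files: certificate(s) first, then the plain key,
    keeping only the PEM blocks. Raises if the key file holds no usable key."""
    certs = [w for t, _, w in pem_blocks(cert_text) if t == "CERTIFICATE"]
    keys = [w for t, _, w in pem_blocks(key_text) if t in PLAIN_KEY_TYPES]
    if not certs or not keys:
        raise ValueError("need a CERTIFICATE and an unencrypted private key")
    return "".join(certs + keys)
```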