Use pfx certificates

Hi,
We want to consume an API through Tyk that has mutual TLS enabled. We need to send a pfx certificate file and a passphrase in order for the API to work. But this tells me that only pem certificates are allowed. Is there any way in Tyk to use pfx certificates with a passphrase?

Hi,

I’m not sure what you mean by sending a pfx certificate in order for the API to work. Are you referring to the stage of installing the certificate in Tyk and configuring mTLS or has that been done already and you’re referring to calling the API with a client?

If it’s to do with setting up the API in Tyk, then all that is required is the public certificate. Public certificates by nature of being public are not secret so don’t need to be encrypted and converting to a PEM file and uploading them into Tyk doesn’t present any security risk.

If it’s to do with calling an existing API that already has mTLS enabled then this is outside Tyk and within the client application. If it is possible to write or configure the client to use a password-protected PFX file then it will allow the client to sign the traffic with the gateway and complete the mTLS negotiation.

It’s also possible that this question is about upstream mTLS? If that’s the case then Tyk needs the certificate and private key in a single PEM file (without password) to be uploaded to the certificate store. When certificates with private keys are uploaded to the store they are securely encrypted and stored in Redis.

Cheers,
Pete
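
For the upstream mTLS case in the reply above, a passphrase-protected PFX can be converted with OpenSSL into the single passwordless PEM it describes. This is an added example, not part of the original thread or Tyk's own tooling; the function names, file names, the `PFX_PASS` variable and the certificate-then-key ordering are assumptions.

```shell
#!/bin/sh
# Convert a passphrase-protected PFX into one unencrypted PEM holding the
# client certificate followed by its private key (ordering is this
# example's choice). The passphrase is read from the exported PFX_PASS
# variable so it does not appear in the process list or shell history.

pfx_to_pem() {   # usage: PFX_PASS=... pfx_to_pem client.pfx combined.pem
    pfx=$1 out=$2
    ( umask 077   # the output contains an unencrypted private key
      # Piping through x509 / pkey strips the "Bag Attributes" text.
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys \
          | openssl x509 > "$out" &&
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes \
          | openssl pkey >> "$out"
    ) || { rm -f "$out"; return 1; }   # wrong passphrase: leave no partial file
}

# Confirm the private key in the PEM belongs to the certificate in it by
# comparing the public key derived from each.
pem_key_matches_cert() {   # usage: pem_key_matches_cert combined.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: a throwaway self-signed certificate exported
# to DIR/client.pfx, protected with PFX_PASS. Not a real credential.
make_sample_pfx() {   # usage: PFX_PASS=... make_sample_pfx DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout env:PFX_PASS -out "$1/client.pfx"
}
```

The combined file holds the key in the clear until it is uploaded, so keep it on a restricted path and delete it once it is in the certificate store.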