MutualSSL Authentication
The process of authenticating and establishing an encrypted channel using certificate-based mutual authentication involves these steps:
- A client (API Gateway) requests access to a protected resource (your target server).
- The target server presents its certificate to the client.
- API Gateway verifies the server’s certificate.
- If successful, API Gateway sends its copy of your target’s certificate to the server.
- The target server verifies the supplied certificate.
- If successful, the target server grants access to the API resource requested by the gateway.
To use MutualSSL on your target server, you must supply a PKCS#12.pfx file that contains your server’s certificate, the private key used to generate the certificate, and all the intermediate certificates up to and including the CA root certificate. It is best security practice that your .pfx file is protected by a passphrase. You must supply this passphrase as well. These items will be required at the time of configuration.
At runtime API Gateway reads the BASE64 string from the certificate and converts it back into a binary buffer, which it attaches to the request along with the passphrase. Thus, your target server receives its own certificate as part of the request, which API Gateway forwards to it. If the certificate is not correct, your server would reject the call, but that should never happen unless there has been a misconfiguration or the supplied .pfx was incorrect in some way.