Description
When the CA-signed certificate is used as the client certificate, mTLS fails and the following error message appears in the wso2carbon.log file. However, it works fine when using a self-signed certificate.
[2025-03-30 09:58:35,828] ERROR - MutualSSLAuthenticator Mutual SSL authentication failure. API is not associated with the certificate
Steps to Reproduce
- Start the latest APIM 4.4.0 distribution.
- Deploy a sample API and enable client-side mutual SSL authentication [1].
- Upload a CA-signed certificate chain as the client certificate via the Publisher portal.
- You can follow the steps provided under "Steps to Generate a CA-Signed Certificate" to generate the CA-signed certificate.
- Subscribe to the API via the Developer Portal and generate an access token.
- Invoke the API using the following sample curl command, providing the client certificate and private key.
curl -X 'GET' \
'https://localhost:8243/pizzashack/1.0.0/menu' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <ACCESS_TOKEN>' --cert server.pem --key server.key
Steps to Generate a CA-Signed Certificate
- Create a Root Key
openssl genrsa -out rootCA.key 2048
- Create a Root Certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
- Create a private key for your server
openssl genrsa -out server.key 2048
- Create a CSR (Certificate Signing Request)
openssl req -new -key server.key -out server.csr
- Sign the CSR with your Root CA
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256
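As an added example (not part of the issue or of the WSO2 project), the same certificate steps made non-interactive, followed by the checks worth running on the resulting client chain before attributing the failure to the gateway: that the leaf verifies against rootCA.pem, how many certificates server.pem carries, and which entry is the leaf that the API must be associated with. The -subj values, the clientAuth extension and the assumption that server.pem (the file the curl command presents) is server.crt followed by rootCA.pem are assumptions made here, not the reporter's.

```shell
# Added example, not from the issue: the reporter's CA-signed certificate steps made
# non-interactive, plus checks on the resulting client chain. Assumptions made here:
# the -subj values, the clientAuth extension, and server.pem = server.crt + rootCA.pem.
set -eu

# Root CA plus a CA-signed leaf, written into directory $1.
make_ca_signed_chain() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=Example Root CA" -out "$dir/rootCA.pem" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=pizzashack-client" \
        -out "$dir/server.csr" 2>/dev/null
    # Mark the leaf as an end-entity TLS client certificate when signing it.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -extfile "$dir/client.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # Chain file for curl --cert: leaf first, then the issuing CA.
    cat "$dir/server.crt" "$dir/rootCA.pem" > "$dir/server.pem"
}

# Exit status 0 only if the leaf chains to the root CA.
verify_chain() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject, issuer and SHA-256 fingerprint of every certificate in a PEM bundle,
# so it is clear which entry is the leaf the API has to be associated with.
describe_bundle() {
    awk -v base="$1" '/BEGIN CERTIFICATE/{n++} n>0{print > (base ".part" n)}' "$1"
    for part in "$1".part*; do
        openssl x509 -in "$part" -noout -subject -issuer -fingerprint -sha256
        echo "---"
    done
    rm -f "$1".part*
}

demo_dir=$(mktemp -d)
make_ca_signed_chain "$demo_dir"
verify_chain "$demo_dir" && echo "server.crt verifies against rootCA.pem"
echo "certificates in server.pem: $(count_certs "$demo_dir/server.pem")"
describe_bundle "$demo_dir/server.pem"
```

Compare the fingerprint printed for the pizzashack-client entry with the certificate the Publisher portal holds for the API; the issuer line shows whether a given entry is the leaf or the root.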
Version
4.4.0
Environment Details (with versions)
No response