Mutual SSL enabled API call is not happening via postman in WSO2 API Manager 4.1.0 GA Release

I am trying Mutual SSL in WSO2 APIM 4.1.0 GA Release. I have created a self-signed certificate by using Java Keytool.

OS : Windows 11

Below are the commands to generate certificate:

Creating new Keystore:

keytool -genkey -keyalg RSA -alias dev.wso2.com -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks" -validity 4000

Convert to pkcs12 format:

keytool -importkeystore -srckeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -destkeystore C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks -deststoretype pkcs12

Export public key

keytool -exportcert -alias dev.wso2.com -rfc -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.jks"

import the public key to trust store:

keytool -import -alias dev.wso2.com -file "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\devwso2.pem" -keystore "C:\pathtoAPIM\wso2am-4.1.0\repository\resources\security\client-truststore.jks"

  • The certificate was added successfully into the truststore, and I validated the certificate from the management console too.

  • Created an API in the Publisher portal and enabled Mutual SSL as mandatory

  • Uploaded a new client certificate and marked OAuth as optional under Application level security

  • API is published into devportal.

Invoke an API secured with Mutual SSL using Postman

  • Added the certificate and private key in Certificate tab of Postman settings.
      Host: dev.wso2.com
      CRT file: dev.wso2.crt
      KEY file: devwso2.pem
      Passphrase: keystorepwd

  • In General tab, SSL Certificate Verification is OFF

API Hit in postman:

  • As you can see in the above screenshot, an error like Error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE was received in Postman.

CURL:

curl -vk  GET "https://dev.wso2.com:8243/mutualsslapi/1.0.0" -H "accept: applicaition/json"  --cert "C:\Development_Avecto\Learning\File\dev.wso2.crt" --key "C:\Development_Avecto\Learning\File\devwso2.pem"

After executing the above curl in cmd, I am getting the below error:

    * Could not resolve host: GET
    * Closing connection 0
    curl: (6) Could not resolve host: GET
    *   Trying 127.0.0.1:8243...
    * Connected to dev.wso2.com (127.0.0.1) port 8243 (#1)
    * schannel: disabled automatic use of client certificate
    * schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002
    * Closing connection 1
    curl: (58) schannel: Failed to import cert file C:\Development_Avecto\Learning\File\dev.wso2.crt, last error is 0x80092002

May I know why this Mutual SSL protected API call is not happening? How can we fix this?

2
nuwan karunarathna On BEST ANSWER

Seems like an issue with the certificates that you are using.

Try the following commands to generate a private key and a public certificate out of it.

Generated a Key

openssl genrsa -out self.key 2048

Generated the certificate

openssl req -key self.key -new -x509 -days 365 -out self.crt

Then test an API configured as below. Note that the certificate has been added to the API under Transport level security.

Then use the key and certificate in Postman as below.

You will be able to invoke the API. Test whether a similar configuration like this works for Mutual SSL.
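
OpenSSL reports NO_START_LINE when a file lacks the PEM block it expects, and in the question the file given to Postman as KEY (devwso2.pem) was written by keytool -exportcert, which exports a certificate. The Python sketch below is an added example, not part of the answer above; its function names are hypothetical and its sample data is constructed. It lists the PEM block labels in each file and flags a client pair that lacks a certificate or a private key block; it checks labels only, not that the key matches the certificate.

```python
import re
import sys

# PEM armor: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Constructed samples: placeholder bodies, not real key material.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def pem_labels(data):
    """Return the label of every PEM block in data ([] for DER or other binary)."""
    text = data.decode("ascii", errors="replace")
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_client_pair(crt, key):
    """List the reasons a TLS client could not load crt/key as a PEM pair."""
    problems = []
    crt_labels, key_labels = pem_labels(crt), pem_labels(key)
    if "CERTIFICATE" not in crt_labels:
        problems.append(f"CRT file: no CERTIFICATE block, found {crt_labels or 'no PEM data'}")
    if not KEY_LABELS & set(key_labels):
        problems.append(f"KEY file: no private key block, found {key_labels or 'no PEM data'}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py client.crt client.key
        with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as k:
            crt, key = c.read(), k.read()
    else:  # no files given: reproduce the mix-up with the constructed samples
        crt, key = SAMPLE_CERT, SAMPLE_CERT
    for problem in check_client_pair(crt, key) or ["pair looks loadable"]:
        print(problem)
```
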

0
chashikajw On

This seems like a Postman-specific issue. Can you check the options mentioned here[1] to solve the issue? Or it can be due to some structure issue in the crt file.

[1] https://community.postman.com/t/error-errorpem-routinesno-start-line/32031

0
Justin On

As suggested by @nuwan karunarathna,

  • I have installed OpenSSL on a Windows machine.

  • Created the certificate and private key using the openssl command mentioned here

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout "C:\path_to_wso2apim_security_folder\privatekey.key" -out "C:\path_to_wso2apim_security_folder\certificate.crt"

  • Enabled Mutual SSL in the Publisher portal and attached the certificate at API level

  • Added the certificate, host and private key in Postman settings (Certificate tab)

  • Restarted the WSO2 APIM server, and API hits are happening now.