Renew certifcates in WSO2 EI client trust store

424 Views Asked by At

We are using WSO2 integrator 6.4. To be able to connect to 3rd party HTTPS servers, we need to add server's certificate to client-truststore.jks. A lot of servers now use certificates from https://letsencrypt.org with 3 months TTL. That means we must renew certificates every three months for every 3rd part server in our enviroment otherwise we get "Error in Sender" error. Is there a way to disable certificate checking in WSO2 EI at all? Or maybe it is possible to make some automatic scenario to renew certificates in client-truststore.jks? Or can we check certificates in client-truststore.jks inside wso2 ei itself and send warnings before expiration?

2

There are 2 best solutions below

0
On BEST ANSWER

A little basic in TLS trust.

When do you have explicit trust, trusting individual certificates (often done for self-signed certificates). Indeed this approach creates significant management overhead, mainly when onboarding, offboarding new service hosts or with short-lived certificates.

For TLS (SSL) an implicit trust is used. Your application trusts a list of (long lasting) the issuers - Certificate authorities (CA). Event the list of the CA certificates change over time, so some manual management may be necessary anyway.

Is there a way to disable certificate checking in WSO2 EI at all?

Yes, there is (in axis2.xml), but that lowers the security and the traffic would be vulnerable to a man-in-the-middle attack.

We solved this issue by adding only root CA certificates of letsencrypt to client-truststore.jks.

Yes, this is the correct approach. If you have closed environment (not able to access internet), you may need to add all the certificate chain (root and iternmediate signing certificates)

0
On

We solved this issue by adding only root CA certificates of letsencrypt to client-truststore.jks. That was enough for wso2ei to trust all servers with certificates of Letsencrypt.