Layer7 API Management

  • 1.  Unexpected value for certificate serial number

    Posted Nov 03, 2016 05:36 PM

    We require certificates for incoming requests.  In a policy, I have been logging the serial number from the certificate attached to a request. The serial number in the log does not match what I see if I open the certificate directly on my laptop.  The serial number being logged is ${request.ssl.clientCertificate.serial}.  I tried converting to/from hex, but that does not make the two values jibe.


    Similarly, if I import a certificate using Manage Private Keys, the serial number displays a different value than if I open the certificate outside Policy Manager.


    Is policy manager or gateway changing the value it displays for serial number?  I would expect the log to contain the same serial number I see when I open the certificate outside Policy Manager.



  • 2.  Re: Unexpected value for certificate serial number

    Broadcom Employee
    Posted Nov 07, 2016 04:11 PM

    Hello,


    Does your certificate contain an email address in the subject DN? If a certificate contains EMAILADDRESS in the Subject DN and if EMAILADDRESS is used to sign the message using Issuer Name/Serial Number signature key reference, the Gateway cannot recognize this credential.


    I was able to see the same behavior you mentioned on a 9.1 Gateway only when using EMAILADDRESS. Once this was updated, the serial number returned from ${request.ssl.clientCertificate.serial} matches the certificate in Manage Certificates.


    Regards,

    Joe



  • 3.  Re: Unexpected value for certificate serial number
    Best Answer

    Broadcom Employee
    Posted Nov 07, 2016 04:58 PM

    Good afternoon,


    The value that you see in the logs and in the Policy Manager is the decimal representation of the certificate serial number, not the hexadecimal representation.


    Example of the various outputs:

    Policy Manager Manage Certificates: 16865741392225626044

    OpenSSL command: 16865741392225626044 (0xea0f26700d35e7bc)

    Windows: 00 ea 0f 26 70 0d 35 e7 bc


    The key difference between the Windows and the OpenSSL output is that the 0x and the leading 00 identify that the value is hexadecimal.


    Please open an Idea through our community to have both displayed in the product if you feel that it will help.


    Sincerely,


    Stephen Hughes

    Director, CA Support
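The conversions behind the best answer, as an added example that is not part of the thread or of the Layer7 product: a few stdlib-only Python 3.8+ helpers that turn the Gateway's decimal serial, OpenSSL's 0x hex and the Windows byte view into one integer so a logged serial can be checked against the certificate file. The function names are my own; the leading 00 that Windows shows is the DER INTEGER sign pad, which these helpers reproduce.

```python
"""Normalize X.509 serial numbers across the three renderings in the thread."""
import re


def serial_from_der_bytes(text: str) -> int:
    """Parse a serial given as hex bytes ('00 ea 0f ...' or 'ea:0f:...').

    Windows shows the raw DER INTEGER bytes; OpenSSL's -text view shows the
    same bytes colon-separated but without the 00 pad. Serials are positive
    (RFC 5280), so unsigned big-endian decoding is correct for both views:
    the pad byte contributes nothing when present.
    """
    raw = bytes.fromhex(re.sub(r"[\s:]", "", text))
    return int.from_bytes(raw, byteorder="big", signed=False)


def der_bytes_from_serial(serial: int) -> str:
    """Render a serial the way Windows does: minimal DER two's-complement
    bytes, so a 00 is prepended whenever the top bit of the first byte is set
    (otherwise the value would read as negative)."""
    if serial <= 0:
        raise ValueError("RFC 5280 serial numbers are positive integers")
    length = (serial.bit_length() + 8) // 8   # one extra bit for the sign
    return serial.to_bytes(length, byteorder="big", signed=True).hex(" ")


def openssl_style(serial: int) -> str:
    """Render as decimal plus 0x hex, like the OpenSSL line in the answer."""
    return f"{serial} ({hex(serial)})"


def normalize_serial(text: str) -> int:
    """Accept decimal (Gateway/Policy Manager), 0x hex (OpenSSL) or a
    spaced/colon byte string (Windows, openssl -text) and return the int."""
    s = text.strip()
    if re.search(r"[\s:]", s):
        return serial_from_der_bytes(s)
    if s.lower().startswith("0x"):
        return int(s, 16)
    return int(s, 10)


def serials_match(logged: str, from_file: str) -> bool:
    """True when the Gateway's logged serial and any other rendering agree."""
    return normalize_serial(logged) == normalize_serial(from_file)
```

Run `serials_match("16865741392225626044", "00 ea 0f 26 70 0d 35 e7 bc")` against the values from the answer to confirm they are the same serial.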