2.2 Overview of the Backend Service SSL Validation Process

Secure API Manager automatically validates SSL for the backend service when the API uses SSL. It validates the SSL connection in two ways:

  • Validating the backend service server's certificate chain all the way to either a well-known trusted root or a configured trusted root.

  • Validating that the backend service domain name matches the name in the backend service server's certificate.

By default, Secure API Manager has the backend service SSL certificate validation enabled. You can disable it for testing purposes or in situations where network professionals determine that it is not needed. You can disable the backend service SSL certificate validation process by deselecting Validate SSL Certificate when you edit an API. We recommend that you always leave it enabled.

Disabling the backend service SSL certificate validation means that you do not need a Trusted Root certificate in the backend service configuration.

Enabling the backend service SSL certificate validation means:

  • If the backend service server's certificate uses a well-known trusted root certificate, then you do not have to configure a Trusted Root for the Backend Service.

  • If the backend service server's certificate does not use a well-known trusted root certificate, then you must configure a Trusted Root for the backend service. The Trusted Root must meet these guidelines:

    • The certificate chain:

      • Must have each certificate in PEM format

      • Must contain no duplicate certificates

      • Must be a well-formed certificate chain

    • Secure API Manager uses the domain names or IP addresses you added when creating or editing an API under Backend Service > Services as the value to match against the server certificate's subject name. Secure API Manager uses a domain name if one exists; otherwise, it uses an IP address. This means that if you use an IP address in the Backend Service > Services definition, the backend service server certificate must include a Subject Alternative Name (SAN) entry for each IP address you added.
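To make the guidelines above concrete, here is an added pre-flight script (not part of Secure API Manager or this documentation) that applies the Trusted Root PEM rules to a bundle and the documented name-matching rule to the Backend Service > Services values. The certificate's names are passed in as an already-parsed dictionary (an assumption; a real check would extract them from the server certificate), and subject/issuer chain validation is left to an X.509 tool such as openssl.

```python
import hashlib
import ipaddress
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_trusted_root_pem(pem_text: str) -> list:
    """Problems in a Trusted Root bundle: non-certificate blocks, duplicates, nothing parseable.
    Subject/issuer chaining is not verified here; that needs an X.509 parser such as openssl."""
    problems, seen = [], set()
    if re.search(r"-----BEGIN (?!CERTIFICATE-----)", pem_text):
        problems.append("non-certificate PEM block present (keys/CSRs are not allowed)")
    for body in PEM_CERT.findall(pem_text):
        digest = hashlib.sha256("".join(body.split()).encode()).hexdigest()[:16]
        if digest in seen:
            problems.append(f"duplicate certificate (sha256 {digest}...)")
        seen.add(digest)
    if not seen:
        problems.append("no PEM certificate block found")
    return problems

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' only as the entire leftmost label, never spanning a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    return p == h or (p[0] == "*" and len(p) == len(h) >= 3 and p[1:] == h[1:])

def backend_names_match(services: list, cert: dict) -> dict:
    """Apply the documented rule to the Backend Service > Services values.
    cert = {"cn": str, "dns_sans": [..], "ip_sans": [..]} (constructed; a parsed SAN extension)."""
    domains = [s for s in services if not _is_ip(s)]
    results = {}
    for svc in (domains or services):        # domain names win; IPs are only used if no domain exists
        if _is_ip(svc):                      # an IP must appear as an IP-type SAN entry
            ip = ipaddress.ip_address(svc)
            results[svc] = any(ip == ipaddress.ip_address(x) for x in cert.get("ip_sans", []))
        else:                                # DNS SANs; CN only when the cert has no DNS SAN at all
            names = cert.get("dns_sans") or [cert.get("cn", "")]
            results[svc] = any(dns_name_matches(n, svc) for n in names)
    return results
```

A configured IP address with no matching IP SAN entry is reported as a mismatch even when the certificate's CN or DNS names look right, which is the failure mode the text describes.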