The CA API Gateway ("Gateway") is throwing errors when transacting with the Google Maps API. Depending on the configuration of the Gateway and it's certificate store, the errors encountered will range.
The common error encountered speaks to certificate validation / verification issues and a lack of trust for the certificate presented by Google's servers.
An example error encountered when key usage enforcement policies are in place: Unable to obtain HTTP response from <GoogleMapsAPI_URL>: Certificate not verified. Caused by: Certificate key usage or extended key usage disallowed by key usage enforcement policy for activity: sslServerRemote
All Gateway nodes which make calls to the Google Maps API after changes are made to the certificates on Google's servers.
Google is making changes to the way it issues certificates. Most notably, they are changing from using a Symantec-provided root CA to a Google-owned root CA. These changes are being done in batches and over a long period of time.
Google has their own support page for this certificate migration here for reference: https://developers.google.com/maps/root-ca-faq
Of note are the following statements from the Google support page which explain what is happening and why it is happening:
- "In late 2017 the Google will update the root TLS/SSL certificate which is used to verify the security of connections to the Google Maps APIs. The vast majority of clients will not be affected by this change but the owners of some applications may need to verify and update their client services."
"Google is working on a multi-year plan to issue and use its own root certificates, the cryptographic signatures which are the basis of TLS/SSL internet security used by HTTPS. Currently, the TLS security of the Google Maps APIs is guaranteed by a root certificate issued by GeoTrust Global CA, a very well known and widely trusted certificate authority (CA) which is owned by Symantec. Practically all TLS clients (such as Web browsers, smartphones, and application servers) are aware of this root certificate, and therefore can use it to ensure that they have a secure connection to the Google Maps APIs servers. By the early 2020s, Google plans to migrate all Google Maps API services to a root certificate issued by Google's own certificate authority, Google Trust Services (GTS). As an interim step, in late 2017 the Maps APIs will migrate to another widely-trusted root certificate from GlobalSign (GS). Google has purchased the use of this root certificate (and the CA that GlobalSign used to issue it) in order to ease the certificate transition."
"As announced in the Google Maps API Premium Plan customer support portal on March 16 2017, and earlier on the Google Security Blog, Google has created its own root CA, GTS. Along with other Google services, the Google Maps APIs will gradually transition to TLS certificates signed by GTS root CAs. As an interim step, Google has purchased the existing, widely-trusted GS Root R2 CA. The Google Maps APIs will migrate from the GeoTrust root certificate to this certificate in late 2017. Almost all TLS clients are preconfigured with the GS Root R2 certificate or receive it via normal software updates, but, if an application connects to the Google Maps APIs from clients that may not recognize this certificate, the application developers should ensure that the clients are tested and if necessary updated with the certificate. The GS Root R2 certificate and all GTS root certificates are available via the GTS site. For testing purposes, the GTS site also provides endpoints with TLS certificates signed by each CA. In particular, if your client can establish a TLS connection to GS Root R2 test endpoint then it trusts the GS Root R2 certificate and should not be affected by the upcoming change. Google will rely on GS Root R2 CA at least through the end of 2018. After that, the Google Maps APIs may transition directly to the GTS CA, or may on occasion fall back to third-party root CAs including GS Root R3 CA."
Ultimately, it is best to follow Google's support page for instructions as the changes causing the issue are owned by Google.
For Gateway administrators, the resolution is usually as simple as updating the certificate store on the Gateway to include Google's new certificates. From Google's own support page, they state the following:
- "To completely future-proof your application, we recommend your applications trust all root certificates listed in the Google sample PEM file. This file includes all CAs that may plausibly be used by Google services in the foreseeable future."
In some cases, Gateway administrators may need to modify key usage policies to work with Google's certificates and particularly the key usages Google defined for their certificates. The Gateway documentation has a page on the key usage enforcement policy.