Certificate expiry and renewal

How to renew and replace TLS certificates in your VMware deployment.

The instructions in this topic apply only to the management, portal, and analytics subsystems. For gateway appliance-specific instructions, see Configuring the API Connect Gateway Service in the appropriate version of the DataPower documentation.
Note: The API invocation certificate (the certificate that is presented to callers of your APIs) is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.

All ingress certificates in API Connect have a duration of 2 years. To avoid an outage when they expire, they must be manually renewed before expiration.

The ingress-ca CA certificate has a duration of 10 years and also requires manual steps to renew it before expiry.

Intra-subsystem certificates are renewed automatically.

If you have a two data center disaster recovery deployment, then when you renew certificates in one data center, you must copy the renewed certificates to the other data center. See Extracting and copying certificates.

Identifying expired certificates

To identify expired certificates, run:
apicup certs list <subsystem>
Any certificates that are expired or near to expiry are indicated in the Validation errors column.

Follow the step in Renewing certificates to renew expired or nearly expired certificates.

Renewing certificates

Use the apicup command to renew certificates.
Warning: Use these steps to renew only end-entity ingress certificates as defined here: ingress certificates. If you want to renew the ingress-ca certificate, then see Renewing ingress-ca.
  1. Clear the existing certificate with the apicup certs clear command:
    apicup certs set --clear <subsystem> <certificate name>
    Repeat for all ingress certificates that you want to renew.
  2. Generate new certificates for all the certificates that you cleared in step 1:
    apicup certs generate <subsystem>
    You do not need to specify the certificates with the apicup certs generate, the command identifies all empty (cleared) certificates in the subsystem and generates new ones.
  3. Apply the updated certificates to the subsystem:
    apicup subsys install <subsystem>

Renewing ingress-ca

Use the apicup command to renew ingress-ca, and then renew all the end-entity certificates the are signed by ingress-ca.
  1. Clear the ingress-ca certificate:
    apicup certs set --clear <management subsystem> ingress-ca

    Although this command specifies <management subsystem>, because ingress-ca is a common certificate, it is cleared for all subsystems. You do not need to repeat this command for every portal or analytics subsystem that is managed from the same project directory.

  2. Generate a new ingress-ca:
    apicup certs generate <subsystem>
    The generate command creates certificates for all previously cleared certificates, you do not need to specify ingress-ca in this command.
  3. Clear all the ingress end-entity certificates that are signed by ingress-ca:
    apicup certs set --clear <subsystem> <certificate name>
    For a list of the ingress certificates, see Ingress certificates.
  4. Generate new ingress end-entity certificates for each subsystem:
    apicup certs generate <subsystem>
  5. Apply the updated certificates to all subsystems:
    apicup subsys install <subsystem>