TLS profiles

In API Manager, TLS profiles are used to secure transmission of data through websites. TLS and SSL certificates guarantee that information you submit will not be stolen or tampered with. In this topic, you learn how to create a TLS profile in API Manager.

About this task

API Connect for IBM® Cloud supports the use of TLS and SSL certificates, but does not itself produce strong encryption keys or manage your encryption keys. Encryption keys should be created and managed according to your own procedures. For more information, see Updating a TLS profile and Generating a PKCS#12 file for a TLS profile.

Important: With IBM API Connect for IBM Cloud, you can use TLS profiles configured in the API Manager user interface to protect access to your back-end services, but you cannot use them to protect access on the front-end, such as connecting to the API Connect for IBM Cloud user interfaces or invoking API calls, because the front-end capability is controlled by the IBM Operations team on behalf of all customers. If you have a requirement to configure custom front-end TLS settings, please contact IBM by sending an email to

For instructions on how to configure the toolkit command-line tool to use TLS certificates when connecting to API Manager, see Configuring the command-line tool to use TLS certificates.


To create a TLS profile, complete the following steps:

  1. If you have not previously pinned the UI navigation pane then click the Navigate to icon The Navigate to icon.
    The API Manager UI navigation pane opens. To pin the UI navigation pane, click the Pin menu icon The Pin menu icon..
  2. In the navigation pane, select Admin and click TLS Profiles.
  3. In the TLS Profiles page, click Add.
  4. Enter values in the Display Name and Name fields and, optionally, a description.
    The Name field cannot contain special characters.
  5. Click Save to save your changes.
  6. In the Present Certificate section, click the Upload Certificate icon The Upload Certificate icon.
    The Upload Certificate window opens.
  7. Click Select File, then browse for the certificate file that you want to present for authentication.
    • API Connect for IBM Cloud supports only the P12 (PKCS12) format file for the present certificate.
    • Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
    • Your P12 file can contain a maximum of 10 intermediate certificates.
  8. In the Password text field, enter a password for the certificate.
    Note: The present certificate must be password protected.
  9. Click Upload. The certificate is uploaded.
    Note: Only one present certificate can be uploaded at any one time. If you repeat the upload operation, the previous present certificate is replaced.
  10. To validate the certificate, move the Request and validate the certificate against the supplied CAs in the truststore slider to the On position.
  11. Click Save to save your changes.
  12. In the Trust Store window section, click the Upload Certificate icon The Upload Certificate icon.
    The Upload Certificate window opens.
  13. Click Select File, then browse for the Trust Store certificate.
  14. If the trust store is password protected, enter the password In the Password text field.
    The trust store does not have to be password protected.
  15. Click Upload.
    The certificate is populated.
    • If the trust store certificate is expired, you must upload the entire certificate bundle to replace all current certificates.
    • API Connect for IBM Cloud supports only the P12 (PKCS12) and PEM certificate formats for the trust store.
  16. Optional: Repeat steps 12 to 15 to add further trust store certificates.
  17. Expand the Protocols section to display the SSL and TLS versions.
  18. Select the check boxes that correspond to the TLS or SSL versions that you require.
  19. To enable or disable SNI, expand the Client Feature section, then select Use SNI.

    Server Name Indication (SNI) is an extension to the TLS protocol. SNI is enabled by default, allowing clients to access multiple virtual domains on a single HTTPS server's IP address and port number. The TLS client injects the SNI extension with the desired host name in its initial handshake with the server. The server replies with the appropriate certificate to continue the interaction. Servers that do not support SNI often ignore this extension, but if you encounter compatibility issues, you can disable SNI.

  20. Click Save.
    The certificates are uploaded and the SSL or TLS versions are saved.
    Note: After being uploaded, private keys cannot be downloaded from API Connect for IBM Cloud.