Replacing custom certificates
Use the APICUP installer certs commands to replace existing certificates.
About this task
- Customization of public certificates and public user-facing certificates is recommended. Customization of internal certificates is strongly discouraged.
- To view a list of public, public user-facing, and internal certificates, see Certificate management: Read This First. For details on each certificate, see Certificate reference.
The APICUP installer can be used to update certificates for each subsystem after installation.
- Requirements for custom certificates:
  - Extended Key Usage (EKU), either serverAuth or clientAuth depending upon the type of certificate. Certificates of type Server must have an Extended Key Usage with serverAuth purpose. Certificates of type Client must have an Extended Key Usage with clientAuth purpose.
  - Subject Alternative Name (SAN) for the required hosts
- Any custom common certificates that are being used must be set prior to setting any custom certificates for a subsystem.
See Certificate Reference to view the list of common certificates and to determine whether an EKU is needed for a certificate and which type of EKU (serverAuth or clientAuth).
- Certificates and identical endpoints:
  The Management subsystem has four public endpoints: api-manager-ui, cloud-admin-ui, platform-api, and consumer-api. Distinct TLS certificates can be set for each endpoint. However, if any two endpoints are identical, only one TLS certificate will be effective. When two or more endpoints are set to the same host, the secrets associated with the endpoints should be the same or contain the same certificate files.
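The EKU, SAN, and identical-endpoint rules above can be checked before any certificate is handed to the installer. The following shell functions are an added example, not IBM or APICUP code. They assume OpenSSL 1.1.1 or later and that the endpoint certificates are of type Server; the function names, host names, and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM/APICUP code): pre-flight checks for custom endpoint certs.
# Assumes OpenSSL 1.1.1+ ("x509 -ext", "req -addext").
# Usage (constructed names): check_endpoints < endpoints.txt
#   where each line is: ENDPOINT HOST CERTFILE

# has_eku CERT serverAuth|clientAuth: the EKU extension carries that purpose.
has_eku() {
  case "$2" in
    serverAuth) want='TLS Web Server Authentication' ;;
    clientAuth) want='TLS Web Client Authentication' ;;
    *) return 2 ;;
  esac
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "$want"
}

# san_covers CERT HOST: HOST matches a SAN dNSName. The first test rejects
# certificates that would only match through the subject CN fallback.
san_covers() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:' || return 1
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match certificate'
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# check_endpoints: prints one finding per problem; non-zero status if any.
check_endpoints() (
  rc=0; table=''
  while read -r ep host cert; do
    [ -n "$ep" ] || continue
    has_eku "$cert" serverAuth || { echo "$ep: EKU lacks serverAuth"; rc=1; }
    san_covers "$cert" "$host" || { echo "$ep: SAN does not cover $host"; rc=1; }
    table="$table$host $(fingerprint "$cert") $ep
"
  done
  # Endpoints set to the same host must present the same certificate.
  clash=$(printf '%s' "$table" | awk '($1 in fp) && fp[$1] != $2 {
      print $3 ": same host as " ep[$1] " but a different certificate" }
    { fp[$1] = $2; ep[$1] = $3 }')
  [ -z "$clash" ] || { echo "$clash"; rc=1; }
  exit "$rc"
)

# make_demo_cert OUT CN SAN EKU: constructed self-signed sample input, demo only.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=$3" -addext "extendedKeyUsage=$4" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}
```

A non-zero status from check_endpoints means at least one endpoint certificate would violate a requirement listed above, and the printed findings name the endpoint and the failed rule.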