Converting to custom certificates for external endpoints

Convert the default certificate for an External Frontend/Ingress endpoint to a custom certificate in an existing IBM® API Connect deployment.

About this task

If you deployed IBM API Connect using the default certificates that were generated by Kubernetes cert-manager, you can later configure the external endpoints to use custom certificates instead.

Restriction: You can only convert to using custom certificates for External Frontend/Ingress (endpoint) certificates, and not for internal (CA, Client, Server) or Common Subsystem Communication certificates.

For a list of the certificates that are generated and managed by cert-manager, see Custom certificates reference. Only the certificates that are described as "External Frontend/Ingress" in the "Type" column can be replaced with custom certificates.


  1. Create the secrets you want to use with the kubectl create secret command.
  2. Edit the subsystem CR, and make the following changes for the endpoint secret you want to change:
    • In the annotations section, remove the following line: ingress-issuer
    • In the hosts section, update the secretName to the new secret that you created in step 1.

    The following example shows where the updates should be made:

 ingress-issuer  REMOVE THIS LINE 
        - name: <api endpoint hostname>
          secretName:  CHANGE THIS TO THE NEW SECRET