Command reference

The APICUP installer includes the certs commands to set and manage certificates.

About this task

The APICUP installer can be used to set certificates for each subsystem during installation. If certificates are not explicitly set using the apicup certs set command, then default certificates are generated by APICUP. We recommend that certificates be set at installation time only (or carried over from an upgrade). The default certificates are self-signed, so they may not be optimal for external communication.

For a description of the certificates that can be set, see Certificate reference. We recommend that all public and user-facing certificates be explicitly set, including portal-www-ingress and api-gateway-ingress, and the four management endpoints (platform-api, consumer-api, api-manager-ui, and cloud-admin-ui). Following is the help reference for the apicup certs set command:

apicup certs set --help
Set or clear certificates and keys

Usage:
  apicup certs set SUBSYS CERT_NAME [CERT_FILE KEY_FILE CA_FILE] [KEY_FILE] [flags]

Flags:
      --clear   Clear out a certificate or key entry
  -h, --help    help for set

Global Flags:
      --accept-license   Accept the license for API Connect
      --debug            Enable debug logging

Procedure

To set and clear certificates, complete the following steps:

  1. Enter the apicup certs set command and complete the following values:
    Table 1. apicup certs set

    Command: apicup certs set SUBSYS CERT_NAME [CERT_FILE KEY_FILE CA_FILE] [flags]
    Values: Parameters are:
    • SUBSYS - name of the subsystem to which the certificate applies
    • CERT_NAME - name of the certificate; see Certificate reference for a list of certificates that can be set for each subsystem.
    • CERT_FILE - Path to the certificate file in PEM format.
    • KEY_FILE - Path to the private key file in PEM format.
    • CA_FILE - Path to the Certificate Authority (CA) file. The contents of the file may be the concatenation of an intermediate CA and the root CA (in that order). Note: When setting the root-ca certificate, omit the CA_FILE parameter.
    Result: Applies the certificate when the subsystem is installed.

    Command: apicup certs set SUBSYS CERT_NAME [KEY_FILE] [flags]
    Values: KEY_FILE - The file containing the encryption-secret for field level encryption in the management database. Applies only to the management subsystem. The certificate name is encryption-secret. The type is secure random bytes with a length of 128 bytes. For example, apicup certs set mgmt1 encryption-secret /path/to/encryption-secret.bin. Note: Do not specify any of the [CERT_FILE KEY_FILE CA_FILE] parameters when setting the encryption-secret.
    Result: Applies the encryption-secret when the management subsystem is installed.

    Command: flags (--clear, --help)
    Values: Flags are:
    • --clear - Clears the specified certificate. For example, apicup certs set mgmt1 encryption-secret --clear
    • --help - Displays help for the command.
    Result: The specified certificate will be cleared. When making configuration changes such as changing endpoints, the corresponding certificate must be cleared so that a new certificate can be set.
  2. The apicup certs get command retrieves a specific certificate for the specified subsystem.
    apicup certs get --help
    Get a certificate
    
    Usage:
      apicup certs get SUBSYS CERT_NAME [flags]
    
    Flags:
      -h, --help            help for get
      -o, --output string   output to file or - (stdout) (default "-")
      -t, --type string     type of object to return: cert, key, ca (default "cert")
    
    Global Flags:
          --accept-license   Accept the license for API Connect
          --debug            Enable debug logging
    
    Table 2. apicup certs get

    Command: apicup certs get SUBSYS CERT_NAME [flags]
    Values: Parameters are:
    • SUBSYS - name of the subsystem to which the certificate applies
    • CERT_NAME - name of the certificate to retrieve; see Certificate reference for a list of certificates
    Result: Returns the specified certificate for the specified subsystem.

    Command: flags (--output string, --type string, --help)
    Values: Flags are:
    • --output string - Specify a file for the retrieved values, or specify "-" to send to stdout. Default is "-" to send to stdout. For example, apicup certs get mgmt1 platform-api --output myCertsFile
    • --type string - Returns only the specified type. If not specified, the type is cert. For example, apicup certs get mgmt1 platform-api --type ca
    • --help - Displays help for the command.
    Result:
    • For --output: The specified certificate will be retrieved and sent to stdout or saved to the specified file.
    • For --type: Certificates will be retrieved that match the type specified.
  3. List all certificates that have been set for a subsystem using the apicup certs list command. You can list the certificates at any time to summarize the certificates that have been set.
    apicup certs list --help
    
    List all configured certificates
    
    Usage:
      apicup certs list SUBSYS [flags]
    
    Flags:
      -h, --help   help for list
    
    Global Flags:
          --accept-license   Accept the license for API Connect
          --debug            Enable debug logging
    
    Table 3. apicup certs list

    Command: apicup certs list SUBSYS [flags]
    Values: Parameters are:
    • SUBSYS - name of the subsystem for which you want to list certificates
    Result: Returns a list of certificates that are configured for the subsystem.

    Command: flags (--help)
    Values: Flags are:
    • --help - Displays help for the command.
    Result: Help text is displayed.

    Following is example output from the apicup certs list command:
    
    Common certificates
    ===================
    
    Name                        Summary                                                          Validation errors
    ----                        -------                                                          -----------------
    analytics-client-client     CN: analytics-client-client                                      
                                SubjectKeyId: D9:DE:C8:6A:E9:E1:3E:30:48:71:E0:63:E3:09:51:AA    
                                AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    analytics-ingestion-client  CN: analytics-ingestion-client                                   
                                SubjectKeyId: 27:60:BF:DF:6C:34:29:FE:8E:83:21:1B:C0:14:B2:9E    
                                AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    ingress-ca                  CN: ingress-ca                                                   
                                SubjectKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E    
                                AuthorityKeyId: 5E:6D:5C:6E:2C:BE:50:F3:4E:EE:FD:02:76:86:6C:5A  
    portal-client               CN: portal-client                                                
                                SubjectKeyId: 08:A8:57:A5:99:BC:79:FA:14:59:A4:98:6D:F7:43:C4    
                                AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    root-ca                     CN: root-ca                                                      
                                SubjectKeyId: 5E:6D:5C:6E:2C:BE:50:F3:4E:EE:FD:02:76:86:6C:5A    
                                AuthorityKeyId:                                                  
                                                                                                 
    Subsystem mgmt certificates
    ===========================
    
    Name               Summary                                                          Validation errors
    ----               -------                                                          -----------------
    api-manager-ui     CN: api-manager-ui                                               
                       SubjectKeyId: A3:C1:A1:4F:21:23:21:2F:1F:D7:87:30:E1:1E:33:A3    
                       AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    appliance-client   CN: appliance-client                                             
                       SubjectKeyId: 5C:FB:0F:5D:B8:BF:6F:89:CB:25:DD:54:31:A7:B4:63    
                       AuthorityKeyId: 60:D9:B2:37:0B:17:FB:CD:FC:49:29:32:F6:A6:49:7C  
    cloud-admin-ui     CN: cloud-admin-ui                                               
                       SubjectKeyId: E7:E2:D6:35:95:6B:D4:3B:F7:F7:9F:5F:DD:B8:02:E9    
                       AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    consumer-api       CN: consumer-api                                                 
                       SubjectKeyId: 2A:80:EB:A6:31:9E:A5:C6:41:D9:1F:69:D1:9E:31:75    
                       AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
    encryption-secret  2D:F9:61:0C:45:CB:6E:90:85:E0:0E:D3:DF:CC:B4:47                  
    k8s-ca             CN: k8s-ca                                                       
                       SubjectKeyId: 60:D9:B2:37:0B:17:FB:CD:FC:49:29:32:F6:A6:49:7C    
                       AuthorityKeyId:                                                  
    platform-api       CN: platform-api                                                 
                       SubjectKeyId: 6D:E7:60:21:81:7E:F6:40:A4:9A:2F:88:35:D1:18:04    
                       AuthorityKeyId: 0B:37:61:5F:81:B3:67:5B:E0:F1:05:A6:6E:08:D5:8E  
                                                                                        
    
  4. The apicup certs generate command generates and sets default certificates. It generates and sets a certificate only if that certificate is not already set, so it fills in only the default certificates that were not explicitly set using the set command. Run the generate command before running the apicup subsys install <SUBSYS> command so that you can validate all certificates and confirm that they are correct before performing the installation; this helps to avoid validation errors during the installation procedure. The generate command is a tool to assist you when you use a combination of default and custom certificates: you can set specific certificates up front (using set) and then generate the missing ones with default certificates, or you can generate all certificates up front and then override specific certificates with custom certificates. Note that you must configure the subsystems and pass the --validate option before generating the default certificates.
    apicup certs generate --help
    Generate all unset certificates
    
    Usage:
      apicup certs generate SUBSYS [flags]
    
    Flags:
      -h, --help   help for generate
    Global Flags:
          --accept-license   Accept the license for API Connect
          --debug            Enable debug logging
    
    Table 4. apicup certs generate

    Command: apicup certs generate SUBSYS [flags]
    Values: Parameters are:
    • SUBSYS - name of the subsystem for which you want to generate certificates
    Result: Generates certificates that have not been set for the subsystem. Generates self-signed certificates.

    Command: flags (--help)
    Values: Flags are:
    • --help - Displays help for the command.
    Result: Help text is displayed.
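
For step 3, an added example that is not part of the IBM documentation or of APICUP: it parses text in the layout of the apicup certs list output, names each certificate's issuer by matching AuthorityKeyId to SubjectKeyId, and lists the user-facing certificates that chain to ingress-ca so they can be reviewed against the recommendation to set them explicitly. The sample text and key IDs are constructed, the function names are hypothetical, and treating an ingress-ca issuer as a hint of an installer default is an assumption.

```python
import re
# Constructed sample in the layout of `apicup certs list` output; the key IDs are made up.
SAMPLE = """\
Common certificates
===================
Name        Summary                  Validation errors
----        -------                  -----------------
ingress-ca  CN: ingress-ca
            SubjectKeyId: AA:01
            AuthorityKeyId: AA:00
root-ca     CN: root-ca
            SubjectKeyId: AA:00
            AuthorityKeyId:
Subsystem mgmt certificates
===========================
api-manager-ui     CN: api-manager-ui
                   SubjectKeyId: BB:01
                   AuthorityKeyId: AA:01
encryption-secret  CC:01
platform-api       CN: platform-api
                   SubjectKeyId: BB:02
                   AuthorityKeyId: DD:09
"""
USER_FACING = {"portal-www-ingress", "api-gateway-ingress", "platform-api",
               "consumer-api", "api-manager-ui", "cloud-admin-ui"}  # named on this page
FIELD = re.compile(r"(SubjectKeyId|AuthorityKeyId):\s*(\S*)")

def parse_certs(text):
    """Return {name: {"ski": ..., "aki": ...}} for every row that has a CN."""
    certs, current = {}, None
    for line in text.splitlines():
        if line[:1].strip():  # text in column 0: a certificate row or a heading
            name, _, rest = line.partition(" ")
            current = certs.setdefault(name, {"ski": "", "aki": ""}) if "CN:" in rest else None
        elif current is not None and (m := FIELD.search(line)):
            current["ski" if m.group(1) == "SubjectKeyId" else "aki"] = m.group(2)
    return certs

def issuers(certs):
    """Name each certificate's issuer by matching AuthorityKeyId to SubjectKeyId."""
    by_ski = {c["ski"]: n for n, c in certs.items() if c["ski"]}
    return {n: by_ski.get(c["aki"], "(issuer not listed)") if c["aki"] else "(root)"
            for n, c in certs.items()}

def chained_to(text, ca_name="ingress-ca"):
    """User-facing certs issued by ca_name. Assumption: a hint of a default, not proof."""
    found = issuers(parse_certs(text))
    return sorted(n for n in USER_FACING.intersection(found) if found[n] == ca_name)
```

Run it over both the common section and a subsystem section together, as apicup certs list prints them, so that issuers in the common section can be resolved.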