VMware: Renewing external certificates with apicup

On VMware OVA/Appliance, the external public-facing and the cross-subsystem certificates are managed with the apicup utility.

About this task

When API Connect is deployed on VMware, the public-facing external certificates, as well as some internal cross-subsystem certificates, are managed with apicup but are stored as Kubernetes secrets. Complete the following steps to renew certificates that are managed with apicup and restart the affected pods.

Procedure

  1. Renew the certificates as explained in Replacing custom certificates.

    For information on setting up new certificates, see Setting custom certificates.

  2. Use Tables 1 and 2 to determine which certificates to renew and which pods to restart:

    Table 1 lists the secrets for external (ingress/front-end) certificates together with the pod that must be restarted when the secret changes.

    Table 1. External (ingress/front-end) secrets and affected pods

    Secret                        Pods
    analytics-client-ingress      analytics-mtls-gw
    analytics-ingestion-ingress   analytics-mtls-gw
    platform-api                  N/A
    api-manager-ui                N/A
    cloud-admin-ui                N/A
    consumer-api                  N/A
    hub                           N/A
    portal-admin-ingress          portal-nginx
    portal-www-ingress            N/A
    turnstile                     N/A

    Table 2 lists the secrets for internal (cross-subsystem) certificates together with the pods that must be restarted when the secret changes.

    Table 2. Internal (subsystem) secrets and affected pods

    Secret: analytics-client-client
    Pods:
      • management-analytics-proxy
      • management-apim
      • management-taskmanager
      • portal-www (via webhook, no restart needed)

    Secret: analytics-ingestion-client
    Pods:
      • management-apim
      • management-taskmanager
      • gateway (via webhook, no restart needed)

    Secret: portal-client
    Pods:
      • management-apim
      • management-taskmanager
      • management-portal-proxy

    Secret: site-dependent name, for example management-replication-ingress/dc2-mgmt-replication
    Pods:
      • management-tunnel

    Secret: site-dependent name, for example management-replication-client/dc2-mgmt-replication-client
    Pods:
      • management-remote-sitename-postgres (on passive site in 2DC-HA config)

    Secret: site-dependent name, for example portal-replication-ingress/dc2-ptl-replication
    Pods:
      • portal-tunnel

    Secret: site-dependent name, for example portal-replication-client/dc2-ptl-replication-client
    Pods:
      • portal-remote-sitename-db-X
      • portal-remote-sitename-www-X
  3. Restart the pods listed in the corresponding row for each certificate that you renewed.
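As an added example (not from the IBM documentation), the following POSIX shell helper encodes the fixed-name rows of Tables 1 and 2 and restarts the matching pods with kubectl after a secret has been renewed. The namespace argument and kubectl access from the appliance are assumptions; the site-dependent replication secrets are left out because their names vary per site, and pods that pick up the secret via webhook are not restarted.

```shell
#!/bin/sh
# Added example: map a renewed apicup-managed secret to the pods that Tables 1 and 2
# say must be restarted, then delete those pods so their controllers recreate them
# with the new certificate. Namespace and kubectl access are assumptions.

# Print the pod name prefixes to restart for a secret. Empty output means nothing
# to restart (Table 1 "N/A" rows); pods refreshed via webhook are not listed.
pods_for_secret() {
    case "$1" in
        analytics-client-ingress|analytics-ingestion-ingress)
            echo "analytics-mtls-gw" ;;
        portal-admin-ingress)
            echo "portal-nginx" ;;
        analytics-client-client)
            echo "management-analytics-proxy management-apim management-taskmanager" ;;
        analytics-ingestion-client)
            echo "management-apim management-taskmanager" ;;
        portal-client)
            echo "management-apim management-taskmanager management-portal-proxy" ;;
        platform-api|api-manager-ui|cloud-admin-ui|consumer-api|hub|portal-www-ingress|turnstile)
            echo "" ;;   # Table 1: N/A, no pod restart needed
        *)
            echo "unknown secret: $1 (site-dependent replication secrets are not mapped)" >&2
            return 1 ;;
    esac
}

# Delete every pod in namespace $1 whose name starts with one of the given prefixes.
restart_pods() {
    ns="$1"; shift
    for prefix in "$@"; do
        kubectl get pods -n "$ns" -o name | grep "^pod/${prefix}-" | while read -r pod; do
            echo "restarting $pod"
            kubectl delete -n "$ns" "$pod"
        done
    done
}

# Usage: ./restart-for-secret.sh <namespace> <secret> [<secret>...]
if [ "$#" -ge 2 ]; then
    ns="$1"; shift
    for secret in "$@"; do
        pods=$(pods_for_secret "$secret") || exit 1
        if [ -n "$pods" ]; then
            restart_pods "$ns" $pods   # word splitting of $pods is intended
        fi
    done
fi
```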