CP4I: List of external certificates

A summary of certificates used for communications between subsystems and clients in an API Connect deployment with IBM Cloud Pak for Integration (CP4I).

Ingress (front-end) certificates

Table 1 presents a list of ingress certificates (issued by APIC_instance_name-ingress-issuer) with the corresponding secret and affected pods. In the table, the names of items use the variable APIC_instance_name, which should be replaced with the name of your deployed API Connect instance. Pods are listed for convenience; when you update certificates the pods are restarted automatically and do not require a manual restart.

Table 1. Ingress certificates, secrets, and affected pods
Issuer / CA certificate	Certificate	Secret	Pods
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-a7s-ac-endpoint`	`APIC_instance_name-a7s-ac-endpoint`	`APIC_instance_name-a7s-mtls-gw`
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-a7s-ai-endpoint`	`APIC_instance_name-a7s-ai-endpoint`	`APIC_instance_name-a7s-mtls-gw`
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-mgt-admin`	`APIC_instance_name-mgt-admin`	N/A
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-mgt-api-manager`	`APIC_instance_name-mgt-api-manager`	N/A
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-mgt-consumer-api`	`APIC_instance_name-mgt-consumer-api`	N/A
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-mgt-platform-api`	`APIC_instance_name-mgt-platform-api`	N/A
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-ptl-portal-director`	`APIC_instance_name-ptl-portal-director`	`APIC_instance_name-ptl-nginx`
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-ptl-web`	`APIC_instance_name-ptl-web`	N/A
`APIC_instance_name-ingress-issuer`	`hub-endpoint`	`hub-endpoint`	N/A
`APIC_instance_name-ingress-issuer`	`turnstile-endpoint`	`turnstile-endpoint`	N/A

Subsystem communication certificates

Table 2 lists all of the common subsystem communication certificates (issued by APIC_instance_name-ingress-issuer) , with the usage, corresponding secret, and affected pods. Pods are listed for convenience; when you update certificates the pods are restarted automatically and do not require a manual restart.

Table 2. Subsystem certificates, secrets, and affected pods
Issuer / CA certificate	Certificate	Usage	Secret	Pods
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-a7s-cl-client`	client	`APIC_instance_name-a7s-cl-client`	`APIC_instance_name-mgt-APIC_instance_name-a7s-proxy` `APIC_instance_name-mgt-apim` `-mgt-taskmanager` `APIC_instance_nameAPIC_instance_name-ptl-www` (via webhook, no restart needed)
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-a7s-ing-client`	client	`APIC_instance_name-a7s-ing-client`	`APIC_instance_name-mgt-apim` `APIC_instance_name-mgt-taskmanager` `APIC_instance_name-gw` (via webhook, no restart needed)
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-ptl-adm-client`	client	`APIC_instance_name-ptl-adm-client`	`APIC_instance_name-mgt-apim` `APIC_instance_name-mgt-taskmanager` `APIC_instance_name-mgt-APIC_instance_name-ptl-proxy` (via webhook, no restart needed)
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-gw-dr-client`	client	`APIC_instance_name-gw-dr-client`	`APIC_instance_name-mgt-apim` `APIC_instance_name-mgt-taskmanager`
`APIC_instance_name-ingress-issuer`	`APIC_instance_name-gw-peer`	client, server	`APIC_instance_name-gw-peer`	`APIC_instance_name-gw` (redis)