List of intra-subsystem certificates
A summary of certificates used for communications within subsystems in an API Connect deployment.
APIConnectCluster instance name. For example, the certificate management-ca is called <apic instance name>-mgmt-ca.
Table 1 presents a list of certificates used for communications between pods in the same subsystem. The certificates are managed by cert-manager. For details of all the API Connect certificates, see API Connect certificates.
Certificate name | Issuer | Description |
---|---|---|
management-ca or mgmt-ca | selfsigning-issuer | The issuer for the management subsystem's intra-subsystem certificates: management-client, management-server, postgres, and nats certificates. Communication between management subsystem pods fails if there is a problem with this certificate. This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems, when using |
management-client or mgmt-client | management-ca | Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
management-server or mgmt-server | management-ca | Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. Required DNS names in the certificate: |
db-client-apicuser | management-ca | Intra-subsystem certificate for the management database subsystem. |
db-client-pgbouncer | management-ca | Intra-subsystem certificate for the management database subsystem. |
db-client-postgres | management-ca | Intra-subsystem certificate for the management database subsystem. |
db-client-primaryuser | management-ca | Intra-subsystem certificate for the management database subsystem. |
postgres | management-ca | Intra-subsystem certificate for the management database subsystem. |
postgres-pgbouncer | management-ca | Intra-subsystem certificate for the management database subsystem. |
postgres-operator | management-ca | Intra-subsystem certificate for the management database subsystem. |
natscluster-mgmt | management-ca | Intra-subsystem certificate for the nats pods. |
db-client-replicator | management-ca | 2DCDR deployments only. Client certificate used by the <management_CR>-tunnel pod to connect to the other data center's <management_CR>-tunnel pod. |
analytics-ca or a7s-ca | selfsigning-issuer | The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate. If this certificate is updated, restart the |
analytics-client or a7s-client | analytics-ca | Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate. If this certificate is updated, restart the |
analytics-server or a7s-server | analytics-ca | Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate. Required DNS names in the certificate: If this certificate is updated, restart the |
portal-ca or ptl-ca | selfsigning-issuer | The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic. |
portal-client or ptl-client | portal-ca | Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic. |
portal-server or ptl-server | portal-ca | Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names in the certificate: <instance name> and <remote portal CR name> are truncated if more than 15 characters. V10.0.5.3 and previous releases: If this certificate is updated, then all portal pods must be manually restarted. In later releases, the restart is automatic. |