Converting to custom front-end/ingress certificates after deployment

Convert a front-end certificate generated by cert-manager to a custom certificate for an existing IBM® API Connect deployment.

About this task

If you deploy IBM API Connect using certificates that were generated by cert-manager, you can later convert front-end (ingress) certificates to use custom certificates instead. For a list of the certificates that are generated and managed by cert-manager, see Custom certificates reference.

Restriction: This task applies only to front-end certificates and is not supported for the "Common Subsystem Communication" and "Internal" type certificates.


  1. Create the secrets you want to use with the kubectl create secret command.
  2. Edit the subsystem CR, and make the following changes for the endpoint secret you want to change:
    • In the annotations section, remove the following line: ingress-issuer
    • In the hosts section, update the secretName to the new secret that you created in step 1.

    The following example shows where the updates should be made:

          ingress-issuer    <-- REMOVE THIS LINE
        - name: <api endpoint hostname>
          secretName:       <-- CHANGE THIS TO THE NEW SECRET
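
An added example, not part of the IBM documentation: a pre-flight check to run before step 1 that confirms the certificate is unexpired, covers the endpoint hostname, and matches the private key, followed by creation of the secret. It assumes a TLS-type secret; the function names, secret name, namespace and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not IBM's code): validate a custom front-end certificate
# before storing it in the secret that the subsystem CR will reference.

# check_tls_pair CERT KEY HOSTNAME
# Returns 0 only if the leaf certificate (the first one in CERT) is unexpired,
# covers HOSTNAME, and carries the same public key as KEY.
check_tls_pair() {
    cert=$1 key=$2 host=$3

    # Expiry: -checkend 0 exits non-zero when the certificate has expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate expired or unreadable: $cert" >&2; return 1; }

    # Hostname: -checkhost reports its result as text, so match on the text.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate" || {
        echo "certificate does not cover $host" >&2; return 1; }

    # Key pair: the certificate's public key must equal the one derived from KEY.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 1; }
}

# create_endpoint_secret NAME NAMESPACE CERT KEY HOSTNAME
# Creates the secret only when the checks above pass (TLS secret type assumed).
create_endpoint_secret() {
    check_tls_pair "$3" "$4" "$5" || return 1
    kubectl create secret tls "$1" --namespace "$2" --cert="$3" --key="$4"
}

# Usage (all values are placeholders):
#   create_endpoint_secret custom-api-endpoint apic tls.crt tls.key api.example.com
```

The name passed as the first argument is the value to put in secretName in step 2.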