Custom certificates reference

API Connect supports custom certificates for each subsystem, and for internal communications.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.

Table 1. Certificates for the Management subsystem:
Certificate	Type	Notes
`analytics-ingestion-client`	Common Subsystem Communication	Must be signed by the same CA as `analytics-ai-endpoint` Certificate of Analytics Subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers subject name could be `CN=a7s-ingestion-client`, or they could both be `CN=a7s-ingestion-client, O=cert-manager`, but they must be identical.
`portal-admin-client`	Common Subsystem Communication	Must be signed by the same CA as `portal-admin` Certificate of Portal Subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers subject name could be `CN=portal-admin-client`, or they could both be `CN=ptl-adm-client, O=cert-manager`, but they must be identical.
`gateway-client-client`	Common Subsystem Communication	Must be signed by the same CA as `gwv5-management-endpoint` and/or `gwv6-management-endpoint` of Gateway Subsystem
`cm-endpoint`	External Frontend/Ingress
`apim-endpoint`	External Frontend/Ingress
`api-endpoint`	External Frontend/Ingress
`consumer-endpoint`	External Frontend/Ingress
`hub-endpoint`	External Frontend/Ingress
`turnstile-endpoint`	External Frontend/Ingress

Note:

To generate the certificates for the endpoints used by the Automated testing behavior endpoints (hub-endpoint and turnstile-endpoint), add the following statements to the custom-certs-external.yaml:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: hub-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "hub-endpoint"
  }
spec:
  commonName: hub-endpoint 
  secretName: hub-endpoint 
  dnsNames:
  - hub.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: turnstile-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "turnstile-endpoint"
  }
spec:
  commonName: turnstile-endpoint 
  secretName: turnstile-endpoint 
  dnsNames:
  - turnstile.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always

Table 2. Certificates for Analytics Subsystem
Certificate	Type	Notes
`analytics-ai-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `analytics-ingestion-client` Certificate of Management Subsystem

Table 3. Certificates for Gateway Subsystem
Certificate	Type	Notes
`gwv5-endpoint`	External Frontend/Ingress
`gwv5-management-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `gateway-client-client` Certificate of Management Subsystem
`gwv6-endpoint`	External Frontend/Ingress
`gwv6-management-endpoint`	External Frontend/Ingress	Must be signed by the same CA as `gateway-client-client` Certificate of Management Subsystem

Table 4. Certificates for Portal Subsystem
Certificate	Type	Notes
`portal-admin`	External Frontend/Ingress	Must be signed by the same CA as `portal-admin-client` Certificate of Management Subsystem
`portal-web`	External Frontend/Ingress

Table 5. Internal Certificates
Certificate	Type (CA/Server/Client)	Subsystem	Notes
`caCertificate`	CA	Management, Analytics, Portal
`clientCertificate`	Client	Management, Analytics, Portal
`serverCertificate`	Server	Management, Analytics, Portal	Portal DNS names required `.<namespace> .<namespace>.svc .<instance name>-server.<namespace>.svc <instance name>-server .<instance name>-<site name>-db-all.<namespace>.svc .<instance name>-<site name>-www-all.<namespace>.svc .<instance name>-<site name>-db-all.<namespace>.svc.cluster.local .<instance name>-<site name>-www-all.<namespace>.svc.cluster.local .<namespace>.svc.cluster.local <instance name>-db`
`dbServerCertificate`	Server	Management
`pgBouncerServerCertificate`	Server	Management
`PGOTLSCertificate`	Server	Management
`NATSTLSCertificate`	Server	Management
`dbClientPostgres`	Client	Management
`dbClientReplicator`	Client	Management
`dbClientPgbouncer`	Client	Management
`dbClientApicuser`	Client	Management
`dbClientPrimaryuser`	Client	Management

Several certificates as noted above are required to be signed by the same CA as another certificate. For example, portal-admin-client, and portal-admin. This means that if the portal-admin-client certificate were to be customized, then the portal-admin certificate must also be customized, and signed by the same CA as portal-admin-client. To ensure that pairs of certificates like these are signed by the same CA, the Issuer for each certificate must be the same.