Custom certificates reference

API Connect supports custom certificates for each subsystem, and for internal communications.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
Table 1. Certificates for the Management subsystem:

| Certificate | Type | Notes |
|---|---|---|
| analytics-ingestion-client | Common Subsystem Communication | Must be signed by the same CA as the analytics-ai-endpoint certificate of the Analytics subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers' subject name could be CN=a7s-ingestion-client, or they could both be CN=a7s-ingestion-client, O=cert-manager, but they must be identical. |
| portal-admin-client | Common Subsystem Communication | Must be signed by the same CA as the portal-admin certificate of the Portal subsystem. For a two data center deployment, both data centers must have an identical subject name. For example, both data centers' subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical. |
| gateway-client-client | Common Subsystem Communication | Must be signed by the same CA as gwv5-management-endpoint and/or gwv6-management-endpoint of the Gateway subsystem. |
| cm-endpoint | External Frontend/Ingress | |
| apim-endpoint | External Frontend/Ingress | |
| api-endpoint | External Frontend/Ingress | |
| consumer-endpoint | External Frontend/Ingress | |
| hub-endpoint | External Frontend/Ingress | |
| turnstile-endpoint | External Frontend/Ingress | |
Note: To generate the certificates for the endpoints used by the Automated testing behavior endpoints (hub-endpoint and turnstile-endpoint), add the following statements to the custom-certs-external.yaml:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: hub-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "hub-endpoint"
  }
spec:
  commonName: hub-endpoint
  secretName: hub-endpoint
  dnsNames:
  - hub.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: turnstile-endpoint
  labels: {
    app.kubernetes.io/instance: "management",
    app.kubernetes.io/managed-by: "ibm-apiconnect",
    app.kubernetes.io/name: "turnstile-endpoint"
  }
spec:
  commonName: turnstile-endpoint
  secretName: turnstile-endpoint
  dnsNames:
  - turnstile.example.com
  issuerRef:
    name: ingress-issuer
  usages:
  - "server auth"
  - "signing"
  - "key encipherment"
  duration: 17520h # 2 years
  renewBefore: 720h # 30 days
  privateKey:
    rotationPolicy: Always
Table 2. Certificates for the Analytics subsystem:

| Certificate | Type | Notes |
|---|---|---|
| analytics-ai-endpoint | External Frontend/Ingress | Must be signed by the same CA as the analytics-ingestion-client certificate of the Management subsystem. |
Table 3. Certificates for the Gateway subsystem:

| Certificate | Type | Notes |
|---|---|---|
| gwv5-endpoint | External Frontend/Ingress | |
| gwv5-management-endpoint | External Frontend/Ingress | Must be signed by the same CA as the gateway-client-client certificate of the Management subsystem. |
| gwv6-endpoint | External Frontend/Ingress | |
| gwv6-management-endpoint | External Frontend/Ingress | Must be signed by the same CA as the gateway-client-client certificate of the Management subsystem. |
Table 4. Certificates for the Portal subsystem:

| Certificate | Type | Notes |
|---|---|---|
| portal-admin | External Frontend/Ingress | Must be signed by the same CA as the portal-admin-client certificate of the Management subsystem. |
| portal-web | External Frontend/Ingress | |
Table 5. Internal certificates:

| Certificate | Type (CA/Server/Client) | Subsystem | Notes |
|---|---|---|---|
| caCertificate | CA | Management, Analytics, Portal | |
| clientCertificate | Client | Management, Analytics, Portal | |
| serverCertificate | Server | Management, Analytics, Portal | Portal DNS names required (listed below the table) |
| dbServerCertificate | Server | Management | |
| pgBouncerServerCertificate | Server | Management | |
| PGOTLSCertificate | Server | Management | |
| NATSTLSCertificate | Server | Management | |
| dbClientPostgres | Client | Management | |
| dbClientReplicator | Client | Management | |
| dbClientPgbouncer | Client | Management | |
| dbClientApicuser | Client | Management | |
| dbClientPrimaryuser | Client | Management | |

Portal DNS names required on the serverCertificate:

*.<namespace>
*.<namespace>.svc
*.<instance name>-server.<namespace>.svc
<instance name>-server
*.<instance name>-<site name>-db-all.<namespace>.svc
*.<instance name>-<site name>-www-all.<namespace>.svc
*.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
*.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
*.<namespace>.svc.cluster.local
<instance name>-db

Several certificates noted above are required to be signed by the same CA as another certificate, for example portal-admin-client and portal-admin. This means that if the portal-admin-client certificate is customized, the portal-admin certificate must also be customized, and signed by the same CA as portal-admin-client. To ensure that pairs of certificates like these are signed by the same CA, the Issuer referenced by each certificate of the pair must be the same.
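The pairing rules in the tables above, the identical-subject rule for two data center deployments, and the Portal DNS name list are easy to get wrong when the manifests are hand-written. The following checker is an added example, not IBM's code or part of API Connect; it encodes only the rules stated on this page and runs them against cert-manager Certificate manifests held as Python dicts. The `cert()` helper and the sample data centers `DC1` and `DC2` are constructed for illustration, and the namespace, instance and site names passed to the DNS check are assumed values.

```python
"""Consistency checks for API Connect custom-certificate manifests (added example).

Rules encoded, all taken from the certificate tables on this page:
  * a certificate marked "must be signed by the same CA" as another one must be
    customized together with it and reference the same issuer;
  * in a two data center deployment the Management client certificates must carry
    an identical subject in both data centers;
  * the Portal serverCertificate must list the required internal DNS names.
"""

# Management client certificate -> peer certificates that the same CA must sign.
# The gateway client pairs with the v5 and/or the v6 management endpoint.
SAME_CA_GROUPS = {
    "analytics-ingestion-client": ("analytics-ai-endpoint",),
    "portal-admin-client": ("portal-admin",),
    "gateway-client-client": ("gwv5-management-endpoint", "gwv6-management-endpoint"),
}


def issuer_of(manifest):
    """(kind, name) of spec.issuerRef; cert-manager defaults kind to Issuer."""
    ref = manifest["spec"]["issuerRef"]
    return (ref.get("kind", "Issuer"), ref["name"])


def subject_of(manifest):
    """Comparable subject: commonName plus any organizations (O=...)."""
    spec = manifest["spec"]
    return (spec.get("commonName"), tuple(spec.get("subject", {}).get("organizations", [])))


def check_same_ca(manifests):
    """manifests: dict name -> customized Certificate. Returns problem strings."""
    problems = []
    for client, peers in SAME_CA_GROUPS.items():
        present = [p for p in peers if p in manifests]
        if client in manifests and not present:
            problems.append(f"{client} customized without {' or '.join(peers)}")
        if present and client not in manifests:
            problems.append(f"{', '.join(present)} customized without {client}")
        if client in manifests:
            for p in present:
                if issuer_of(manifests[p]) != issuer_of(manifests[client]):
                    problems.append(f"{client} and {p} reference different issuers")
    return problems


def check_two_dc_subjects(dc1, dc2):
    """Names of client certificates whose subject differs between the data centers."""
    return [n for n in SAME_CA_GROUPS
            if n in dc1 and n in dc2 and subject_of(dc1[n]) != subject_of(dc2[n])]


def portal_server_dns_names(namespace, instance, site):
    """The DNS names this page requires on the Portal serverCertificate."""
    ns, i = namespace, instance
    return [f"*.{ns}", f"*.{ns}.svc", f"*.{i}-server.{ns}.svc", f"{i}-server",
            f"*.{i}-{site}-db-all.{ns}.svc", f"*.{i}-{site}-www-all.{ns}.svc",
            f"*.{i}-{site}-db-all.{ns}.svc.cluster.local",
            f"*.{i}-{site}-www-all.{ns}.svc.cluster.local",
            f"*.{ns}.svc.cluster.local", f"{i}-db"]


def missing_portal_dns_names(manifest, namespace, instance, site):
    """Required names absent from spec.dnsNames of the given serverCertificate."""
    have = set(manifest["spec"].get("dnsNames", []))
    return [n for n in portal_server_dns_names(namespace, instance, site) if n not in have]


def cert(name, issuer, common_name, orgs=(), dns_names=()):
    """Build a minimal cert-manager Certificate manifest (constructed sample)."""
    spec = {"commonName": common_name, "secretName": name,
            "issuerRef": {"name": issuer}, "dnsNames": list(dns_names)}
    if orgs:
        spec["subject"] = {"organizations": list(orgs)}
    return {"apiVersion": "cert-manager.io/v1alpha2", "kind": "Certificate",
            "metadata": {"name": name}, "spec": spec}


# Constructed samples: DC1 is consistent; DC2 breaks the rules in two ways
# (portal-admin uses another issuer, analytics-ai-endpoint has no client peer).
DC1 = {"portal-admin-client": cert("portal-admin-client", "ingress-issuer", "portal-admin-client"),
       "portal-admin": cert("portal-admin", "ingress-issuer", "portal-admin")}
DC2 = {"portal-admin-client": cert("portal-admin-client", "ingress-issuer",
                                   "ptl-adm-client", orgs=("cert-manager",)),
       "portal-admin": cert("portal-admin", "other-issuer", "portal-admin"),
       "analytics-ai-endpoint": cert("analytics-ai-endpoint", "ingress-issuer", "analytics-ai-endpoint")}

if __name__ == "__main__":
    print(check_same_ca(DC1), check_same_ca(DC2), sep="\n")
    print(check_two_dc_subjects(DC1, DC2))
    portal_server = cert("serverCertificate", "internal-ca", "server")  # namespace etc. assumed
    print(missing_portal_dns_names(portal_server, "apic", "portal", "site1"))
```

The checks operate on the Certificate resources rather than on issued X.509 material, because that is where the page's rules live: a shared CA is expressed as a shared issuerRef, and the two data center rule is expressed in commonName plus subject. Run it before applying custom-certs-external.yaml so a mismatched issuer or a differing subject is caught before cert-manager issues anything.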