Extracting and copying certificates

How to extract certificate contents and apply them to API Connect subsystems in other environments.

If you have a two data center disaster recovery deployment, or have API Connect subsystems in different data centers that are managed by different project directories, then it is necessary to manually synchronize the TLS certificates between the environments.

Synchronizing the ingress-ca certificate

To export the ingress-ca certificate from your target environment, follow these steps:
  1. Extract the ingress-ca public certificate to a file called ingress-ca-cert.pem:
    apicup certs get <subsystem> ingress-ca > ingress-ca-cert.pem
  2. Extract the ingress-ca private key to a file called ingress-ca-key.pem:
    apicup certs get <subsystem> ingress-ca -t key > ingress-ca-key.pem
  3. Extract the ingress-ca CA to a file called ingress-ca-CA.pem:
    apicup certs get <subsystem> ingress-ca -t ca > ingress-ca-CA.pem
Note: The ingress-ca certificate is the same for all subsystems that are managed from the same project directory, so you can specify any subsystem in the apicup certs get command.
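
The export steps above leave a CA private key in a plain file. The following script is an added example, not part of the original page or of IBM's tooling. It checks the three exported files before they are copied to another environment: key file permissions, that the key matches the certificate, remaining validity, and the chain to the CA file. It assumes openssl is installed and that the file from -t ca is the issuer of the ingress-ca certificate; the function names are chosen here for illustration.

```shell
#!/bin/sh
# Added example (not IBM's tooling): check exported ingress-ca files before
# running `apicup certs set`. Needs only openssl; file names follow the steps above.

fail() { echo "FAIL: $*" >&2; return 1; }

check_ingress_ca() {  # $1 = certificate, $2 = private key, $3 = CA file
    cert=$1 key=$2 ca=$3
    # The exported private key must not be accessible to group or others.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        fail "$key is group/world accessible (chmod 600)" || return 1
    # Certificate and key must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        fail "cannot parse certificate $cert" || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        fail "cannot parse private key $key" || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        fail "$key does not belong to $cert" || return 1
    # The certificate must still be valid 24 hours from now.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
        fail "$cert is expired or expires within 24h" || return 1
    # Assumption: the file from `-t ca` is the issuer of the ingress-ca certificate.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        fail "$cert does not chain to $ca" || return 1
    echo "OK: $cert, $key and $ca are consistent"
}

# Constructed sample input: a throwaway self-signed CA standing in for real exports.
make_constructed_ca() {  # $1 = output directory
    ( umask 077   # create the key file owner-only, as real exports should be
      openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=constructed-ingress-ca" \
          -keyout "$1/ingress-ca-key.pem" -out "$1/ingress-ca-cert.pem" 2>/dev/null &&
      cp "$1/ingress-ca-cert.pem" "$1/ingress-ca-CA.pem" )
}

# Run as: sh check.sh ingress-ca-cert.pem ingress-ca-key.pem ingress-ca-CA.pem
if [ "$#" -eq 3 ]; then check_ingress_ca "$@"; fi
```

Running the apicup certs get commands under umask 077 creates the exported files owner-only, which satisfies the first check.
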
To apply the exported ingress-ca certificate to another environment, follow these steps:
  1. Apply the exported certificate files to the ingress-ca:
    apicup certs set <subsystem> ingress-ca ingress-ca-cert.pem ingress-ca-key.pem ingress-ca-CA.pem
    Note: The ingress-ca certificate is the same for all subsystems that are managed from the same project directory, so you can specify any subsystem in the apicup certs set command.
  2. Clear all the ingress end-entity certificates that are signed by ingress-ca:
    apicup certs set --clear <subsystem> <certificate name>
    For a list of the ingress certificates, see Ingress certificates.
  3. Generate new ingress end-entity certificates for each subsystem:
    apicup certs generate <subsystem>
  4. Apply the updated certificates to all subsystems:
    apicup subsystem install <subsystem>