TLS certificates organized by usage
Certificates tables organized by where they are used.
Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint . This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
For a two data center disaster recovery
deployment, both data centers must have an identical subject name. For example, both data centers
subject name could be To
update this certificate, use kubectl. Restart the This certificate is loaded by the management subsystem into the
|
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint, in the If this certificate is updated, restart the |
Certificate name | Issuer | Description |
---|---|---|
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
consumer-catalog |
ingress-issuer |
Consumer catalog endpoint server certificate. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint . If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
Certificate name | Issuer | Description |
---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem In 2DCDR deployments, and when you have subsystems in different namespaces, it is necessary to manually copy the ingress-ca certificate from the management subsystem to the other subsystems. Steps are provided in the 2DCDR and multi-namespace install sections of this documentation. If this certificate is updated, and you have a portal
deployed, then restart the |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
For a two data center disaster recovery
deployment, both data centers must have an identical subject name. For example, both data centers
subject name could be To
update this certificate, use kubectl. Restart the This certificate is loaded by the management subsystem into the
|
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint . This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
mgmt-replication-client |
ingress-issuer |
2DCDR deployments
only. Client certificate used in the warm-standby data center's
<remote-sitename>-postgres pod to connect to the active data
center. |
mgmt-replication-server |
ingress-issuer |
2DCDR deployments
only. Server certificate used in the active data center's <management_CR>-tunnel
pod.This certificate must contain the DNS Subject Alternative Name of this data center's hostname
and must be valid for the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint . If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
management-s3proxy-all |
ingress-issuer |
Inter-subsystem certificate for communication between management subsystem and s3proxy pods. Used for management database local and SFTP backups. |
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint, in the If this certificate is updated, restart the |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
ptl-replication-client |
ingress-issuer |
2DCDR deployments only.
Client certificate that is used in the warm-standby data center's
This certificate is used by all the portal pods related to 2DCDR replication:
|
ptl-replication-server |
ingress-issuer |
2DCDR deployments only.
Server certificate used in the active data center's This certificate must contain the DNS Subject Alternative Name of this data center's hostname and
must be valid for the This certificate is used by all the portal pods related to 2DCDR replication:
|
gateway-peering or gw-peer |
ingress-issuer |
This certificate secures the communication between gateways in your gateway cluster. If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering. |
gwv6-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
gateway-service or gw-svc |
ingress-issuer |
Legacy certificate that is not used. |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
event-gateway-management-client |
ingress-issuer |
The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments. |
Certificate name | Issuer | Description |
---|---|---|
management-ca or mgmt-ca |
selfsigning-issuer |
The issuer for the management subsystems intra-subsystem certificates:
management-client, management-server, postgres, and nats certificates. Communication between
management subsystem pods fails if there is a problem with this certificate. This certificate is
also used as the CA for REST API calls to the management subsystem from the other subsystems, when
using |
management-client or mgmt-client |
management-ca |
Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
management-server or mgmt-server |
management-ca |
Server certificate used in communication between management subsystem
pods. Communication between management subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
|
db-client-apicuser |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
db-client-postgres |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
natscluster-mgmt |
management-ca |
Intra-subsystem certificate for the nats
pods. |
analytics-ca or a7s-ca |
selfsigning-issuer |
The issuer for the analytics-client and
analytics-server certificates. Communication between analytics subsystem pods fails
if there is a problem with this certificate.If you update this certificate, you must then update
the
analytics-client and analytics-server server certificates, and
then ensure that the following pods are restarted:
|
analytics-client or a7s-client |
analytics-ca |
Client certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. If this certificate is updated, then the |
analytics-server or a7s-server |
analytics-ca |
Server certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
If this certificate is updated, then the
|
portal-ca or ptl-ca |
selfsigning-issuer |
The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-client or ptl-client |
portal-ca |
Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-server or ptl-server |
portal-ca |
Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are:
<instance name>
and <remote portal CR name> are truncated if more than 15 characters.This certificate is used by all portal pods. |