Customizing user-facing certificates
Convert a user-facing certificate that was generated by cert-manager to a custom certificate for an existing IBM® API Connect deployment.
The API Connect user-facing certificates are the server certificates that are presented to users of API Connect's external interfaces.
The server certificates are:
- The certificate the user's browser receives when it makes a connection to the:
  - Cloud Manager UI.
  - API Manager UI.
  - Developer portal sites.
- The certificate that is presented to callers of the API Connect platform and consumer REST APIs. The toolkit CLI uses the same REST APIs, and so is presented with the same certificates.
- The API invocation certificate. The certificate presented to callers of your published APIs. This certificate can be different on each gateway.
Remember: As per the DNS specification, wildcard certificates apply only to one level of subdomain and not more than that. For example, a certificate for *.example.com is not valid for foo.bar.example.com. See the full list of user-facing certificates in User-facing certificates.
Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
To replace the certificates for your management and portal UIs and for your management REST API endpoints, follow these steps:
1. Create the secrets that you want to use for each user-facing endpoint with the kubectl create secret command.
2. Edit the subsystem CR, and make the following changes for the endpoint secret you want to change:
   - In the annotations section, remove the following line: cert-manager.io/issuer: ingress-issuer
   - In the hosts section, update the secretName to the new secret that you created in step 1.
   The following example shows where to make the updates:
   spec:
     <endpoint>:
       annotations:
         cert-manager.io/issuer: ingress-issuer    REMOVE THIS LINE
       hosts:
         - name: <api endpoint hostname>
           secretName: REPLACE WITH YOUR SECRET
Note: By default, the secret name is identical to the cert-name. Do not create replacement custom secrets with the same name as the default secrets.
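As an added example (not IBM's own tooling or part of this page), the following Python performs the step 2 edits on a subsystem CR that has been loaded as a dict and emits the equivalent `kubectl patch` merge patch; it also refuses a replacement secret that reuses the default secret name, as the note above requires. The endpoint key, hostname and secret names are constructed placeholders.

```python
"""Detach cert-manager from one user-facing endpoint of an API Connect
subsystem CR and point it at a custom secret.

Assumptions, not from the page: the CR is handled as a dict, as it is after
`kubectl get <kind> <name> -o json`; all names below are constructed."""
import copy
import json

ISSUER_ANNOTATION = "cert-manager.io/issuer"


def customize_endpoint(cr: dict, endpoint: str, new_secret: str) -> dict:
    """Return a copy of cr with the endpoint's issuer annotation removed and
    every host's secretName set to new_secret."""
    section = cr["spec"][endpoint]
    defaults = {h["secretName"] for h in section["hosts"]}
    # The note above: a replacement secret must not reuse the default name.
    if new_secret in defaults:
        raise ValueError(f"{new_secret!r} is the default (cert-manager) secret name")
    updated = copy.deepcopy(cr)
    target = updated["spec"][endpoint]
    # Remove `cert-manager.io/issuer: ingress-issuer`; tolerate its absence,
    # since the endpoint may already have been customized.
    target.get("annotations", {}).pop(ISSUER_ANNOTATION, None)
    # Point secretName at the secret created with `kubectl create secret`.
    for host in target["hosts"]:
        host["secretName"] = new_secret
    return updated


def merge_patch(cr: dict, endpoint: str, new_secret: str) -> str:
    """JSON merge patch for `kubectl patch <kind> <name> --type=merge -p`.
    null deletes the annotation; the hosts list is sent whole because a merge
    patch replaces lists instead of merging their items."""
    hosts = customize_endpoint(cr, endpoint, new_secret)["spec"][endpoint]["hosts"]
    return json.dumps({"spec": {endpoint: {
        "annotations": {ISSUER_ANNOTATION: None}, "hosts": hosts}}}, sort_keys=True)


# Constructed sample CR fragment laid out like the page's example.
SAMPLE_CR = {"spec": {"apiManagerEndpoint": {
    "annotations": {ISSUER_ANNOTATION: "ingress-issuer"},
    "hosts": [{"name": "api-manager.example.com", "secretName": "api-manager-endpoint"}],
}}}

if __name__ == "__main__":
    print(merge_patch(SAMPLE_CR, "apiManagerEndpoint", "my-api-manager-tls"))
```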