Customizing user-facing certificates

Convert a user-facing certificate that was generated by cert-manager to a custom certificate for an existing IBM® API Connect deployment.

The API Connect user-facing certificates are the server certificates that are presented to users of API Connect's external interfaces.

The server certificates are:
  • The certificate the user's browser receives when it makes a connection to the:
    • Cloud Manager UI.
    • API Manager UI.
    • Developer portal sites.
  • The certificate that is presented to callers of the API Connect platform and consumer REST APIs. The toolkit CLI uses the same REST APIs, and so is presented with the same certificates.
  • The API invocation certificate: the certificate presented to callers of your published APIs. This certificate can be different on each gateway.
Remember: As per the DNS specification, wildcard certificates apply only to a single level of subdomain, not to deeper levels. For example, a certificate for *.example.com is valid for foo.example.com but not for foo.bar.example.com.

See the full list of user-facing certificates in User-facing certificates.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
To replace the certificates for your management and portal UIs and for your management REST API endpoints, follow these steps:
  1. Create the secrets that you want to use for each user-facing endpoint with the kubectl create secret command.
  2. Edit the subsystem CR, and make the following changes for the endpoint secret you want to change:
    • In the annotations section, remove the following line:
      cert-manager.io/issuer: ingress-issuer
    • In the hosts section, update the secretName to the new secret that you created in step 1.

    The following example shows where to make the updates:

    spec:
      <endpoint>:
        annotations:
          cert-manager.io/issuer: ingress-issuer   # REMOVE THIS LINE
        hosts:
        - name: <api endpoint hostname>
          secretName: <your new secret name>       # REPLACE WITH YOUR SECRET
Note: By default, the secret name is identical to the certificate name. Do not create replacement custom secrets with the same name as the default secrets; use a new name so that the cert-manager-generated secret is not overwritten.
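The CR edit in step 2, as an added example that is not IBM's code: it takes one endpoint block of a subsystem CR in the JSON form that `kubectl get ... -o json` returns, refuses a secret name that collides with the default, removes the cert-manager issuer annotation, and repoints every host at the new secret. It also checks the one-level wildcard rule from the Remember note. The endpoint key `apiManagerEndpoint`, the hostname and the secret names are constructed for the example.

```python
import json

ISSUER_ANNOTATION = "cert-manager.io/issuer"   # annotation the page says to remove
ISSUER_VALUE = "ingress-issuer"

# Constructed sample of one endpoint block from a subsystem CR, as `kubectl get -o json`
# would return it. The endpoint key, hostname and secret names are assumptions.
SAMPLE_CR = {
    "spec": {
        "apiManagerEndpoint": {
            "annotations": {ISSUER_ANNOTATION: ISSUER_VALUE},
            "hosts": [{"name": "api-manager.example.com", "secretName": "api-manager"}],
        }
    }
}


def is_default_secret_name(cr, endpoint, secret_name):
    """True if secret_name is already used by a host of this endpoint (the cert-manager default)."""
    hosts = cr["spec"][endpoint].get("hosts", [])
    return any(h.get("secretName") == secret_name for h in hosts)


def switch_endpoint_secret(cr, endpoint, new_secret):
    """Return a copy of cr where spec.<endpoint> drops the cert-manager issuer annotation
    and every host points at new_secret. Refuses a name that collides with the default."""
    if is_default_secret_name(cr, endpoint, new_secret):
        raise ValueError(f"{new_secret!r} is the default secret name for {endpoint}; pick a new name")
    cr = json.loads(json.dumps(cr))                 # deep copy so the caller's object is untouched
    ep = cr["spec"][endpoint]
    annotations = ep.get("annotations", {})
    if annotations.get(ISSUER_ANNOTATION) == ISSUER_VALUE:
        del annotations[ISSUER_ANNOTATION]           # cert-manager stops managing this endpoint
    for host in ep.get("hosts", []):
        host["secretName"] = new_secret
    return cr


def wildcard_covers(cert_name, hostname):
    """One-level wildcard rule from the page: a leading '*' stands for exactly one label."""
    cert = cert_name.lower().split(".")
    host = hostname.lower().split(".")
    if cert[0] != "*":
        return cert == host
    return len(cert) == len(host) and cert[1:] == host[1:]


if __name__ == "__main__":
    updated = switch_endpoint_secret(SAMPLE_CR, "apiManagerEndpoint", "api-manager-custom")
    print(json.dumps(updated, indent=2))            # pipe into `kubectl apply -f -`
```

The script only rewrites the JSON; creating the secret (step 1) and applying the CR are still done with kubectl.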