API Connect TLS certificate best practices

Best practices for configuring and managing TLS certificates in an API Connect deployment on VMware.

API Connect generates TLS certificates during installation that are used to secure all network communication to, from, and within your API Connect deployment.

The TLS server certificates that secure the user-facing endpoints of your API Connect deployment can be replaced with your own organization's certificates. For example, if you want portal users to see your organization's certificate instead of the auto-generated API Connect certificate, you can update the certificate that secures the portal-www endpoint to use your own certificate.

If more than one endpoint is configured on the same host, those endpoints must use the same certificate: a client connects to the host and receives whichever certificate is bound to it, regardless of which endpoint it is accessing.

If you replace default certificates with your own certificates, then you are responsible for maintaining those certificates. They must meet the requirements defined in Table 1, and you must renew them before they expire.

The following table lists all the user-facing certificates in API Connect. Each entry gives the certificate name, followed by its description.
Table 1. User-facing endpoint certificates
portal-www-ingress

The portal-www-ingress certificate is a user-facing ingress certificate that is returned to users when they attempt to access developer portal sites.

The endpoint is called portal-www in the portal subsystem configuration.

api-manager-ui

The api-manager-ui certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Manager UI.

The endpoint in the management subsystem configuration uses the same name: api-manager-ui.

The hostnames for which the certificate is valid must include the api-manager-ui endpoint. A wildcard can be used as the leftmost label of the hostname: for example, if the endpoint is store.acme.com, a certificate that is valid for hostnames matching *.acme.com is accepted.

Requires the extendedKeyUsage (EKU) extension to include serverAuth.

cloud-admin-ui

The cloud-admin-ui certificate is a user-facing ingress certificate that is returned to users when they attempt to access the Cloud Manager UI.

The endpoint in the management subsystem configuration uses the same name: cloud-admin-ui.

The hostnames for which the certificate is valid must include the cloud-admin-ui endpoint. A wildcard can be used as the leftmost label of the hostname: for example, if the endpoint is store.acme.com, a certificate that is valid for hostnames matching *.acme.com is accepted.

Requires the extendedKeyUsage (EKU) extension to include serverAuth.

consumer-api

The consumer-api certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Connect REST API at organization scope.

The endpoint in the management subsystem configuration uses the same name: consumer-api.

The hostnames for which the certificate is valid must include the consumer-api endpoint. A wildcard can be used as the leftmost label of the hostname: for example, if the endpoint is store.acme.com, a certificate that is valid for hostnames matching *.acme.com is accepted.

Requires the extendedKeyUsage (EKU) extension to include serverAuth.

platform-api

The platform-api certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Connect REST API at cloud scope.

The endpoint in the management subsystem configuration uses the same name: platform-api.

The hostnames for which the certificate is valid must include the platform-api endpoint. A wildcard can be used as the leftmost label of the hostname: for example, if the endpoint is store.acme.com, a certificate that is valid for hostnames matching *.acme.com is accepted.

Requires the extendedKeyUsage (EKU) extension to include serverAuth.

hub

Used by the Automated API behavior testing application. This is the user-facing ingress certificate for the hub endpoint.

Note: The API invocation certificate (the certificate that is presented to callers of your APIs) is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
Note: For more information about the non-user-facing certificates used in API Connect, see TLS certificate concepts and operations.
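The following script is an added example, not part of API Connect or its documentation. It turns the requirements above into a pre-flight check you can run against a replacement certificate before installing it: the subjectAltName must cover the endpoint hostname (with a wildcard accepted only as the leftmost label), the EKU must include serverAuth, the certificate must be unexpired and outside a renewal window, and endpoints that share a host must present one certificate. The 30-day renewal lead time, the endpoint-to-host mapping, and the sample certificates are all constructed for the example; certificates are represented in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), plus a 'der' key holding the raw bytes, and the serverAuth check is a heuristic scan of those bytes rather than a full X.509 parse.

```python
"""Pre-flight checks for API Connect user-facing endpoint certificates.

Added example; not part of API Connect or its documentation. Certificates
are dicts in the shape ssl.SSLSocket.getpeercert() returns, plus a 'der'
key holding getpeercert(binary_form=True).
"""
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timedelta, timezone

# serverAuth is OID 1.3.6.1.5.5.7.3.1. DER-encoded it is tag 0x06, length 8,
# then the content bytes below. Scanning the raw certificate for this encoding
# is a heuristic stand-in for a full X.509 parser; `openssl x509 -noout -ext
# extendedKeyUsage -in cert.pem` gives the authoritative answer.
SERVERAUTH_OID_DER = bytes.fromhex("06082b06010505070301")

RENEWAL_LEAD = timedelta(days=30)  # assumed local renewal policy, not an API Connect value
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a SAN DNS entry against an endpoint hostname (RFC 6125 rules):
    exact match, or a wildcard that is the entire leftmost label and stands
    for exactly one label. *.acme.com covers store.acme.com but not acme.com
    or dev.store.acme.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards (st*.acme.com), wildcards that are not the
    # leftmost label, and wildcards covering a whole top-level domain (*.com).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries from subjectAltName, in getpeercert() tuple form."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_endpoint_cert(endpoint: str, host: str, cert: dict,
                        now: datetime | None = None) -> list[str]:
    """Return the problems found; an empty list means the certificate meets
    the requirements for this endpoint."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    if not any(hostname_matches(name, host) for name in san_dns_names(cert)):
        problems.append(f"{endpoint}: no subjectAltName DNS entry covers {host}")
    if SERVERAUTH_OID_DER not in cert.get("der", b""):
        problems.append(f"{endpoint}: extendedKeyUsage does not include serverAuth")
    # notAfter is in OpenSSL's text form, e.g. 'Jun  1 12:00:00 2026 GMT'.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    if expires <= now:
        problems.append(f"{endpoint}: certificate expired on {expires:%Y-%m-%d}")
    elif expires - now < RENEWAL_LEAD:
        problems.append(f"{endpoint}: certificate expires on {expires:%Y-%m-%d}; renew now")
    return problems


def check_shared_hosts(endpoints: dict[str, str], certs: dict[str, dict]) -> list[str]:
    """Endpoints configured on one host must present one certificate: the
    client connects to the host, so it sees whichever certificate is bound there."""
    by_host: dict[str, dict[str, bytes]] = {}
    for endpoint, host in endpoints.items():
        by_host.setdefault(host, {})[endpoint] = certs[endpoint]["der"]
    return [f"{host}: endpoints {sorted(ders)} present different certificates"
            for host, ders in by_host.items() if len(set(ders.values())) > 1]


def fetch_cert(host: str, port: int = 443, cafile: str | None = None) -> dict:
    """Retrieve a live endpoint's certificate in the same dict shape. Pass the
    API Connect CA file when checking the auto-generated certificates, which
    the system trust store does not know."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = dict(tls.getpeercert())
            cert["der"] = tls.getpeercert(binary_form=True)
            return cert


# Constructed sample data, not real certificates. The 'der' bytes are
# stand-ins that only need to contain (or omit) the serverAuth OID encoding.
WILDCARD_CERT = {
    "subjectAltName": (("DNS", "*.acme.com"),),
    "notAfter": "Jun  1 12:00:00 2026 GMT",
    "der": b"\x30\x82\x01\x00" + SERVERAUTH_OID_DER,
}
HUB_CERT = {  # issued without serverAuth and already expired
    "subjectAltName": (("DNS", "hub.acme.com"),),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "der": b"\x30\x82\x01\x00",
}
ENDPOINTS = {"api-manager-ui": "store.acme.com", "cloud-admin-ui": "store.acme.com",
             "hub": "hub.acme.com"}
CERTS = {"api-manager-ui": WILDCARD_CERT, "cloud-admin-ui": HUB_CERT, "hub": HUB_CERT}


def run_checks(now: datetime | None = None) -> list[str]:
    """Run every check over the sample endpoint map and return all problems."""
    problems = check_shared_hosts(ENDPOINTS, CERTS)
    for endpoint, host in ENDPOINTS.items():
        problems += check_endpoint_cert(endpoint, host, CERTS[endpoint], now)
    return problems


if __name__ == "__main__":
    for line in run_checks(FIXED_NOW):
        print(line)
```

To check a live deployment, replace the sample CERTS with `fetch_cert(host, cafile=...)` for each endpoint host; the same checks then apply to whatever the ingress actually serves, which catches a certificate that was installed on the wrong endpoint as well as one that was issued with the wrong name or EKU.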