Best practices for configuring and managing TLS certificates in an API Connect deployment on VMware.

API Connect generates TLS certificates during installation that are used to secure all network communication to, from, and within your API Connect deployment.

The TLS server certificates that secure the user-facing endpoints of your API Connect deployment can be replaced with your own organization's certificates. For example, if you want portal users to see your organization's certificate instead of the auto-generated API Connect certificate, you can update the certificate that secures the portal-www endpoint to use your own certificate.

If more than one endpoint is set to the same host, the certificates associated with those endpoints should be set to the same certificate.

If you replace default certificates with your own certificates, then you are responsible for maintaining those certificates. They must meet the requirements defined in Table 1, and you must renew them before they expire.

The following table lists all the user-facing certificates in API Connect:
Table 1. User-facing endpoint certificates.

| Certificate name | Description |
|---|---|
| portal-www-ingress | The portal-www-ingress certificate is a user-facing ingress certificate that is returned to users when they attempt to access developer portal sites. The endpoint is called portal-www in the portal subsystem configuration. |
| api-manager-ui | The api-manager-ui certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Manager UI. The endpoint in the management subsystem configuration uses the same name: api-manager-ui. The hostnames for which the certificate is valid must include the api-manager-ui endpoint. A wildcard certificate can be used as the first element in a hostname; for example, if the endpoint is store.acme.com, the certificate can be one that is valid for hostnames that match *.acme.com. Requires EKU serverAuth. |
| cloud-admin-ui | The cloud-admin-ui certificate is a user-facing ingress certificate that is returned to users when they attempt to access the Cloud Manager UI. The endpoint in the management subsystem configuration uses the same name: cloud-admin-ui. The hostnames for which the certificate is valid must include the cloud-admin-ui endpoint. A wildcard certificate can be used as the first element in a hostname; for example, if the endpoint is store.acme.com, the certificate can be one that is valid for hostnames that match *.acme.com. Requires EKU serverAuth. |
| consumer-api | The consumer-api certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Connect REST API at organization scope. The endpoint in the management subsystem configuration uses the same name: consumer-api. The hostnames for which the certificate is valid must include the consumer-api endpoint. A wildcard certificate can be used as the first element in a hostname; for example, if the endpoint is store.acme.com, the certificate can be one that is valid for hostnames that match *.acme.com. Requires EKU serverAuth. |
| platform-api | The platform-api certificate is a user-facing ingress certificate that is returned to users when they attempt to access the API Connect REST API at cloud scope. The endpoint in the management subsystem configuration uses the same name: platform-api. The hostnames for which the certificate is valid must include the platform-api endpoint. A wildcard certificate can be used as the first element in a hostname; for example, if the endpoint is store.acme.com, the certificate can be one that is valid for hostnames that match *.acme.com. Requires EKU serverAuth. |
| hub | Used by the Automated API behavior testing application. User-facing ingress certificate for the hub-endpoint. |
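As an added example (not IBM's code and not part of the original page), the following Python checks a certificate's already-parsed fields against the Table 1 requirements (hostname coverage with a wildcard allowed only as the first element, EKU serverAuth, expiry) and the rule that endpoints sharing a host should share one certificate. The hosts, fingerprints and dates are constructed sample values.

```python
# Check an API Connect user-facing endpoint certificate against Table 1
# (hostname coverage, EKU serverAuth, expiry) and the shared-host rule.
# Inputs are already-parsed certificate fields; all values are constructed samples.
from datetime import datetime, timedelta, timezone

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth

def hostname_matches(pattern: str, host: str) -> bool:
    """True if a SAN dNSName covers host. A wildcard is accepted only as the
    whole first label and matches exactly one label: *.acme.com covers
    store.acme.com but not acme.com or a.b.acme.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_endpoint_cert(endpoint_host, san_dns_names, eku_oids, not_after, now,
                        min_days_left=30):
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if not any(hostname_matches(n, endpoint_host) for n in san_dns_names):
        problems.append(f"no SAN entry covers endpoint host {endpoint_host}")
    if SERVER_AUTH_OID not in eku_oids:
        problems.append("EKU serverAuth missing")
    if not_after <= now:
        problems.append("certificate has expired")
    elif not_after - now < timedelta(days=min_days_left):
        problems.append(f"certificate expires within {min_days_left} days; renew it")
    return problems

def find_shared_host_conflicts(endpoints):
    """endpoints maps endpoint name -> (host, certificate fingerprint). Return
    {host: fingerprints} for hosts served by more than one certificate."""
    by_host = {}
    for host, fingerprint in endpoints.values():
        by_host.setdefault(host, set()).add(fingerprint)
    return {h: fps for h, fps in by_host.items() if len(fps) > 1}

# Constructed sample data (hypothetical hosts and fingerprints)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERT = {"san": ["*.acme.com"], "eku": [SERVER_AUTH_OID],
               "not_after": NOW + timedelta(days=200)}
ENDPOINTS = {"api-manager-ui": ("store.acme.com", "sha256:AAAA"),
             "cloud-admin-ui": ("store.acme.com", "sha256:BBBB"),  # same host, other cert
             "platform-api": ("api.acme.com", "sha256:AAAA")}
```

Run `check_endpoint_cert("store.acme.com", SAMPLE_CERT["san"], SAMPLE_CERT["eku"], SAMPLE_CERT["not_after"], NOW)` to get an empty list, and `find_shared_host_conflicts(ENDPOINTS)` to see store.acme.com flagged because two endpoints on that host use different certificates.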
Note: The API invocation certificate (the certificate that is presented to callers of your APIs) is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.