List of intra-subsystem certificates
A summary of certificates used for communications within subsystems in an API Connect deployment.
APIConnectCluster instance name. For example, the certificate management-ca is called <apic instance name>-mgmt-ca.
Table 1 presents a list of certificates used for communications between pods in the same subsystem. The certificates are managed by cert-manager. For details of all the API Connect certificates, see API Connect certificates.
Certificate name | Issuer | Description |
---|---|---|
management-ca or mgmt-ca | selfsigning-issuer | The issuer for the management subsystem's intra-subsystem certificates: management-client, management-server, postgres, and nats certificates. Communication between management subsystem pods fails if there is a problem with this certificate. This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems, when using |
management-client or mgmt-client | management-ca | Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
management-server or mgmt-server | management-ca | Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are: |
db-client-apicuser | management-ca | Intra-subsystem certificate for the management database subsystem. |
db-client-postgres | management-ca | Intra-subsystem certificate for the management database subsystem. |
natscluster-mgmt | management-ca | Intra-subsystem certificate for the nats pods. |
analytics-ca or a7s-ca | selfsigning-issuer | The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate. If you update this certificate, you must then update the analytics-client and analytics-server server certificates, and then ensure that the following pods are restarted: |
analytics-client or a7s-client | analytics-ca | Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate. If this certificate is updated, then the |
analytics-server or a7s-server | analytics-ca | Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are: If this certificate is updated, then the |
portal-ca or ptl-ca | selfsigning-issuer | The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-client or ptl-client | portal-ca | Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-server or ptl-server | portal-ca | Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are: <instance name> and <remote portal CR name> are truncated if more than 15 characters. This certificate is used by all portal pods. |