Generating custom certificates using cert-manager

Generate custom certificates using cert-manager.

About this task

If you do not have your own custom certificates that you can provide for the installation, you can prepare a YAML file with certificate definitions that cert-manager can use to generate the required certificates.
Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.

Procedure

  1. Download and install cert-manager v1.12.13 from https://github.com/cert-manager/cert-manager/releases/tag/v1.12.13.
  2. Open the helper_files/custom-certs-external.yaml file in an editor.
    To locate the custom-certs-external.yaml file, see Obtaining product files.
  3. In custom-certs-external.yaml, replace all instances of example.com with the domain for your API Connect deployment.
  4. Apply the custom-certs-external.yaml file in your API Connect namespace.
    kubectl -n <namespace> apply -f custom-certs-external.yaml
  5. Optional: If you want to customize the internal certificates with cert-manager, then follow these steps.
    Note: It is not recommended to customize internal certificates because it adds complexity and increases the maintenance overhead of your API Connect deployment. It is not possible to customize a subset of the internal certificates in a subsystem CR. If you want to customize any of the internal certificates in a subsystem CR, then you must customize them all.

    Use the custom-certs-internal.yaml file, which can be found in the helper_files installation archive. For more information, see Obtaining product files.

    1. Decide on a site name for your management subsystem. The db-server-certificate requires a site-name. Update the custom-certs-internal.yaml file with your site name and namespace.
    2. Apply the updated custom-certs-internal.yaml file in your API Connect namespace:
      kubectl -n <namespace> apply -f custom-certs-internal.yaml
  6. Verify that the certificates and their corresponding secrets were created:
    kubectl -n <namespace> get certificate
    kubectl -n <namespace> get secret
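
Steps 3 and 6 can be scripted so that a leftover placeholder domain or a certificate that never became Ready is caught. This is an added example, not part of the product's helper files: render_certs, not_ready and verify_certs are hypothetical helper names, the manifest is a constructed stand-in for custom-certs-external.yaml, and apic.test is a placeholder domain.

```shell
# Added example; not part of the API Connect helper files.

# Step 3: write a copy of the template with example.com replaced by your
# domain. Rejects anything that is not a plain lowercase DNS name, and fails
# if the placeholder domain is still present afterwards.
render_certs() {   # usage: render_certs <template> <domain> <output>
  case $2 in
    ''|*[!a-z0-9.-]*|[.-]*|*[.-]) echo "invalid domain: $2" >&2; return 2 ;;
  esac
  sed "s/example\.com/$2/g" "$1" > "$3" || return 1
  if grep -inE '(^|[^a-z0-9-])example\.com' "$3" >&2; then
    echo "placeholder domain still present in $3" >&2
    return 1
  fi
}

# Step 6 helper: reads "name secretName readyStatus" lines and prints the
# certificates whose Ready condition is not True. Exit status 1 if any.
not_ready() {
  awk '$3 != "True" { print $1; bad = 1 } END { exit bad + 0 }'
}

# Step 6: requires kubectl access. Checks that certificates exist, that all
# are Ready, and that each certificate's secret is present.
verify_certs() {   # usage: verify_certs <namespace>
  certs=$(kubectl -n "$1" get certificate -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.secretName}{" "}{.status.conditions[?(@.type=="Ready")].status}{"\n"}{end}') || return 1
  [ -n "$certs" ] || { echo "no certificates in $1" >&2; return 1; }
  printf '%s\n' "$certs" | not_ready >&2 || return 1
  printf '%s\n' "$certs" | while read -r _name secret _ready; do
    kubectl -n "$1" get secret "$secret" >/dev/null || exit 1
  done
}

# Constructed sample standing in for custom-certs-external.yaml (the real
# file's contents are not reproduced here); all names below are made up.
sample=$(mktemp) && rendered=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sample-endpoint
spec:
  secretName: sample-endpoint
  dnsNames:
    - api.example.com
EOF
render_certs "$sample" apic.test "$rendered" && cat "$rendered"
```

Run verify_certs with your namespace after the apply in step 4 (and step 5, if used); cert-manager can take a short time to issue, so a certificate that is not yet Ready may pass on a second run.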

What to do next

Configure your subsystem CR YAML files to use your custom certificates: Deploying API Connect subsystems with custom certificates.