TLS certificates organized by usage

Certificates tables organized by where they are used.

Note: The API invocation certificate that callers to the published APIs on your gateways see is configured in the Cloud Manager UI when you register your gateway services. For more information about API invocation certificates, see Registering a gateway service and TLS profiles overview.
Table 1. Management to gateway communication
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

gateway-client-client or gw-dr-client ingress-issuer

Client certificate for communications with the gateway service. Restart the apim and taskmanager pods after update. This certificate must have the same CA as the gwv6-manager-endpoint or gw-gateway-manager certificate on the gateway.

This certificate is loaded by the management subsystem into the Gateway management client TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the gateway, then create a new profile and specify it when you register the gateway service.

gwv6-manager-endpoint or gw-gateway-manager ingress-issuer

The gatewayManager endpoint certificate. This is the server certificate on the gateway director endpoint, which the management subsystem communicates with.

This certificate must be signed by the same CA as the gateway-client-client certificate on the management subsystem

If you update this certificate, then all gateway pods are restarted automatically.

wmapigateway-mgmt-client ingress-issuer Client certificate used for communication with the WM API Gateway subsystem
nano-gateway-mgmt-client ingress-issuer Client certificate used for the communication with the nano gateway subsystem
Table 2. Management to portal communication
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

portal-admin-client or ptl-adm-client ingress-issuer
Client certificate used for communication with the portal subsystem on the portalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate portal-admin or ptl-director on the portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the portal CR:
    kubectl describe cert portal-admin-client
    
    Spec:
      Common Name:  ptl-adm-client
    kubectl get ptl -o yaml
    
      spec:
        adminClientSubjectDN: CN=ptl-adm-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical.

This certificate is loaded by the management subsystem into the Portal Director TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the portal, then create a new profile and specify it when you register the portal service.

portal-admin or ptl-director or portal-director ingress-issuer

Server certificate used on the portalAdminEndpoint. The management subsystem communicates with the portal subsystem on this endpoint. The corresponding client certificate used in the management to portal communication is the portal-admin-client certificate.

This certificate must have the same CA as the portal-admin-client certificate on the management subsystem.

This certificate is used by the portal-nginx pod.

devportal-admin-client ingress-issuer
Client certificate used for communication with the Developer Portal subsystem on the devportalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate devportal-admin on the Developer Portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the Developer Portal CR:
    kubectl describe cert devportal-admin-client
    
    Spec:
      Common Name:  devportal-adm-client
    kubectl get devportal -o yaml
    
      spec:
        adminClientSubjectDN: CN=devportal-adm-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=devportal-admin-client, or they could both be CN=devportal-adm-client, O=cert-manager, but they must be identical.

This certificate is loaded by the management subsystem into the DevPortal Director TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the portal, then create a new profile and specify it when you Registering a Developer Portal subsystem.

Table 3. Management and gateway to analytics communication
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

analytics-ingestion-client or a7s-ing-client ingress-issuer Client certificate used for communication with the analytics subsystem on the ingestion endpoint. This certificate must have:
  • The same CA as the server certificate analytics-ai-endpoint on the analytics subsystem.
  • The common name must match the spec.clientSubjectDN in the analytics CR:
    kubectl describe cert analytics-admin-client
    
    Spec:
      Common Name:  a7s-ing-client
    kubectl get a7s -o yaml
    
      spec:
        clientSubjectDN: CN=a7s-ing-client

To update this certificate, use kubectl. Restart the apim, taskmanager, and analytics-proxy pods after the update. This certificate is also used by the gateways for sending API events to the analytics subsystem. The updated certificate is sent by the management subsystem to the gateways, it is not necessary to restart any gateway pods.

This certificate is loaded by the management subsystem into the Analytics ingestion TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the analytics subsystem, then create a new profile and specify it when you register the analytics service.

analytics-ai-endpoint or a7s-ai-endpoint ingress-issuer

Server certificate used on the analytics ingestion endpoint in the mtls-gw pod. Management and gateway subsystems communicate with the analytics subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the analytics-ai-endpoint certificate.

If this certificate is updated, restart the mtls-gw pod for the update to take effect.

Table 4. Management to Federated API Management communication
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

federatedapimanagement-admin-client ingress-issuer

The client certificate is used for communication with the Federated API Management subsystem through the admin endpoint. After you update the certificate, restart the apim and taskmanager pods. When the apim pod restarts, re-publish the federated API management settings in Cloud Manager.

The management subsystem loads this certificate into the Federated API Management Admin TLS client profile, which you can view in the Cloud Manager user interface. For more information, see TLS profiles overview.

Table 5. User-facing certificates
Certificate name Issuer Description
api-endpoint or mgmt-platform-api ingress-issuer Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI.
consumer-endpoint or mgmt-consumer-api ingress-issuer Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI.
consumer-catalog-endpoint ingress-issuer Consumer catalog endpoint server certificate.
apim-endpoint or mgmt-api-manager ingress-issuer API Manager UI server certificate.
cm-endpoint or mgmt-admin ingress-issuer Cloud Manager UI server certificate.
portal-web ingress-issuer

The server certificate used on the portalUIEndpoint. It is the server certificate that is presented to portal site users, and which their browser authenticates. If there is a problem with this certificate, then users see an error message about an invalid or insecure certificate in their browser when they access a portal site.

The default portal-web certificate is issued by the ingress-issuer, which has a self-signed root certificate. Portal users might see a browser warning about use of a self-signed certificate.

This certificate is used by the portal-web ingress (portal-web route on OpenShift®).

hub-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the hub-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
devportal-ai-endpoint ingress-issuer

Server certificate used on the Developer Portal ingestion endpoint in the mtls-gw pod. Management and gateway subsystems communicate with the Developer Portal subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the devportal-ai-endpoint certificate.

If this certificate is updated, restart the mtls-gw pod for the update to take effect.

fam-admin-endpoint ingress-issuer The server certificate used for MTLS communication with Federated API Management admin endpoint.
fam-ui-endpoint ingress-issuer Certificated used for Federated API Management UI endpoint.
wmapigateway-ui-tls-secret ingress-issuer Certificated used for WM API Gateway UI endpoint
wmapigateway-gw-tls-secret ingress-issuer Certificated used for WM API Gateway REST endpoint
gateway-proxy-endpoint ingress-issuer Certificated used for nano gateway REST endpoint
Table 6. Inter-subsystem certificates
Certificate name Issuer Description
-ingress-ca selfsigning-issuer The CA and issuer of all API Connect inter-subsystem and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are inaccessible and unable to sync with each other.

Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal.

The ingress-ca certificate is also stored in the management subsystem database. It is visible from the Cloud Manager UI, in the truststores of the analytics, gateway, event gateway, and portal default TLS client profiles. When the management subsystem apim pod is restarted the certificate is reloaded into the database from the Kubernetes ingress-ca certificate. Do not attempt to update this certificate from the Cloud Manager UI.

If this certificate is updated, and you have a portal deployed, then restart the portal-www pods for the update to take effect.

analytics-ingestion-client or a7s-ing-client ingress-issuer Client certificate used for communication with the analytics subsystem on the ingestion endpoint. This certificate must have:
  • The same CA as the server certificate analytics-ai-endpoint on the analytics subsystem.
  • The common name must match the spec.clientSubjectDN in the analytics CR:
    kubectl describe cert analytics-admin-client
    
    Spec:
      Common Name:  a7s-ing-client
    kubectl get a7s -o yaml
    
      spec:
        clientSubjectDN: CN=a7s-ing-client

To update this certificate, use kubectl. Restart the apim, taskmanager, and analytics-proxy pods after the update. This certificate is also used by the gateways for sending API events to the analytics subsystem. The updated certificate is sent by the management subsystem to the gateways, it is not necessary to restart any gateway pods.

This certificate is loaded by the management subsystem into the Analytics ingestion TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the analytics subsystem, then create a new profile and specify it when you register the analytics service.

portal-admin-client or ptl-adm-client ingress-issuer
Client certificate used for communication with the portal subsystem on the portalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate portal-admin or ptl-director on the portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the portal CR:
    kubectl describe cert portal-admin-client
    
    Spec:
      Common Name:  ptl-adm-client
    kubectl get ptl -o yaml
    
      spec:
        adminClientSubjectDN: CN=ptl-adm-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=portal-admin-client, or they could both be CN=ptl-adm-client, O=cert-manager, but they must be identical.

This certificate is loaded by the management subsystem into the Portal Director TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the portal, then create a new profile and specify it when you register the portal service.

gateway-client-client or gw-dr-client ingress-issuer

Client certificate for communications with the gateway service. Restart the apim and taskmanager pods after update. This certificate must have the same CA as the gwv6-manager-endpoint or gw-gateway-manager certificate on the gateway.

This certificate is loaded by the management subsystem into the Gateway management client TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the gateway, then create a new profile and specify it when you register the gateway service.

api-endpoint or mgmt-platform-api ingress-issuer Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI.
consumer-endpoint or mgmt-consumer-api ingress-issuer Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI.
apim-endpoint or mgmt-api-manager ingress-issuer API Manager UI server certificate.
cm-endpoint or mgmt-admin ingress-issuer Cloud Manager UI server certificate.
hub-endpoint ingress-issuer Used by the Automated API behavior testing application. User-facing server certificate for the hub-endpoint. If there is a problem with this certificate, then the user's browser shows a warning or error message.
management-s3proxy-all ingress-issuer Inter-subsystem certificate for communication between management subsystem and s3proxy pods. Used for management database local and SFTP backups.
analytics-ai-endpoint or a7s-ai-endpoint ingress-issuer

Server certificate used on the analytics ingestion endpoint in the mtls-gw pod. Management and gateway subsystems communicate with the analytics subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the analytics-ai-endpoint certificate.

If this certificate is updated, restart the mtls-gw pod for the update to take effect.

portal-admin or ptl-director or portal-director ingress-issuer

Server certificate used on the portalAdminEndpoint. The management subsystem communicates with the portal subsystem on this endpoint. The corresponding client certificate used in the management to portal communication is the portal-admin-client certificate.

This certificate must have the same CA as the portal-admin-client certificate on the management subsystem.

This certificate is used by the portal-nginx pod.

portal-web ingress-issuer

The server certificate used on the portalUIEndpoint. It is the server certificate that is presented to portal site users, and which their browser authenticates. If there is a problem with this certificate, then users see an error message about an invalid or insecure certificate in their browser when they access a portal site.

The default portal-web certificate is issued by the ingress-issuer, which has a self-signed root certificate. Portal users might see a browser warning about use of a self-signed certificate.

This certificate is used by the portal-web ingress (portal-web route on Red Hat OpenShift).

gateway-peering or gw-peer ingress-issuer

This certificate secures the communication between gateways in your gateway cluster.

If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering.

gwv6-endpoint or gw-gateway ingress-issuer Legacy certificate that is not used.
gateway-service or gw-svc ingress-issuer Legacy certificate that is not used.
gwv6-manager-endpoint or gw-gateway-manager ingress-issuer

The gatewayManager endpoint certificate. This is the server certificate on the gateway director endpoint, which the management subsystem communicates with.

This certificate must be signed by the same CA as the gateway-client-client certificate on the management subsystem

If you update this certificate, then all gateway pods are restarted automatically.

event-gateway-management-client ingress-issuer The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments.
federatedapimanagement-admin-client ingress-issuer

The client certificate is used for communication with the Federated API Management subsystem through the admin endpoint. After you update the certificate, restart the apim and taskmanager pods. When the apim pod restarts, re-publish the federated API management settings in Cloud Manager.

The management subsystem loads this certificate into the Federated API Management Admin TLS client profile, which you can view in the Cloud Manager user interface. For more information, see TLS profiles overview.

devportal-admin-client ingress-issuer
Client certificate used for communication with the Developer Portal subsystem on the devportalAdminEndpoint. This certificate must have:
  • The same CA as the server certificate devportal-admin on the Developer Portal subsystem.
  • The common name must match the spec.adminClientSubjectDN in the Developer Portal CR:
    kubectl describe cert devportal-admin-client
    
    Spec:
      Common Name:  devportal-adm-client
    kubectl get devportal -o yaml
    
      spec:
        adminClientSubjectDN: CN=devportal-adm-client

For a two data center disaster recovery deployment, both data centers must have an identical subject name. For example, both data centers subject name could be CN=devportal-admin-client, or they could both be CN=devportal-adm-client, O=cert-manager, but they must be identical.

This certificate is loaded by the management subsystem into the DevPortal Director TLS client profile that you can see in the Cloud Manager UI (see TLS profiles). If you want the management subsystem to present a different client certificate to the portal, then create a new profile and specify it when you Registering a Developer Portal subsystem.

devportal-wmapigateway-client ingress-issuer Client certificate used Developer Portal subsystem to communicate with WM API Gateway subsystem
wmapigateway-devportal-client ingress-issuer Client certificate used WM API Gateway subsystem to communicate with Developer Portal subsystem
Table 7. Intra-subsystem certificates
Certificate name Issuer Description
management-ca or mgmt-ca selfsigning-issuer The issuer for the management subsystems intra-subsystem certificates: management-client, management-server, postgres, and nats certificates. Communication between management subsystem pods fails if there is a problem with this certificate.

This certificate is also used as the CA for REST API calls to the management subsystem from the other subsystems, when using in-cluster communication. See In-cluster service communication between subsystems

management-client or mgmt-client management-ca Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
management-server or mgmt-server management-ca Server certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate.
Required DNS names within the SAN section are:
*.<namespace>
*.<namespace>.svc
*.<namespace>.svc.cluster.local
*.<instance name>-server.<namespace>.svc
*.<instance name>-server.<namespace>.svc.cluster.local
<instance name>-server
db-client-apicuser management-ca Intra-subsystem certificate for the management database subsystem.
db-client-postgres management-ca Intra-subsystem certificate for the management database subsystem.
natscluster-mgmt management-ca Intra-subsystem certificate for the nats pods.
analytics-ca or a7s-ca selfsigning-issuer The issuer for the analytics-client and analytics-server certificates. Communication between analytics subsystem pods fails if there is a problem with this certificate.
If you update this certificate, you must then update the analytics-client and analytics-server server certificates, and then ensure that the following pods are restarted:
  • storage- Restarts automatically.
  • warehouse- Restarts automatically.
  • ingestion- Restarts automatically.
  • director- Restart manually.
analytics-client or a7s-client analytics-ca Client certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.

If this certificate is updated, then the storage, warehouse and the ingestion pods restart automatically. You must manually restart the director pod.

analytics-server or a7s-server analytics-ca Server certificate used in communication between analytics subsystem pods. Communication between analytics subsystem pods fails if there is a problem with this certificate.
Required DNS names within the SAN section are:
*.<namespace>
*.<namespace>.svc
*.<namespace>.svc.cluster.local
*.<instance name>-server.<namespace>.svc
*.<instance name>-server.<namespace>.svc.cluster.local
<instance name>-server
<instance name>-storage
<instance name>-director
<instance name>-ingestion
<instance name>-mtls-gw
<instance name>-storage-os-master
<instance name>-warehouse

If this certificate is updated, then the storage, warehouse and ingestion pods restart automatically. Manually restart the director pod.

portal-ca or ptl-ca selfsigning-issuer

The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate.

This certificate is used by all portal pods.

portal-client or ptl-client portal-ca

Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.

This certificate is used by all portal pods.

portal-server or ptl-server portal-ca

Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate.

Required DNS names within the SAN section are:
*.<namespace>
*.<namespace>.svc
*.<namespace>.svc.cluster.local
*.<instance name>-server.<namespace>.svc
*.<instance name>-server.<namespace>.svc.cluster.local
<instance name>-server
*.<instance name>-<site name>-db-all.<namespace>.svc
*.<instance name>-<site name>-www-all.<namespace>.svc
*.<instance name>-<site name>-db-all.<namespace>.svc.cluster.local
*.<instance name>-<site name>-www-all.<namespace>.svc.cluster.local
*.<namespace>.svc.cluster.local
<instance name>-db
<instance name>is truncated if more than 15 characters.

This certificate is used by all portal pods.

devportal-ai-endpoint ingress-issuer

Server certificate used on the Developer Portal ingestion endpoint in the mtls-gw pod. Management and gateway subsystems communicate with the Developer Portal subsystem on this endpoint. The client certificates that are used by the management and gateway subsystems must use the same CA certificate as the devportal-ai-endpoint certificate.

If this certificate is updated, restart the mtls-gw pod for the update to take effect.

devportal-ca selfsigning-issuer The issuer for the devportal-client and devportal-server certificates. Communication between the Developer Portal subsystem pods fails if there is a problem with this certificate.
If you update this certificate, you must then update the devportal-client and devportal-server server certificates, and then ensure that the following pods are restarted:
  • storage- Restarts automatically.
  • warehouse- Restarts automatically.
  • ingestion- Restarts automatically.
  • director- Restart manually.
devportal-client devportal-ca Client certificate used in communication between the Developer Portal subsystem pods. Communication between the Developer Portal subsystem pods fails if there is a problem with this certificate.

If this certificate is updated, then the storage, warehouse and the ingestion pods restart automatically. You must manually restart the director pod.

devportal-server devportal-ca Server certificate used in communication between the Developer Portal subsystem pods. Communication between the Developer Portal subsystem pods fails if there is a problem with this certificate.
Required DNS names within the SAN section are:
*.<namespace>
*.<namespace>.svc
*.<namespace>.svc.cluster.local
*.<instance name>-server.<namespace>.svc
*.<instance name>-server.<namespace>.svc.cluster.local
<instance name>-server
<instance name>-storage
<instance name>-director
<instance name>-ingestion
<instance name>-mtls-gw
<instance name>-storage-os-master
<instance name>-warehouse

If this certificate is updated, then the storage, warehouse and ingestion pods restart automatically. Manually restart the director pod.

fam-server fam-ca Server certificate used in communication between Federated API Management subsystem pods. Communication between Federated API Management subsystem pods fails if there is a problem with this certificate.
Required DNS names within the SAN section are:
*.<namespace>
*.<namespace>.svc
*.<instance name>-server.<namespace>.svc
<instance name>-server
*.<namespace>.svc.cluster.local
*.<instance name>-server.<namespace>.svc.cluster.local
<instance name>-ingress
<instance name>-asset-catalog
<instance name>-metrics-processor

If this certificate is updated, then the storage, warehouse and ingestion pods restart automatically. Manually restart the director pod.

wmapigateway-ca selfsigning-issuer he issuer for the WM API Gateway subsystems intra-subsystem certificates
wmapigateway-client wmapigateway-ca Client certificate used in communication between WM API Gateway subsytem pods
wmapigateway-server wmapigateway-ca Server certificate used in communication between WM API Gateway subsytem pods
wmapigateway-mgmt-tls-secret ingress-issuer TLS certificate for the WM API Gateway proxy endpoint
ngw-ca selfsigning-issuer The issuer for the nano gateway subsystems intra-subsystem certificates
ngw-client ngw-ca Client certificate used in communication between nano gateway subsystem pods
ngw-server ngw-ca Server certificate used in communication between nano gateway subsystem pods
ngw-nanogw-analytics-collector-client ngw-ca Client certificate that is used by nano gateway to talk to the analytics collector service
ngw-nanogw-analytics-collector-server ngw-ca Server certificate used by analytics collector service to startup