TLS certificates organized by usage
Certificates tables organized by where they are used.
| Certificate name | Issuer | Description |
|---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem If this certificate is updated, and you have a portal
deployed, then restart the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
wmapigateway-mgmt-client |
ingress-issuer |
Client certificate used for communication with the WM API Gateway subsystem |
nano-gateway-mgmt-client |
ingress-issuer |
Client certificate used for the communication with the nano gateway subsystem |
| Certificate name | Issuer | Description |
|---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem If this certificate is updated, and you have a portal
deployed, then restart the |
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint. This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
devportal-admin-client |
ingress-issuer |
Client certificate used for communication with the Developer Portal subsystem
on the
devportalAdminEndpoint. This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
| Certificate name | Issuer | Description |
|---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem If this certificate is updated, and you have a portal
deployed, then restart the |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
To update this certificate, use kubectl.
Restart the This
certificate is loaded by the management subsystem into the |
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint in the If this certificate is updated, restart the |
| Certificate name | Issuer | Description |
|---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem If this certificate is updated, and you have a portal
deployed, then restart the |
federatedapimanagement-admin-client |
ingress-issuer |
The client certificate is used for communication with the Federated API Management subsystem through
the admin endpoint. After you update the certificate, restart the The management subsystem loads this certificate into the Federated API Management Admin TLS client profile, which you can view in the Cloud Manager user interface. For more information, see TLS profiles overview. |
| Certificate name | Issuer | Description |
|---|---|---|
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
consumer-catalog-endpoint |
ingress-issuer |
Consumer catalog endpoint server certificate. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint. If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
devportal-ai-endpoint |
ingress-issuer |
Server certificate used on the Developer Portal ingestion
endpoint in the If this certificate is updated, restart the |
fam-admin-endpoint |
ingress-issuer |
The server certificate used for MTLS communication with Federated API Management admin endpoint. |
fam-ui-endpoint |
ingress-issuer |
Certificated used for Federated API Management UI endpoint. |
wmapigateway-ui-tls-secret |
ingress-issuer |
Certificated used for WM API Gateway UI endpoint |
wmapigateway-gw-tls-secret |
ingress-issuer |
Certificated used for WM API Gateway REST endpoint |
gateway-proxy-endpoint |
ingress-issuer |
Certificated used for nano gateway REST endpoint |
| Certificate name | Issuer | Description |
|---|---|---|
-ingress-ca |
selfsigning-issuer |
The CA and issuer of all API Connect inter-subsystem
and user-facing certificates. If there is a problem with this certificate, then all API Connect subsystems are
inaccessible and unable to sync with each other. Update this certificate with kubectl. When updated, all child certificates must also be updated by deleting their corresponding secrets. See ingress-ca renewal. The ingress-ca certificate is also stored in the management subsystem
database. It is visible from the Cloud
Manager UI, in the truststores of the
analytics, gateway, event gateway, and portal default TLS client profiles. When the management
subsystem If this certificate is updated, and you have a portal
deployed, then restart the |
analytics-ingestion-client or a7s-ing-client |
ingress-issuer |
Client certificate used for communication with the analytics subsystem on the ingestion
endpoint. This certificate must have:
To update this certificate, use kubectl.
Restart the This
certificate is loaded by the management subsystem into the |
portal-admin-client or ptl-adm-client |
ingress-issuer |
Client certificate used for communication with the portal subsystem on the
portalAdminEndpoint. This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
gateway-client-client or gw-dr-client |
ingress-issuer |
Client certificate for communications with the gateway service. Restart the This certificate is loaded by the management subsystem into the |
api-endpoint or mgmt-platform-api |
ingress-issuer |
Platform API endpoint server certificate. The certificate that is presented to callers of the platform REST API, and to the toolkit CLI. |
consumer-endpoint or mgmt-consumer-api |
ingress-issuer |
Consumer API endpoint server certificate. The certificate presented that is presented to callers of the consumer REST API, and to the toolkit CLI. |
apim-endpoint or mgmt-api-manager |
ingress-issuer |
API Manager UI server certificate. |
cm-endpoint or mgmt-admin |
ingress-issuer |
Cloud Manager UI server certificate. |
hub-endpoint |
ingress-issuer |
Used by the Automated API behavior testing
application. User-facing server certificate for the hub-endpoint. If there is a
problem with this certificate, then the user's browser shows a warning or error message. |
management-s3proxy-all |
ingress-issuer |
Inter-subsystem certificate for communication between management subsystem and s3proxy pods. Used for management database local and SFTP backups. |
analytics-ai-endpoint or a7s-ai-endpoint |
ingress-issuer |
Server certificate used on the analytics ingestion endpoint in the If this certificate is updated, restart the |
portal-admin or ptl-director or portal-director |
ingress-issuer |
Server certificate used on the This certificate must have the same CA as the This certificate is used by the |
portal-web |
ingress-issuer |
The server certificate used on the The default This certificate is used by the |
gateway-peering or gw-peer |
ingress-issuer |
This certificate secures the communication between gateways in your gateway cluster. If you update this certificate, then restart your gateway pods. See Changing the secret for gateway peering. |
gwv6-endpoint or gw-gateway |
ingress-issuer |
Legacy certificate that is not used. |
gateway-service or gw-svc |
ingress-issuer |
Legacy certificate that is not used. |
gwv6-manager-endpoint or gw-gateway-manager |
ingress-issuer |
The This certificate must be signed by the same CA as the If you update this certificate, then all gateway pods are restarted automatically. |
event-gateway-management-client |
ingress-issuer |
The event-gateway-management-client certificate exists only on Cloud Pak for Integration deployments. |
federatedapimanagement-admin-client |
ingress-issuer |
The client certificate is used for communication with the Federated API Management subsystem through
the admin endpoint. After you update the certificate, restart the The management subsystem loads this certificate into the Federated API Management Admin TLS client profile, which you can view in the Cloud Manager user interface. For more information, see TLS profiles overview. |
devportal-admin-client |
ingress-issuer |
Client certificate used for communication with the Developer Portal subsystem
on the
devportalAdminEndpoint. This certificate must have:
For a two data center disaster recovery deployment,
both data centers must have an identical subject name. For example, both data centers subject name
could be This certificate is loaded by the management subsystem into the |
devportal-wmapigateway-client |
ingress-issuer |
Client certificate used Developer Portal subsystem to communicate with WM API Gateway subsystem |
wmapigateway-devportal-client |
ingress-issuer |
Client certificate used WM API Gateway subsystem to communicate with Developer Portal subsystem |
| Certificate name | Issuer | Description |
|---|---|---|
management-ca or mgmt-ca |
selfsigning-issuer |
The issuer for the management subsystems intra-subsystem certificates:
management-client, management-server, postgres, and nats certificates. Communication between
management subsystem pods fails if there is a problem with this certificate. This certificate is
also used as the CA for REST API calls to the management subsystem from the other subsystems, when
using |
management-client or mgmt-client |
management-ca |
Client certificate used in communication between management subsystem pods. Communication between management subsystem pods fails if there is a problem with this certificate. |
management-server or mgmt-server |
management-ca |
Server certificate used in communication between management subsystem
pods. Communication between management subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
|
db-client-apicuser |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
db-client-postgres |
management-ca |
Intra-subsystem certificate for the management database subsystem. |
natscluster-mgmt |
management-ca |
Intra-subsystem certificate for the nats
pods. |
analytics-ca or a7s-ca |
selfsigning-issuer |
The issuer for the analytics-client and
analytics-server certificates. Communication between analytics subsystem pods fails
if there is a problem with this certificate.If you update this certificate, you must then update
the
analytics-client and analytics-server server certificates, and
then ensure that the following pods are restarted:
|
analytics-client or a7s-client |
analytics-ca |
Client certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. If this certificate is updated, then the |
analytics-server or a7s-server |
analytics-ca |
Server certificate used in communication between analytics subsystem
pods. Communication between analytics subsystem pods fails if there is a problem with this
certificate. Required DNS names within the SAN section are:
If this certificate is updated, then the
|
portal-ca or ptl-ca |
selfsigning-issuer |
The issuer for the portal-client and portal-server certificates. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-client or ptl-client |
portal-ca |
Client certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. This certificate is used by all portal pods. |
portal-server or ptl-server |
portal-ca |
Server certificate used in communication between portal subsystem pods. Communication between portal subsystem pods fails if there is a problem with this certificate. Required DNS names within the SAN section are:
<instance name>is truncated if more
than 15 characters.This certificate is used by all portal pods. |
devportal-ai-endpoint |
ingress-issuer |
Server certificate used on the Developer Portal ingestion
endpoint in the If this certificate is updated, restart the |
devportal-ca |
selfsigning-issuer |
The issuer for the devportal-client and devportal-server
certificates. Communication between the Developer Portal subsystem
pods fails if there is a problem with this certificate.If you update this certificate, you must
then update the
devportal-client and devportal-server server
certificates, and then ensure that the following pods are restarted:
|
devportal-client |
devportal-ca |
Client certificate used in communication between the Developer Portal subsystem
pods. Communication between the Developer Portal subsystem
pods fails if there is a problem with this certificate. If this certificate is updated, then the
|
devportal-server |
devportal-ca |
Server certificate used in communication between the Developer Portal subsystem
pods. Communication between the Developer Portal subsystem
pods fails if there is a problem with this certificate. Required DNS names within the SAN section
are:
If this certificate is updated, then the
|
fam-server |
fam-ca |
Server certificate used in communication between Federated API Management subsystem pods.
Communication between Federated API Management subsystem pods fails
if there is a problem with this certificate. Required DNS names within the SAN section
are:
If this certificate is updated, then the
|
wmapigateway-ca |
selfsigning-issuer |
he issuer for the WM API Gateway subsystems intra-subsystem certificates |
wmapigateway-client |
wmapigateway-ca |
Client certificate used in communication between WM API Gateway subsytem pods |
wmapigateway-server |
wmapigateway-ca |
Server certificate used in communication between WM API Gateway subsytem pods |
wmapigateway-mgmt-tls-secret |
ingress-issuer |
TLS certificate for the WM API Gateway proxy endpoint |
ngw-ca |
selfsigning-issuer |
The issuer for the nano gateway subsystems intra-subsystem certificates |
ngw-client |
ngw-ca |
Client certificate used in communication between nano gateway subsystem pods |
ngw-server |
ngw-ca |
Server certificate used in communication between nano gateway subsystem pods |
ngw-nanogw-analytics-collector-client |
ngw-ca |
Client certificate that is used by nano gateway to talk to the analytics collector service |
ngw-nanogw-analytics-collector-server |
ngw-ca |
Server certificate used by analytics collector service to startup |