Importing Certificates to the API Choreo Connect Truststore
For signature validation of JWTs and for connecting to external key manager endpoints, the public certificate of the external key manager must be added to the truststore of the Choreo Connect Enforcer.
Follow the steps below to add a new certificate to the Enforcer's trusted certificates.
Convert the public certificate to PEM format if it is not already in that format. For example, to convert a DER-encoded certificate:

```bash
openssl x509 -inform der -in public_certificate.cert -out certificate.pem
```
Add the certificate to the relevant component's resource folder.
For signature validation of JWTs, you need to add the public certificate of the Identity Provider to the truststore of the API Choreo Connect. Therefore, add the public certificate of the Identity Provider in PEM format to
Restart the component.

```bash
docker restart choreo-connect_enforcer_1
```
Adding a Certificate to Adapter Truststore
The trusted certificate location is configured as a volume mount for the Adapter in the docker-compose.yaml file, as shown below.

```yaml
volumes:
  - ../resources/adapter/security:/home/wso2/security
```

This mounts both the keystore and truststore locations into the container.
To add a new certificate to a Choreo Connect component, place the PEM-formatted certificate in the truststore location of that particular component.
For example, if a new certificate (for the Router, the Enforcer, or the control plane) needs to be added to the Adapter component:
- Convert the certificate to PEM format if it is not already in that format.
- Copy the PEM certificate into
- Restart the Adapter container.
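The two truststore procedures above (Enforcer and Adapter) as a small script, added here as an example and not part of the Choreo Connect project. It converts a DER certificate to PEM with Python's `ssl.DER_cert_to_PEM_cert` (the same result as the `openssl x509 -inform der` command above), checks that OpenSSL can actually parse the result before anything is written, refuses to add a certificate that is already present in the truststore under another file name, and writes the PEM file into the truststore directory you pass in. The truststore directory, the target file name and the container name are assumptions supplied by the caller; the page itself only shows the Adapter's host mount (`../resources/adapter/security`), so no component paths are hard-coded.

```python
"""Add a trusted certificate to a Choreo Connect component truststore.

Added example, not Choreo Connect code. Assumptions: the caller knows which
host directory docker-compose mounts as the component's truststore and which
container to restart; both are passed in as arguments.
"""
import hashlib
import pathlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def to_pem(cert_bytes: bytes) -> str:
    """Return the certificate as PEM text.

    DER input (binary ASN.1) is base64-wrapped by ssl.DER_cert_to_PEM_cert,
    equivalent to `openssl x509 -inform der`. PEM input is passed through with
    CRLF line endings normalised and anything outside the header/footer dropped.
    """
    try:
        text = cert_bytes.decode("ascii")
    except UnicodeDecodeError:
        text = ""  # binary data cannot be a PEM file
    if PEM_HEADER in text:
        start = text.index(PEM_HEADER)
        end = text.index(PEM_FOOTER) + len(PEM_FOOTER)
        return text[start:end].replace("\r\n", "\n") + "\n"
    return ssl.DER_cert_to_PEM_cert(cert_bytes)


def is_valid_certificate(pem: str) -> bool:
    """True if OpenSSL can parse the PEM text as an X.509 certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=pem)
    except (ssl.SSLError, ValueError):  # unparseable or empty data
        return False
    return True


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so the same certificate matches whatever its file name."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def find_duplicate(truststore_dir, pem: str):
    """Return an existing *.pem in truststore_dir with the same fingerprint, or None."""
    wanted = fingerprint(pem)
    for existing in sorted(pathlib.Path(truststore_dir).glob("*.pem")):
        try:
            if fingerprint(to_pem(existing.read_bytes())) == wanted:
                return existing
        except ValueError:
            continue  # not a single PEM certificate (bundle, key, junk); skip it
    return None


def install_trusted_cert(cert_path, truststore_dir, name: str) -> pathlib.Path:
    """Convert, validate, deduplicate and write <name>.pem into the truststore."""
    pem = to_pem(pathlib.Path(cert_path).read_bytes())
    if not is_valid_certificate(pem):
        raise ValueError(f"{cert_path} is not a parseable X.509 certificate")
    target_dir = pathlib.Path(truststore_dir)
    duplicate = find_duplicate(target_dir, pem)
    if duplicate is not None:
        raise FileExistsError(f"certificate is already trusted as {duplicate}")
    target = target_dir / f"{name}.pem"
    if target.exists():
        raise FileExistsError(f"{target} exists; pick another name")
    target.write_text(pem)
    return target


def restart_command(container: str) -> list:
    """The command to run once the file is in place, e.g. for choreo-connect_enforcer_1."""
    return ["docker", "restart", container]


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 4:
        sys.exit("usage: add_trusted_cert.py <cert.der|cert.pem> <truststore_dir> <name>")
    written = install_trusted_cert(sys.argv[1], sys.argv[2], sys.argv[3])
    print("wrote", written, "- now run:", " ".join(restart_command("<container>")))
```

Run it as `python add_trusted_cert.py <certificate> <truststore_dir> <name>` and then restart the component with `docker restart` as shown above. The duplicate check is there because a second copy of the same certificate under a different name changes nothing about what the component trusts but makes later clean-up of the truststore harder.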
Changing the Private Certificate of a Component
If you need to change the private certificate of a component, follow the steps below.
Generate a new key pair for the component.
Copy the private key and the certificate (both in PEM format) into
For example, to change the certificate of the Adapter component, copy the new certificate to
If the certificate or key file name is changed, edit the corresponding configuration in the
<CHOREO-CONNECT_HOME>/docker-compose/choreo-connect or choreo-connect-with-apim/conf/config.toml file. Otherwise, use the same name as
mg.key for the new certificate and key.
Copy the public certificate (in PEM format) into the truststore of each of the other two components.
For example, copy the certificate to
Restart the components.