Managing Endpoint Certificates
If your API backend is secured with a self-signed certificate (or a certificate that is not signed by a CA), you need to import the backend certificate into the API Manager (Gateway) client-truststore and restart the server. This feature lets you upload the backend certificate through the API Publisher while creating or editing your API, without restarting the server.
Follow the steps below to add a certificate to an endpoint:
Note that this feature supports only HTTP/REST and HTTP/SOAP endpoints.
Modify the Endpoint Certificates configuration by adding the following config section to the <API-M_HOME>/repository/conf/deployment.toml file, as shown below.
[transport.passthru_https.sender.ssl_profile]
interval = 600000
| Configuration Parameter | Description |
|---|---|
| interval | The time taken to load the newly added certificate, in milliseconds. Default: 10 mins (600000 ms). Minimum interval: 60000 ms (1 min). |
If you use a different Trust Store/Keystore configuration and define it in the [transport.passthru_https.sender] section within the deployment.toml file, make sure to modify the KeyStore and TrustStore location in the <API-M_HOME>/repository/resources/security/sslprofiles.xml file accordingly as well. The sslprofiles.xml file is configured with the default
This feature currently supports only the following keystore and certificate types.
- Keystore :
- Certificate :
If you need to use a certificate in any other format, you can convert it to .crt/.cert using a standard tool before uploading.
The certificate will be added to the Gateway nodes which are defined under the [[apim.gateway.environment]] section in the
In a clustered setup, as the Gateway configurations are identical, sync the <API-M_HOME>/repository/resources/security/sslprofiles.xml file and the <API-M_HOME>/repository/resources/security/client-truststore.jks file among the Gateway nodes in the cluster. After the configured interval, the Synapse transport will be reloaded in all the Gateway nodes.
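One way to verify the sync described above, as an added example that is not part of the product or its documentation: it hashes the two files on every node and reports any node whose copy is missing or differs. It assumes each node's <API-M_HOME> is reachable as a local directory (a mount or a fetched copy); the node names, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the page says to sync across Gateway nodes, relative to <API-M_HOME>.
SYNCED_FILES = (
    "repository/resources/security/sslprofiles.xml",
    "repository/resources/security/client-truststore.jks",
)

def sha256_of(path):
    """Hash a file in chunks so a large truststore is not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_drift(node_homes):
    """node_homes maps a node name to a local copy or mount of its <API-M_HOME>.

    Returns {relative_file: {sha256_or_"MISSING": [node names]}} for each
    synced file that is absent somewhere or not byte-identical everywhere.
    """
    drift = {}
    for rel in SYNCED_FILES:
        groups = {}
        for name in sorted(node_homes):
            path = Path(node_homes[name]) / rel
            key = sha256_of(path) if path.is_file() else "MISSING"
            groups.setdefault(key, []).append(name)
        if len(groups) > 1 or "MISSING" in groups:
            drift[rel] = groups
    return drift

def demo():
    """Constructed sample: gw2 never received the updated truststore."""
    root = Path(tempfile.mkdtemp())
    contents = {"gw1": b"truststore-v2", "gw2": b"truststore-v1"}  # placeholder bytes
    homes = {}
    for node, jks in contents.items():
        sec = root / node / "repository/resources/security"
        sec.mkdir(parents=True)
        (sec / "sslprofiles.xml").write_bytes(b"<parameter/>")  # identical on both
        (sec / "client-truststore.jks").write_bytes(jks)
        homes[node] = root / node
    return find_drift(homes)

if __name__ == "__main__":
    for rel, groups in demo().items():
        print("DRIFT", rel)
        for digest, nodes in groups.items():
            print("  ", digest[:16], ", ".join(nodes))
```

A node that still holds an older truststore does not trust a newly uploaded backend certificate after the reload, so an empty result from `find_drift` is the state to expect once the sync has completed.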
Adding a Certificate for an Endpoint
Sign in to the API Publisher.
Create a new API or click on an existing API.
Enter the following information and click Save.
| Name | Description |
|---|---|
| Alias | Enter a name for your certificate. |
| Endpoint | Select an endpoint from the dropdown list. |
| Certificate | Drag and drop the certificate file or click on the drop zone to select the certificate via the UI. |
The uploaded certificate will be displayed.
If required, repeat step 3 onwards to add certificates to the other endpoints.
Check Certificate Information
You can check the certificate information (i.e., status and subject DN).
Click on the info icon that corresponds to the respective certificate to view the certificate information.
The selected certificate details appear.
Deleting a certificate
Click on the delete icon that corresponds to the respective certificate to delete a certificate.