Dynamic SSL Certificate Installation
If you have a backend with a self-signed certificate or a certificate which is not signed by a Certification Authority (CA), you generally would need to import the certificate to the client-truststore and restart the server, which is cumbersome. However, if you enable dynamic SSL certificate installation on WSO2 API Manager, you can simply upload the backend certificate via the API Publisher while creating or editing your API without having to manually upload the certificate for the endpoint. Follow the steps below to add a new certificate to any endpoint. Note that this feature only supports HTTP/REST and HTTP/SOAP endpoints.
Prerequisites
- If you are an existing user, follow the instructions given below.
  Run the scripts inside the <API-M_HOME>/dbscripts/apimgt directory, according to your preferred database. For instructions on configuring databases, see Set up the database. Verify that the table AM_CERTIFICATE_METADATA has been created in your database.
The configuration for PassThroughHttpSSLSender is available by default in the <API-M_HOME>/repository/conf/axis2/axis2.xml file as shown below.
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
    ...
    <!-- ============================================== -->
    <!-- Configuration for Dynamic SSL Profile loading. -->
    <!-- Configured for 10 mins. -->
    <!-- ============================================== -->
    <parameter name="dynamicSSLProfilesConfig">
        <filePath>repository/resources/security/sslprofiles.xml</filePath>
        <fileReadInterval>600000</fileReadInterval>
    </parameter>
</transportSender>
The default time to apply the certificate is 10 minutes. You can configure this by changing the <fileReadInterval> parameter. Note that the time is given in milliseconds.
If you use a different Trust Store/Keystore configuration in the axis2.xml or carbon.xml files, modify the KeyStore and TrustStore location in the <API-M_HOME>/repository/resources/security/sslprofiles.xml file accordingly. The sslprofiles.xml file is configured with the existing client-truststore.jks.
This feature currently supports only the following formats for keystores and certificates.
- Keystore: .jks
- Certificate: .crt
If you need to use a certificate in any other format, you can convert it using a standard tool before uploading.
After configuring, the certificate will be added to the Gateway nodes which are defined under the Environments in api-manager.xml. In a clustering setup, as gateway configurations are identical, sync the <API-M_HOME>/repository/resources/security/sslprofiles.xml and <API-M_HOME>/repository/resources/security/client-truststore.jks files among the gateway nodes. After the configured interval, the synapse transport will be reloaded in all the gateway nodes.
Adding a certificate
- Log in to the API Publisher. Create a new API or edit an existing API.
- Go to the Implement tab. Click Manage Certificates and click Add New Certificate.
  Enter the following information and click Upload.

  | Name | Description |
  |------|-------------|
  | Alias | Enter a name for your certificate. |
  | Endpoint | Select an endpoint from the dropdown list. |
  | Certificate | Enter the location of your certificate file or click Browse to select through the UI. |

- The uploaded certificate aliases will be displayed.
- You can repeat from step 2 to add a certificate to the sandbox endpoint.
You can add only one certificate per endpoint. Make sure that your certificates have not expired.
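A pre-upload check for the two requirements stated above (the .crt certificate format and a certificate that has not expired), as an added example that is not part of the WSO2 documentation or product. It assumes the openssl CLI is installed; the function names to_pem_crt and check_backend_cert and the file names are hypothetical.

```bash
# Added example: pre-upload checks for a backend certificate (not WSO2 code).
# Assumes the openssl CLI is on PATH; both function names are hypothetical.

# to_pem_crt IN OUT
# Write IN (PEM or DER encoded X.509) to OUT as a PEM-encoded .crt file.
# Returns 2 if IN is not a certificate in either encoding.
to_pem_crt() {
  openssl x509 -in "$1" -inform PEM -outform PEM -out "$2" 2>/dev/null ||
  openssl x509 -in "$1" -inform DER -outform PEM -out "$2" 2>/dev/null ||
  { rm -f "$2"; echo "not an X.509 certificate: $1" >&2; return 2; }
}

# check_backend_cert CRT [MIN_DAYS]
# Returns 1 if CRT is expired or cannot be read, 3 if it expires within
# MIN_DAYS (default 30); otherwise prints the subject, the expiry date and
# the SHA-256 fingerprint and returns 0.
check_backend_cert() {
  min_days="${2:-30}"
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "expired or unreadable: $1" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1 ||
    { echo "expires within $min_days days: $1" >&2; return 3; }
  openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Typical use before uploading through the API Publisher (placeholder paths):
#   to_pem_crt backend-cert.der backend.crt && check_backend_cert backend.crt 30
```

Compare the printed SHA-256 fingerprint with the value supplied by the backend owner before uploading, because the uploaded certificate becomes trusted by the Gateway.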
Deleting a certificate
To delete a certificate, click the icon adjacent to the certificate, as shown below.