kubernetes-apim
Configuring certificates for external HTTPS
I would appreciate guidance on proper configuration to support installation of a CA-signed certificate for external HTTPS connections. I am restricted to generating CA-signed certificates for a given subdomain, say *.someorganization.org. So this certificate isn't valid for the *.wso2.svc hostnames that are used for internal connections between the Kubernetes pods. So it seems that I should use my CA-signed certificate for the external facing HTTPS connections (e.g. the API gateway, store, publisher, Carbon admin) and use the *.wso2.svc certificate for connections internal to the OpenShift / Kubernetes network.
Is this possible?
By the way, previously I had been using a re-encrypted route to provide my external HTTPS certificates rather than passthrough SSL; however, this seems to have broken with the latest wso2carbon.jks keystore (even when I provide the new wso2carbon certificate as the destination CA certificate).
I ended up punting on configuring APIM to use my SSL cert, instead replacing the passthrough SSL termination with re-encrypt termination so that APIM could use a self-signed certificate. All in all, this seems easier than changing the APIM configuration.
I should add that the recently updated wso2carbon.jks keystore (9e82bf8da751d920ac5494e327d02ebaf49e1785) doesn't seem to work with re-encrypt termination (the previous wso2carbon.jks does). The new certificate is missing an Issuer field.
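For readers following the thread, a sketch of the re-encrypt setup described in the comments above, as an added example that is not part of the original posts or the project's manifests. The route name, host, service name and target port are assumptions, and the PEM bodies are placeholders.

```yaml
# Added example. Hypothetical names: wso2apim-gateway, wso2apim-gateway-service,
# gateway.someorganization.org. Port 8243 is an assumption about the backend
# HTTPS port exposed by the service.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: wso2apim-gateway
spec:
  # External hostname, covered by the CA-signed *.someorganization.org certificate.
  host: gateway.someorganization.org
  to:
    kind: Service
    name: wso2apim-gateway-service
  port:
    targetPort: 8243
  tls:
    # The router terminates the client's TLS session with the CA-signed
    # certificate, then opens a new TLS session to the pod.
    termination: reencrypt
    insecureEdgeTerminationPolicy: Redirect
    certificate: |
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: CA-signed certificate for *.someorganization.org>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      <PLACEHOLDER: private key for the certificate above>
      -----END PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: issuing CA chain for the external certificate>
      -----END CERTIFICATE-----
    # The router validates the certificate presented by the pod against this
    # value. For a self-signed backend certificate, this is that certificate
    # itself, exported from the keystore in PEM form.
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: PEM export of the certificate in wso2carbon.jks>
      -----END CERTIFICATE-----
```

With this layout the pods keep the internal certificate, and only the route carries the CA-signed one.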
@HolySamosa,
Are you using OpenShift?
Regards, Fábio Sbano