Skip to main content

Version: 3.2.3.x

SSL Certificates

In this document, you will learn the basic concept of SSL certificate objects in API7 Enterprise Edition and scenarios where you may need them, including configuring TLS or mTLS between client applications, API7 Enterprise Edition, and upstream servers. You will go over the basics of SSL/TLS at the beginning to help further understanding when to use SSL certificate objects in API7 Enterprise Edition.


TLS (Transport Layer Security), being the successor to SSL (Secure Sockets Layer) protocol, is a cryptographic protocol designed to secure communication between two parties, such as a web browser and a web server. It is implemented on top of an existing protocol, such as HTTP or TCP, to provide an additional layer of security by establishing a connection through a TLS handshake and encrypting data transmission.

The following is a high-level overview of the one-way TLS handshake in TLS v1.2 and TLS v1.3—the two most commonly used TLS versions:

TLS Handshake for TLS v1.2 and TLS v1.3

During this process, the server authenticates itself to the client by presenting its certificate. The client verifies the certificate to ensure that it is valid and issued by a trusted authority. Once the certificate has been verified, the client and server agree on a shared secret, which is used to encrypt and decrypt the application data.

API7 Enterprise Edition also supports mutual TLS, or mTLS, where client also authenticates itself to the server by presenting its certificate, effectively creating a two-way TLS connection. This ensures that both parties are authenticated and helps prevent network attacks like man-in-the-middle.

To enable TLS or mTLS in your system with API7 Enterprise Edition, you should generate and configure certificates in the appropriate places, such as on client applications, API7 Enterprise Edition, and/or upstream servers. For configuration on the API7 Enterprise Edition side, an SSL certificate object may be required, depending on the segment of communication you want to secure:

Client Application -- API7 EERequiredRequired
API7 EE -- Service UpstreamNot RequiredOptional Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.


API7 Cloud

SOC2 Type IRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation