How to change OCI API Gateway Hostname and attach custom SSL certificate

This article aims to create a custom hostname for the API Gateway and its deployments. The first step is to create a custom DNS zone and record pointing to the API Gateway. Secondly, we must issue a certificate (e.g., ZeroSSL) and import it into the OCI Certificate service. Once the certificate is ready, we must modify API Gateway and associate the correct certificate.

Demo architecture is reused from How to Serve Website Static Files from the OCI Object Storage, which serves as a prerequisite for this article.

API Gateway needs to be created in a public subnet, and appropriate ports must be opened in the related Ingress Security List. If you plan to use HTTPS, port 443 needs to be opened in the appropriate Security List.

Let’s create a public DNS zone. Ensure you have configured your domain in the domain registry (e.g., GoDaddy, Namecheap, etc.) to point on OCI nameservers. In my example, I’ve configured ivandelic.com to point to OCI nameservers. Now create a public zone on OCI.

Add A record containing the IP address of the API Gateway to the freshly created zone. I’ve added A record with name www. The record points to the IP address within the RDATA field.

Once you have configured a custom hostname for the API gateway through a new DNS zone record, you must issue an appropriate SSL certificate with a custom DNS record. You can use a wide range of SSL providers to get the certificate. I used ZeroSSL with free 90-day validity. I stored two DNS records in the certificate (www.ivandelic.com and ivandelic.com).

You need to prove that you are the owner of the DNS zone. You can do it by validating the DNS record or any alternative way. Follow the challenge provided by ZeroSSL and create a custom CNAME record in your DNS zone. ZeroSSL will verify the existence of the record in the DNS, and if successful, you will get a certificate bundle.

Once you return to the OCI console, select the custom DNS zone you have created in the previous chapter. Add a CNAME record with a specific RDATA target provided as a challenge in the ZeroSSL console. Save the zone and publish the changes.

Once your zone is published and updated, you can verify the domain in the ZeroSSL console. It will take up to a few minutes to successfully validate the domain.

Once you have generated your SSL certificate, you must bring it to the OCI Certificate service. The service will store the certificate securely, making it available for the other services. In our example, API Gateway will leverage imported certificates to protect custom hostnames with SSL.

Once the SSL certificate is uploaded, you will see a confirmation page with one version installed.

Now it’s time to configure the API Gateway certificate by editing API Gateway. Select the freshly imported certificate and save the changes.

You are ready to these the new hostname with the appropriate SSL certificate.

Open the custom hostname in the browser. You will get the response from the API gateway. In my example, I used index.hml suffix to get the web page served from the Object Storage explained in the referenced article.

Congratulations, you implemented a custom hostname for the API Gateway and protected it with a custom SSL certificate. You could use different DNS and SSL providers and similarly configure them.

Related posts:

Ronald connected with Lily on a dating app. He had been immediately attracted to her when he came across her profile. She put a lot of geeky jokes in her profile that he instantly understood and…