Just like when it comes to making API requests and working with responses, Postman aims to give you greater control when it comes to configuring API encryption, which is now a standard part of API operations in 2020. Encryption is pushing API providers to leverage Transport Layer Security (TLS) to secure the data, content, and other resources that are being passed back and forth during each API request and response. And since TLS is dependent on Secure Sockets Layer (SSL) certificates to encrypt traffic, developers need solutions for yet another layer of potential friction.
In order to help with this, Postman provides visibility and control over TLS and the certificates that enable it: You can add, edit, and remove certificates, and troubleshoot some of the most common SSL problems encountered when putting APIs to work.
Managing certificates in Postman
Certificates are issued per domain, and you will need to have one of the following:
CA Certificate: A certificate issued by a trusted certificate authority
Self-Signed Certificate: A certificate not signed by a certificate authority
As the name suggests, CA certificates enable encryption with more security properties than self-signed certificates. You can manage CA certificates in Postman by simply going to the master Settings pane in the desktop or web version of the platform and clicking on the Certificates tab. If you have access to the CA certificate for a domain, you can upload the .pem file into Postman, allowing you to have more control over the encryption chain for the API calls you are making within each domain.
In addition to CA certificates, Postman lets you define and upload self-signed client certificates using the same Certificates tab used for CA certificates. You can configure the domain, certificate files, and passphrase so that you have full control over SSL/TLS security of the APIs you are using.
Note: You can’t edit a certificate after it’s been added. In order to renew or change a certificate, you’ll need to remove and re-add the certificate. Once you have your certificate installed, you can begin making encrypted calls to an API within that domain.
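Since a certificate can't be edited once it has been added, it helps to check what a .pem file actually contains before uploading it. The following is an added example, not code from Postman: it classifies the PEM blocks in a file, flags a private key that has ended up inside a CA file, and reports whether a key is encrypted and will therefore need the passphrase field. The role names and the sample data are assumptions made for this example.

```javascript
// Added example: sanity-check PEM files before adding them in Postman's
// Certificates tab. Role names and sample data are assumptions made here.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----\r?\n([\s\S]*?)-----END \1-----/g;

// Return one record per PEM block: its label and whether it is a cert or key.
function inspectPem(text) {
  return [...text.matchAll(PEM_BLOCK)].map(([, label, body]) => {
    const isKey = label.endsWith('PRIVATE KEY');
    // PKCS#8 encrypted keys have their own label; legacy (OpenSSL traditional)
    // encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header.
    const encrypted = isKey &&
      (label === 'ENCRYPTED PRIVATE KEY' || /^Proc-Type: 4,ENCRYPTED/m.test(body));
    return { label, isCert: label === 'CERTIFICATE', isKey, encrypted };
  });
}

// role is 'ca', 'client-cert' or 'client-key' (hypothetical labels).
function checkUpload(role, text) {
  const blocks = inspectPem(text);
  const certs = blocks.filter(b => b.isCert);
  const keys = blocks.filter(b => b.isKey);
  const problems = [];
  if (blocks.length === 0) problems.push('no PEM blocks found');
  if (role !== 'client-key' && blocks.length && certs.length === 0)
    problems.push('no CERTIFICATE block');
  if (role === 'ca' && keys.length)
    problems.push('private key inside CA file');
  if (role === 'client-key' && blocks.length && keys.length !== 1)
    problems.push('expected exactly one private key');
  return { problems, needsPassphrase: keys.some(k => k.encrypted) };
}

// Constructed placeholders: the base64 bodies are not real certificates or keys.
const B64 = 'Q09OU1RSVUNURUQ=';
const pem = (label, extra = '') =>
  `-----BEGIN ${label}-----\n${extra}${B64}\n-----END ${label}-----\n`;
const SAMPLES = {
  caBundle: pem('CERTIFICATE') + pem('CERTIFICATE'),
  caWithKey: pem('CERTIFICATE') + pem('PRIVATE KEY'),
  pkcs8Encrypted: pem('ENCRYPTED PRIVATE KEY'),
  legacyEncrypted: pem('RSA PRIVATE KEY',
    'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n'),
  plainKey: pem('EC PRIVATE KEY'),
};

for (const [name, text] of Object.entries(SAMPLES)) {
  const role = name.startsWith('ca') ? 'ca' : 'client-key';
  console.log(name, JSON.stringify(checkUpload(role, text)));
}
```

This only inspects the PEM framing; it does not validate the certificate chain, the domain, or the expiry date.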
For further visibility, Postman’s Network information icon provides helpful details about what is working or not working when it comes to the TLS dimension of making API calls.
Postman Chief Evangelist Kin Lane helps our community see the larger API landscape and better understand how Postman supports developers to be more successful across the modern API lifecycle.