This topic explains how to create self-signed TLS certificates for use in an
environment configuration. This information is intended for trial or testing
purposes only.
The runtime ingress gateway (the gateway that handles API proxy traffic) requires
a TLS certificate/key pair. For this quickstart installation, you can use self-signed
credentials. In the following steps, openssl is used
to generate the credentials.
Execute the following command to create the certificate and key files. The certificate files
will most likely have .crt or .pem extensions and the key file will most likely
have .key.
This command creates a self-signed certificate/key pair that you can use for the
quickstart installation. The CN mydomain.net can be any value you wish for
the self-signed credentials.
Check to make sure the files are in the ./certs directory:
ls ./certs
keystore.pem
keystore.key
Where keystore.pem is the self-signed TLS certificate file and keystore.key
is the key file.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document explains how to create self-signed TLS certificates for trial or testing environments, which are not recommended for production use.\u003c/p\u003e\n"],["\u003cp\u003eThe runtime ingress gateway requires a TLS certificate/key pair, and self-signed credentials can be used for quickstart installations.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eopenssl\u003c/code\u003e command is used to generate self-signed certificate and key files, which should preferably be stored in the \u003ccode\u003ehybrid-files/certs\u003c/code\u003e directory if using \u003ccode\u003eapigeectl\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eA sample \u003ccode\u003eopenssl\u003c/code\u003e command is provided to generate the certificate/key pair, with the ability to customize the Common Name (CN) value, and it will create two files, \u003ccode\u003ekeystore.pem\u003c/code\u003e (certificate) and \u003ccode\u003ekeystore.key\u003c/code\u003e (key).\u003c/p\u003e\n"]]],[],null,["# Generate self-signed TLS credentials\n\n| You are currently viewing version 1.11 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to create self-signed TLS certificates for use in an\nenvironment configuration. This information is intended for trial or testing\npurposes only.\n| **Warning:** Self-signed certificates are not recommended for production. Only consider using them for development, trial, or testing purposes.\n\n\nThe runtime ingress gateway (the gateway that handles API proxy traffic) requires\na TLS certificate/key pair. For this quickstart installation, you can use self-signed\ncredentials. In the following steps, [openssl](https://www.openssl.org/) is used\nto generate the credentials.\n\n 1. Execute the following command to create the certificate and key files. The certificate files will most likely have `.crt` or `.pem` extensions and the key file will most likely have `.key`. **Note:** If you are using `apigeectl` to install and manage Apigee hybrid, we recommend storing the certificate and key files in your \u003cvar translate=\"no\"\u003ehybrid-files\u003c/var\u003e`/certs` directory. \n\n ```\n openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \\\n ./certs/keystore.pem -subj '/CN=mydomain.net' -days 3650\n ```\n\n\n This command creates a self-signed certificate/key pair that you can use for the\n quickstart installation. The CN `mydomain.net` can be any value you wish for\n the self-signed credentials.\n2. Check to make sure the files are in the `./certs` directory: \n\n ls ./certs\n keystore.pem\n keystore.key\n\n\n Where `keystore.pem` is the self-signed TLS certificate file and `keystore.key`\n is the key file."]]
