This topic explains how to create self-signed TLS certificates for use in an
environment configuration. This information is intended for trial or testing
purposes only.

Warning: Self-signed certificates are not recommended for production. Only consider using them for development, trial, or testing purposes.

You are currently viewing version 1.12 of the Apigee hybrid documentation. This version is end of life. You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions). Last updated 2025-08-29 UTC.

The runtime ingress gateway (the gateway that handles API proxy traffic) requires
a TLS certificate/key pair. For this quickstart installation, you can use self-signed
credentials. In the following steps, [openssl](https://www.openssl.org/) is used
to generate the credentials.

1. Navigate to your HELM_CHARTS_HOME`/apigee-virtualhost/` chart directory
   and execute the following command to create the certificate and key files. The certificate files
   will most likely have `.crt` or `.pem` extensions and the key file will most likely
   have `.key`.

   Note: We recommend storing the certificate and key files in your
   HELM_CHARTS_HOME`/apigee-virtualhost/` chart directory.

   ```
   openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \
   ./certs/keystore.pem -subj '/CN=mydomain.net' -days 3650
   ```

   This command creates a self-signed certificate/key pair that you can use for the
   quickstart installation. The CN `mydomain.net` can be any value you wish for
   the self-signed credentials.

2. Check to make sure the files are in the `./certs` directory:

   ```
   ls ./certs
   keystore.pem
   keystore.key
   ```

   Where `keystore.pem` is the self-signed TLS certificate file and `keystore.key`
   is the key file.
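
The `ls` check above only shows that the two files exist. The shell functions below are an added example, not part of the Apigee documentation: they confirm that `keystore.key` actually belongs to `keystore.pem`, that the certificate has not expired, and that the unencrypted key is not readable by other users. The function names and the script name `check_certs.sh` are hypothetical, and the sample pair is constructed with the openssl command from this page.

```shell
#!/bin/sh
# Added example (not from the Apigee docs): checks for a certificate/key pair
# such as ./certs/keystore.pem and ./certs/keystore.key.

# True if the certificate's public key is the one derived from the private key.
pair_matches() {            # usage: pair_matches CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True if subject and issuer are identical, i.e. the certificate is self-signed.
is_self_signed() {          # usage: is_self_signed CERT
    subj=$(openssl x509 -in "$1" -noout -subject) || return 2
    iss=$(openssl x509 -in "$1" -noout -issuer) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# True if the key file is not readable by group or others. The -nodes option
# leaves the key unencrypted, so file permissions are its only protection.
key_is_private() {          # usage: key_is_private KEY
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Run every check; returns non-zero if any hard check fails.
check_credentials() {       # usage: check_credentials CERT KEY
    rc=0
    pair_matches "$1" "$2" ||
        { echo "FAIL: key does not match certificate" >&2; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; rc=1; }
    key_is_private "$2" ||
        { echo "FAIL: key is group/world readable; run chmod 600" >&2; rc=1; }
    if is_self_signed "$1"; then echo "NOTE: self-signed certificate" >&2; fi
    return "$rc"
}

# Constructed sample: a throwaway pair made with the command from this page.
# mkdir -p is added because openssl does not create the output directory.
make_sample_pair() {        # usage: make_sample_pair DIR CN
    mkdir -p "$1" &&
    openssl req -nodes -new -x509 -keyout "$1/keystore.key" \
        -out "$1/keystore.pem" -subj "/CN=$2" -days 3650 2>/dev/null &&
    chmod 600 "$1/keystore.key"
}

# Usage: sh check_certs.sh ./certs/keystore.pem ./certs/keystore.key
if [ "$#" -eq 2 ]; then check_credentials "$1" "$2"; fi
```

A mismatched pair typically surfaces only when the gateway fails to serve TLS, so running the check right after generation catches a stale key left over from an earlier attempt.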