This topic explains how to create self-signed TLS certificates for use in an
environment configuration. This information is intended for trial or testing
purposes only.
The runtime ingress gateway (the gateway that handles API proxy traffic) requires
a TLS certificate/key pair. For this quickstart installation, you can use self-signed
credentials. In the following steps, openssl is used
to generate the credentials.
Be sure that you are in the BASE_DIRECTORY/hybrid-files directory.
It was suggested in the installation quickstart that you create a hybrid-files
directory to contain files that you create. Your file structure may differ from the suggested
structure.
Execute the following command from inside hybrid-files directory, where
./certs is the directory containing your certificates.
This command creates a self-signed certificate/key pair that you can use for the
quickstart installation. The CN mydomain.net can be any value you wish for
the self-signed credentials.
Check to make sure the files are in the ./certs directory:
ls ./certs
keystore.pem
keystore.key
Where keystore.pem is the self-signed TLS certificate file and keystore.key
is the key file.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document guides you through creating self-signed TLS certificates for trial or testing environments using OpenSSL.\u003c/p\u003e\n"],["\u003cp\u003eSelf-signed certificates generated with these instructions should not be used in production, only for development, trial, or testing purposes.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves running an OpenSSL command to generate a certificate/key pair within the designated \u003ccode\u003ehybrid-files\u003c/code\u003e directory, typically named \u003ccode\u003ekeystore.pem\u003c/code\u003e and \u003ccode\u003ekeystore.key\u003c/code\u003e which is placed into a certs folder.\u003c/p\u003e\n"],["\u003cp\u003eVersion 1.2 of the Apigee hybrid documentation, which you are currently viewing, is end-of-life, and it is recommended to upgrade to a newer version.\u003c/p\u003e\n"]]],[],null,["# Generate self-signed TLS credentials\n\n| You are currently viewing version 1.2 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n| **More Information** \n|\n| For more information, see:\n|\n| - [About environments and environment groups](/apigee/docs/api-platform/fundamentals/environments-overview)\n\n\nThis topic explains how to create self-signed TLS certificates for use in an\nenvironment configuration. This information is intended for trial or testing\npurposes only.\n| **Warning:** Self-signed certificates are not recommended for production. Only consider using them for development, trial, or testing purposes.\n\n\nThe runtime ingress gateway (the gateway that handles API proxy traffic) requires\na TLS certificate/key pair. For this quickstart installation, you can use self-signed\ncredentials. In the following steps, [openssl](https://www.openssl.org/) is used\nto generate the credentials.\n\n1. Be sure that you are in the \u003cvar translate=\"no\"\u003eBASE_DIRECTORY\u003c/var\u003e`/hybrid-files` directory. It was suggested in the installation quickstart that you create a `hybrid-files` directory to contain files that you create. Your file structure may differ from the suggested structure.\n2. Execute the following command from inside `hybrid-files` directory, where `./certs` is the directory containing your certificates. \n\n ```\n openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \\\n ./certs/keystore.pem -subj '/CN=mydomain.net' -days 3650\n ```\n\n\n This command creates a self-signed certificate/key pair that you can use for the\n quickstart installation. The CN `mydomain.net` can be any value you wish for\n the self-signed credentials.\n3. Check to make sure the files are in the `./certs` directory: \n\n ls ./certs\n keystore.pem\n keystore.key\n\n\n Where `keystore.pem` is the self-signed TLS certificate file and `keystore.key`\n is the key file."]]
