This topic explains how to create self-signed TLS certificates for use in an
environment configuration. This information is intended for trial or testing
purposes only.
The runtime ingress gateway (the gateway that handles API proxy traffic) requires
a TLS certificate/key pair. For this quickstart installation, you can use self-signed
credentials. In the following steps, openssl is used
to generate the credentials.
Be sure that you are in the base_directory/hybrid-files directory.
It was suggested in the installation quickstart that you create a hybrid-files
directory to contain files that you create. Your file structure may differ from the suggested
structure.
Execute the following command from inside hybrid-files directory, where
./certs is the directory containing your certificates.
This command creates a self-signed certificate/key pair that you can use for the
quickstart installation. The CN mydomain.net can be any value you wish for
the self-signed credentials.
Check to make sure the files are in the ./certs directory:
ls ./certs
keystore.pem
keystore.key
Where keystore.pem is the self-signed TLS certificate file and keystore.key
is the key file.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe provided content is for creating self-signed TLS certificates, strictly for trial or testing, and strongly not for production environments.\u003c/p\u003e\n"],["\u003cp\u003eA TLS certificate/key pair is required for the runtime ingress gateway, and for the purposes of a quickstart installation, self-signed credentials are used.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eopenssl\u003c/code\u003e tool is used to generate the self-signed certificate/key pair within the \u003ccode\u003ehybrid-files\u003c/code\u003e directory, as demonstrated by the provided \u003ccode\u003eopenssl\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eThe generated certificate is named \u003ccode\u003ekeystore.pem\u003c/code\u003e, while the key file is named \u003ccode\u003ekeystore.key\u003c/code\u003e, and both should be found in the \u003ccode\u003e./certs\u003c/code\u003e directory after running the command.\u003c/p\u003e\n"],["\u003cp\u003eThe version 1.6 of the Apigee hybrid documentation that you are reading is at the end of its life cycle, and you should upgrade to a newer version.\u003c/p\u003e\n"]]],[],null,["# Generate self-signed TLS credentials\n\n| You are currently viewing version 1.6 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to create self-signed TLS certificates for use in an\nenvironment configuration. This information is intended for trial or testing\npurposes only.\n| **Warning:** Self-signed certificates are not recommended for production. Only consider using them for development, trial, or testing purposes.\n\n\nThe runtime ingress gateway (the gateway that handles API proxy traffic) requires\na TLS certificate/key pair. For this quickstart installation, you can use self-signed\ncredentials. In the following steps, [openssl](https://www.openssl.org/) is used\nto generate the credentials.\n\n1. Be sure that you are in the \u003cvar translate=\"no\"\u003ebase_directory\u003c/var\u003e`/hybrid-files` directory. It was suggested in the installation quickstart that you create a `hybrid-files` directory to contain files that you create. Your file structure may differ from the suggested structure.\n2. Execute the following command from inside `hybrid-files` directory, where `./certs` is the directory containing your certificates. \n\n ```\n openssl req -nodes -new -x509 -keyout ./certs/keystore.key -out \\\n ./certs/keystore.pem -subj '/CN=mydomain.net' -days 3650\n ```\n\n\n This command creates a self-signed certificate/key pair that you can use for the\n quickstart installation. The CN `mydomain.net` can be any value you wish for\n the self-signed credentials.\n3. Check to make sure the files are in the `./certs` directory: \n\n ls ./certs\n keystore.pem\n keystore.key\n\n\n Where `keystore.pem` is the self-signed TLS certificate file and `keystore.key`\n is the key file."]]
