This step explains how to create the TLS credentials
that are required for Apigee hybrid to operate.
Create TLS certificates
You are required to provide TLS certificates for the runtime ingress gateway in your
Apigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),
the runtime gateway can accept self-signed credentials. In the following steps,
openssl is used to generate the self-signed credentials.
In this step, you will create the TLS credential files and add them to
the $HYBRID_FILES/certs directory.
In
Step 6: Configure the cluster, you will add the file paths to the cluster
configuration file.
Execute the following command to create the credential files and store them in your
$HYBRID_FILES/certs directory:
DOMAIN is the domain you provided as the hostname for the environment
group you created in Create an environment group.
ENV_GROUP is the name of the environment group where the domain is specified
as a hostname. It's a good practice to include the environment group name in the key and keystore
name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.
This command creates a self-signed certificate/key pair that you can use for the quickstart
installation.
If you have additional environment groups with unique domain names, repeat this step
for each environment group. You will reference these groups and certificates in the cluster
configuration step.
Check to make sure the files are in the $HYBRID_FILES/certs directory using the following command:
ls $HYBRID_FILES/certs
keystore_ENV_GROUP.key
keystore_ENV_GROUP.pem
Where keystore_ENV_GROUP.pem is the self-signed TLS certificate file and keystore_ENV_GROUP.key
is the key file.
You now have the credentials needed to manage Apigee hybrid
in your Kubernetes cluster. Next, you will create a file that is used by Kubernetes
to deploy the hybrid runtime components to the cluster.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation outlines the process of creating TLS credentials necessary for the Apigee hybrid runtime ingress gateway, emphasizing that self-signed credentials are sufficient for non-production trial installations.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eopenssl\u003c/code\u003e tool is used to generate the self-signed TLS certificate and key pair, which are stored in the \u003ccode\u003e$HYBRID_FILES/certs\u003c/code\u003e directory.\u003c/p\u003e\n"],["\u003cp\u003eThe created TLS certificate files are named \u003ccode\u003ekeystore_ENV_GROUP.pem\u003c/code\u003e and \u003ccode\u003ekeystore_ENV_GROUP.key\u003c/code\u003e, where \u003ccode\u003eENV_GROUP\u003c/code\u003e represents the environment group, and the \u003ccode\u003eDOMAIN\u003c/code\u003e parameter is the hostname for the environment group.\u003c/p\u003e\n"],["\u003cp\u003eFor production environments, signed certificates are required, and the documentation references an example using the Lets Encrypt certificate authority.\u003c/p\u003e\n"],["\u003cp\u003eIf there are multiple environments with different domains, this process needs to be repeated for each environment group.\u003c/p\u003e\n"]]],[],null,["# Step 5: Create TLS certificates\n\n| You are currently viewing version 1.11 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to create the TLS credentials\nthat are required for Apigee hybrid to operate.\n\nCreate TLS certificates\n-----------------------\n\n\nYou are required to provide TLS certificates for the runtime ingress gateway in your\nApigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),\nthe runtime gateway can accept self-signed credentials. In the following steps,\n[openssl](https://www.openssl.org/) is used to generate the self-signed credentials.\n| **Note:** In a production environment, you will need to use signed certificates. You can use either a certificate and key pair or a Kubernetes secret. For an example on how to obtain a TLS certificate from the *Lets Encrypt* certificate authority (CA), see [Obtain TLS credentials: An example](/apigee/docs/hybrid/v1.11/lets-encrypt).\n\n\nIn this step, you will create the TLS credential files and add them to\nthe `$HYBRID_FILES/certs` directory.\nIn [Step 6: Configure the cluster](/apigee/docs/hybrid/v1.11/install-configure-cluster), you will add the file paths to the cluster\nconfiguration file.\n\n1. Execute the following command to create the credential files and store them in your `$HYBRID_FILES/certs` directory: \n\n ```\n openssl req -nodes -new -x509 -keyout $HYBRID_FILES/certs/keystore_$ENV_GROUP.key -out \\\n $HYBRID_FILES/certs/keystore_$ENV_GROUP.pem -subj '/CN='\u003cvar translate=\"no\"\u003e$DOMAIN\u003c/var\u003e'' -days 3650\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eDOMAIN\u003c/var\u003e is the domain you provided as the hostname for the environment group you created in [Create an environment group](/apigee/docs/hybrid/v1.11/precog-add-environment#create-an-environment-group).\n - \u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e is the name of the environment group where the domain is specified as a hostname. It's a good practice to include the environment group name in the key and keystore name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.\n\n\n This command creates a self-signed certificate/key pair that you can use for the quickstart\n installation.\n\n\n If you have additional environment groups with unique domain names, repeat this step\n for each environment group. You will reference these groups and certificates in the cluster\n configuration step.\n2. Check to make sure the files are in the `$HYBRID_FILES/certs` directory using the following command: \n\n ```\n ls $HYBRID_FILES/certs\n ``` \n\n ```scdoc\n keystore_ENV_GROUP.key\n keystore_ENV_GROUP.pem\n ```\n\n\n Where `keystore_`\u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e`.pem` is the self-signed TLS certificate file and `keystore_`\u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e`.key`\n is the key file.\n\n\nYou now have the credentials needed to manage Apigee hybrid\nin your Kubernetes cluster. Next, you will create a file that is used by Kubernetes\nto deploy the hybrid runtime components to the cluster.\n[1](/apigee/docs/hybrid/v1.11/install-create-cluster) [2](/apigee/docs/hybrid/v1.11/install-cert-manager) [3](/apigee/docs/hybrid/v1.11/install-apigeectl) [4](/apigee/docs/hybrid/v1.11/install-service-accounts) [5](/apigee/docs/hybrid/v1.11/install-create-tls-certificates) [(NEXT) Step 6: Configure the cluster](/apigee/docs/hybrid/v1.11/install-configure-cluster) [7](/apigee/docs/hybrid/v1.11/install-enable-synchronizer-access) [8](/apigee/docs/hybrid/v1.11/install-check-cluster) [9](/apigee/docs/hybrid/v1.11/install-hybrid-runtime) [10](/apigee/docs/hybrid/v1.11/install-workload-identity)\n\n\u003cbr /\u003e"]]
