When configuring a TargetServer to support TLS, you specify a keystore or truststore by using
a reference. A reference is a variable that contains the name of the keystore or truststore,
rather than specifying the keystore or truststore name directly.
A reference can be represented by an XML object like the one below:
The advantage to using a reference is that you can change the value of the reference to change
the keystore used by the target server, usually because the cert in the current keystore is
expiring in the near future.
You can only use a reference to the keystore and truststore; you cannot use a reference to the
alias. When you change the reference to a keystore, ensure that the alias name of the cert is the
same as in the old keystore.
Restrictions on using references to keystores and truststore
If you have a load balancer and terminate TLS on the
load balancer, then you cannot use keystore and truststore references in the target server.
Create a reference
You can use the Apigee UI or API to create a new reference.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis documentation applies to both Apigee and Apigee hybrid platforms, focusing on TargetServer TLS configurations.\u003c/p\u003e\n"],["\u003cp\u003eReferences are variables used to specify keystores or truststores in TLS configurations, allowing for easy updates without direct name changes.\u003c/p\u003e\n"],["\u003cp\u003eUsing references for keystores or truststores allows you to change the keystore utilized by the target server, typically for certificate renewals, without needing to change the alias.\u003c/p\u003e\n"],["\u003cp\u003eReferences for keystores and truststores are incompatible with load balancers that terminate TLS.\u003c/p\u003e\n"],["\u003cp\u003eReferences can be created and modified via both the Apigee UI and API, which include steps and code examples.\u003c/p\u003e\n"]]],[],null,["# Working with References\n\n*This page\napplies to **Apigee** and **Apigee hybrid**.*\n\n\n*View [Apigee Edge](https://docs.apigee.com/api-platform/get-started/what-apigee-edge) documentation.*\n\nWhen configuring a TargetServer to support TLS, you specify a keystore or truststore by using\na reference. A reference is a variable that contains the name of the keystore or truststore,\nrather than specifying the keystore or truststore name directly.\n\nA reference can be represented by an XML object like the one below: \n\n```xml\n \u003creference\u003e\n \u003cname\u003eReferenceName\u003c/name\u003e\n \u003cdescription\u003eReferencDescription\u003c/description\u003e\n \u003cresourceType\u003eReferredResourceType\u003cresourceType\u003e\n \u003crefers\u003eReferredResource\u003crefers\u003e\n \u003c/reference\u003e\n```\n\nThe advantage to using a reference is that you can change the value of the reference to change\nthe keystore used by the target server, usually because the cert in the current keystore is\nexpiring in the near future.\n\nYou can only use a reference to the keystore and truststore; you cannot use a reference to the\nalias. When you change the reference to a keystore, ensure that the alias name of the cert is the\nsame as in the old keystore.\n\n#### Restrictions on using references to keystores and truststore\n\nIf you have a load balancer and terminate TLS on the\nload balancer, then you cannot use keystore and truststore references in the target server.\n\nCreate a reference\n------------------\n\nYou can use the Apigee UI or API to create a new reference.\n\n### Apigee in Google Cloud console\n\nTo create a reference using the Google Cloud console:\n\n1. In the Google Cloud console, go to the **Management \\\u003e Environments** page.\n\n [Go to Environments](https://console.cloud.google.com/apigee/environments)\n2. Select the desired environment where you want to create the reference.\n\n3. Click the **References** tab.\n\n4. Click **Create Reference**.\n\n5. In the **Create Reference** pane, enter the following details:\n - **Name**: The name of the reference.\n - **Keystore**: The keystore to which the reference points.\n6. Click **Create**.\n\n### Classic UI\n\nTo create a reference using the UI:\n\n1. Log in to the [Apigee UI](https://apigee.google.com).\n2. Select the name of your organization.\n3. Select **Admin \\\u003e Environments \\\u003e References**.\n4. Select the Environment (typically `prod` or `test`).\n5. Select the **+ Reference** button.\n6. In the **Add Reference** pop-up:\n 1. Add the **Name** of the reference.\n 2. Select the **Reference**, the referred keystore or truststore.\n 3. Select **Add Reference**.\n\n### API\n\nTo create a reference using the [Create\nReference](https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments.references/create) API call: \n\n```\n curl -H \"Authorization: Bearer $TOKEN\" \\\n -X POST \\\n -d '{\n \"reference\": {\n \"name\": MyReferenceName\",\n \"resourceType\": \"KeyStore\",\n \"refers\": \"KeyStoreID\"\n }\n }' \\\n https://apigee.googleapis.com/v1/{parent=organizations/*/environments/*}/references\n```\n\nModify a reference\n------------------\n\nYou can use the Apigee UI or API to modify an existing reference.\n\n### Apigee in Google Cloud console\n\nTo modify a reference using the Google Cloud console:\n\n1. In the Google Cloud console, go to the **Management \\\u003e Environments** page.\n\n [Go to Environments](https://console.cloud.google.com/apigee/environments)\n2. Select the desired environment where you want to modify the reference.\n\n3. Click the **References** tab.\n\n4. In the displayed list, select the reference that you want to modify.\n\n5. Click more_vert **Actions** \\\u003e **Edit**.\n\n6. In the **Edit Reference** pane, update the reference to specify the new keystore.\n7. Click **Update**.\n\n### Classic Apigee UI\n\nTo modify the value of a reference in the UI:\n\n1. Log in to the [Apigee UI](https://apigee.google.com).\n2. Select the name of your organization.\n3. Select **Admin \\\u003e Environments \\\u003e References**.\n4. Select the Environment (typically `prod` or `test`).\n5. Select the **Edit** button for the reference.\n6. Update the reference to specify the new keystore or truststore. **Caution**: Ensure that the alias in the new keystore has the same name as the alias in the old keystore.\n7. Save your updates.\n\n### API\n\nTo change the reference to point to a different keystore, ensuring that the alias in the new\nkeystore has the same name as the alias in the old keystore, use the [Update Reference](https://cloud.google.com/apigee/docs/reference/apis/apigee/rest/v1/organizations.environments.references/update) API: \n\n```\n curl -H \"Authorization: Bearer $TOKEN\" \\\n -X PUT \\\n -d '{\n \"name\": \"MyReferenceName\",\n \"resourceType\": \"KeyStore\",\n \"refers\": \"KeyStoreID\"\n }' \\\n https://apigee.googleapis.com/v1/{name=organizations/*/environments/*/references/*}\n \n```"]]
