This step explains how to create the TLS credentials
that are required for Apigee hybrid to operate.
Create TLS certificates
You are required to provide TLS certificates for the runtime ingress gateway in your
Apigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),
the runtime gateway can accept self-signed credentials. In the following steps,
openssl is used to generate the self-signed credentials.
In this step, you will create the TLS credential files and add them to
the $HYBRID_FILES/certs directory.
In
Step 6: Configure the cluster, you will add the file paths to the cluster
configuration file.
Execute the following command to create the credential files and store them in your
$HYBRID_FILES/certs directory:
DOMAIN is the domain you provided as the hostname for the environment
group you created in Create an environment group.
ENV_GROUP is the name of the environment group where the domain is specified
as a hostname. It's a good practice to include the environment group name in the key and keystore
name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.
This command creates a self-signed certificate/key pair that you can use for the quickstart
installation.
If you have additional environment groups with unique domain names, just repeat this step
for each one. You will reference these groups and certificates in the cluster configuration
step.
Check to make sure the files are in the $HYBRID_FILES/certs directory using the following command:
ls $HYBRID_FILES/certs
keystore_ENV_GROUP.key
keystore_ENV_GROUP.pem
Where keystore_ENV_GROUP.pem is the self-signed TLS certificate file and keystore_ENV_GROUP.key
is the key file.
You now have the credentials needed to manage Apigee hybrid
in your Kubernetes cluster. Next, you will create a file that is used by Kubernetes
to deploy the hybrid runtime components to the cluster.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThis guide provides instructions for creating TLS credentials, specifically for the runtime ingress gateway in an Apigee hybrid configuration.\u003c/p\u003e\n"],["\u003cp\u003eFor quickstart, non-production installations, self-signed TLS certificates can be generated using \u003ccode\u003eopenssl\u003c/code\u003e, and a production environment requires signed certificates.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves creating a self-signed certificate and key pair and storing them in the \u003ccode\u003e$HYBRID_FILES/certs\u003c/code\u003e directory, which will be referenced later in the cluster configuration.\u003c/p\u003e\n"],["\u003cp\u003eThe provided \u003ccode\u003eopenssl\u003c/code\u003e command requires the domain name and environment group name as parameters to create unique TLS credentials for each environment group.\u003c/p\u003e\n"],["\u003cp\u003eThe generated TLS files, keystore_ENV_GROUP.pem and keystore_ENV_GROUP.key, are now ready to be used in managing Apigee hybrid within the Kubernetes cluster.\u003c/p\u003e\n"]]],[],null,["| You are currently viewing version 1.10 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nThis step explains how to create the TLS credentials\nthat are required for Apigee hybrid to operate.\n\nCreate TLS certificates\n\n\nYou are required to provide TLS certificates for the runtime ingress gateway in your\nApigee hybrid configuration. For the purpose of this quickstart (a non-production trial installation),\nthe runtime gateway can accept self-signed credentials. In the following steps,\n[openssl](https://www.openssl.org/) is used to generate the self-signed credentials.\n| **Note:** In a production environment, you will need to use signed certificates. You can either use either a certificate and key pair or a Kubernetes secret. For an example on how to obtain a TLS certificate from the *Lets Encrypt* certificate authority (CA), see [Obtain TLS credentials: An example](/apigee/docs/hybrid/v1.10/lets-encrypt).\n\n\nIn this step, you will create the TLS credential files and add them to\nthe `$HYBRID_FILES/certs` directory.\nIn [Step 6: Configure the cluster](/apigee/docs/hybrid/v1.10/install-configure-cluster), you will add the file paths to the cluster\nconfiguration file.\n\n1. Execute the following command to create the credential files and store them in your `$HYBRID_FILES/certs` directory: \n\n ```\n openssl req -nodes -new -x509 -keyout $HYBRID_FILES/certs/keystore_$ENV_GROUP.key -out \\\n $HYBRID_FILES/certs/keystore_$ENV_GROUP.pem -subj '/CN='\u003cvar translate=\"no\"\u003e$DOMAIN\u003c/var\u003e'' -days 3650\n ```\n\n\n Where:\n - \u003cvar translate=\"no\"\u003eDOMAIN\u003c/var\u003e is the domain you provided as the hostname for the environment group you created in [Create an environment group](/apigee/docs/hybrid/v1.10/precog-add-environment#create-an-environment-group).\n - \u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e is the name of the environment group where the domain is specified as a hostname. It's a good practice to include the environment group name in the key and keystore name to avoid accidentally reusing the same domain value if you create keys for multiple environment groups.\n\n\n This command creates a self-signed certificate/key pair that you can use for the quickstart\n installation.\n\n\n If you have additional environment groups with unique domain names, just repeat this step\n for each one. You will reference these groups and certificates in the cluster configuration\n step.\n2. Check to make sure the files are in the `$HYBRID_FILES/certs` directory using the following command: \n\n ```\n ls $HYBRID_FILES/certs\n ``` \n\n ```scdoc\n keystore_ENV_GROUP.key\n keystore_ENV_GROUP.pem\n ```\n\n\n Where `keystore_`\u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e`.pem` is the self-signed TLS certificate file and `keystore_`\u003cvar translate=\"no\"\u003eENV_GROUP\u003c/var\u003e`.key`\n is the key file.\n\n\nYou now have the credentials needed to manage Apigee hybrid\nin your Kubernetes cluster. Next, you will create a file that is used by Kubernetes\nto deploy the hybrid runtime components to the cluster.\n[1](/apigee/docs/hybrid/v1.10/install-create-cluster) [2](/apigee/docs/hybrid/v1.10/install-cert-manager) [3](/apigee/docs/hybrid/v1.10/install-apigeectl) [4](/apigee/docs/hybrid/v1.10/install-service-accounts) [5](/apigee/docs/hybrid/v1.10/install-create-tls-certificates) [(NEXT) Step 6: Configure the cluster](/apigee/docs/hybrid/v1.10/install-configure-cluster) [7](/apigee/docs/hybrid/v1.10/install-enable-synchronizer-access) [8](/apigee/docs/hybrid/v1.10/install-check-cluster) [9](/apigee/docs/hybrid/v1.10/install-hybrid-runtime) [10](/apigee/docs/hybrid/v1.10/install-expose-apigee-ingress) [11](/apigee/docs/hybrid/v1.10/install-deploy-proxy)\n\n\u003cbr /\u003e"]]
