Edge for Private Cloud v4.19.01
Apigee mTLS requires that a certificate and key exist on each node in the cluster.
You can use an existing Certificate Authority's (CA) certificate and key, as described in this section. Alternatively, you can use the ones created by the new CA, as described in Step 2: Install Consul and generate credentials.
This procedure is complex, time-consuming, and prone to errors. As a result, Apigee recommends that if you are testing or evaluating Apigee mTLS, you use the Consul CA to generate the certificate/key pair.
This process consists of the following steps, which you must perform on each node:
1. Create the private key for the node. Each node must have a unique private key.
2. Create the signature config for the node. Each node must have its own signature configuration file.
3. Build the request by converting the signature configuration file into a signature request file.
4. Sign the request so that you can get a local key/cert pair for the node.
5. Integrate all the key/cert pairs with your nodes.
Apigee recommends that you perform steps 1 through 4 for all nodes, and then perform step 5 for all nodes, rather than walking through all 5 steps for each node, one at a time.
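The following sketch runs steps 1 through 4 for two nodes with OpenSSL and then checks each result. It is an added example, not Apigee's own procedure. The throwaway CA, the node names and IPs, and the subject, SAN, and key-usage values in the signature config are constructed assumptions, because the fields Apigee requires are not listed in this section. Step 5 is not shown.

```shell
set -eu
WORK=$(mktemp -d)   # scratch directory for the example; delete it when done

# Constructed stand-in for your existing CA (in practice you already hold its cert and key).
make_demo_ca() {
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=demo-ca\n[v3]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -extensions v3 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_node_cert NAME IP: steps 1-4 for one node (hypothetical helper).
issue_node_cert() {
  name=$1; ip=$2
  # Step 1: a private key that belongs to this node only.
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  chmod 600 "$WORK/$name.key"
  # Step 2: this node's own signature config (field values are assumptions).
  cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name, IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  # Step 3: turn the config into a signature request.
  openssl req -new -key "$WORK/$name.key" -config "$WORK/$name.cnf" -out "$WORK/$name.csr"
  # Step 4: sign with the CA; -extfile carries the SAN into the issued cert.
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$name.cnf" -extensions ext \
    -out "$WORK/$name.crt" 2>/dev/null
}

# check_node_cert NAME: the cert chains to the CA and matches the node's key.
check_node_cert() {
  name=$1
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.crt" >/dev/null || return 1
  k=$(openssl pkey -in "$WORK/$name.key" -pubout | openssl sha256)
  c=$(openssl x509 -in "$WORK/$name.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

make_demo_ca
for n in "node1 10.0.0.1" "node2 10.0.0.2"; do
  set -- $n; issue_node_cert "$1" "$2"; check_node_cert "$1"
done
```

Running the check for every node before distributing anything catches the most common mistake in a multi-node batch, a certificate paired with another node's key.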