Apigee mTLS requires that a certificate and key exist on each node in the cluster.
To generate the certificate, Apigee recommends one of the following options:
- If you have your own, established Certificate Authority (CA): If you have your own, established CA, then use it to generate your certificate and key, as described in this section.
- If you do not have a CA: Apigee recommends that you install Consul and use it to generate the certificate/key pair. For more information, see Step 2: Install Consul and generate credentials.
This process consists of the following steps, which you must perform on each node:
- Create the private key for the node. Each node must have a unique private key.
- Create the signature config for the node. Each node must have its own signature configuration file.
- Build the request by converting the signature configuration file into a signature request file.
- Sign the request so that you can get a local key/cert pair for the node.
- Integrate all the key/cert pairs with your nodes.
Apigee recommends that you perform steps 1 through 4 for all nodes, and then perform step 5 for all nodes, rather than walking through all 5 steps for each node, one at a time.