Step 5: Integrate the custom certificate

A standard Apigee mTLS installation consists of the following general steps:

/opt/apigee/apigee-service apigee-mtls install
/opt/apigee/apigee-service apigee-mtls setup -f /opt/silent.conf
/opt/apigee/apigee-service apigee-mtls start

For custom certificate installation, you must perform additional steps, as described in this section.

To integrate your custom certificates with Apigee mTLS, copy the following files to both the certs and source/certs directories under /opt/apigee/apigee-mtls on each node in the cluster. Do this during the installation, after setup and before start:

  • Generated local_key.pem (unique to each node)
  • Generated local_cert.pem (unique to each node)
  • The Certificate Authority's certificate.pem
  • The Certificate Authority's key.pem

For example, the installation steps for Apigee mTLS with a custom certificate are as follows:

/opt/apigee/apigee-service apigee-mtls install
/opt/apigee/apigee-service apigee-mtls setup -f /opt/silent.conf

# Copy the locally generated certificate
cp PATH_TO_LOCAL_CERT /opt/apigee/apigee-mtls/certs/local_cert.pem
cp PATH_TO_LOCAL_CERT /opt/apigee/apigee-mtls/source/certs/local_cert.pem

# Copy the locally generated key
cp PATH_TO_LOCAL_KEY /opt/apigee/apigee-mtls/certs/local_key.pem
cp PATH_TO_LOCAL_KEY /opt/apigee/apigee-mtls/source/certs/local_key.pem

# Copy the CA's certificate
cp PATH_TO_CA_CERT /opt/apigee/apigee-mtls/certs/ca_cert.pem
cp PATH_TO_CA_CERT /opt/apigee/apigee-mtls/source/certs/ca_cert.pem

# Copy the CA's key
cp PATH_TO_CA_KEY /opt/apigee/apigee-mtls/certs/ca_key.pem
cp PATH_TO_CA_KEY /opt/apigee/apigee-mtls/source/certs/ca_key.pem

/opt/apigee/apigee-service apigee-mtls start

This process overrides the certificates that were generated during the initial setup.

After you complete the integration of the new certificates, you can verify that they are valid by using the instructions in Verify the certificate.
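
The copy steps above can be wrapped in pre-flight checks so that a mismatched key or a certificate from the wrong CA is caught before the service is started. The following is an added example, not part of the Apigee documentation. The function names and the optional BASE argument are hypothetical, and it assumes unencrypted PEM keys and OpenSSL 1.1 or later on the PATH.

```shell
#!/usr/bin/env bash
# Added example: validate the four PEM files, then copy them into both
# Apigee mTLS directories. Function names and BASE are hypothetical.

# True only if the private key and the certificate hold the same public key.
key_matches_cert() {    # usage: key_matches_cert KEY.pem CERT.pem
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True only if CERT.pem verifies (signature and validity dates) with CA.pem
# supplied as a trust anchor.
cert_chains_to_ca() {   # usage: cert_chains_to_ca CA.pem CERT.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run every check first; copy only if all of them pass.
# usage: install_mtls_certs LOCAL_CERT LOCAL_KEY CA_CERT CA_KEY [BASE]
install_mtls_certs() {
  local base="${5:-/opt/apigee/apigee-mtls}" dir
  key_matches_cert "$2" "$1" ||
    { echo "local key does not match local cert" >&2; return 1; }
  key_matches_cert "$4" "$3" ||
    { echo "CA key does not match CA cert" >&2; return 1; }
  cert_chains_to_ca "$3" "$1" ||
    { echo "local cert does not verify against CA cert" >&2; return 1; }
  for dir in "$base/certs" "$base/source/certs"; do
    cp "$1" "$dir/local_cert.pem" && cp "$2" "$dir/local_key.pem" &&
      cp "$3" "$dir/ca_cert.pem" && cp "$4" "$dir/ca_key.pem" || return 1
  done
}
```

Call install_mtls_certs with the four PATH_TO_* files between the setup and start commands; a non-zero return means nothing was copied and the node should not be started with those files.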