Use a custom certificate

Apigee mTLS requires that a certificate and key exist on each node in the cluster.

To generate the certificate, choose one of the following options:

  • If you have your own, established Certificate Authority (CA): Use it to generate your certificate and key, as described in this section.
  • If you do not have a CA: Apigee recommends that you install Consul and use it to generate the certificate/key pair. For more information, see Step 2: Install Consul and generate credentials.

This process consists of the following steps, which you must perform on each node:

  1. Create the private key for the node. Each node must have a unique private key.
  2. Create the signature config for the node. Each node must have its own signature configuration file.
  3. Build the request by converting the signature configuration file into a signature request file.
  4. Sign the request so that you can get a local key/cert pair for the node.
  5. Integrate all the key/cert pairs with your nodes.

Apigee recommends that you perform steps 1 through 4 for all nodes, and then perform step 5 for all nodes, rather than walking through all 5 steps for each node, one at a time.
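The following is an added example, not Apigee's own commands: it runs steps 1 through 4 for two nodes with OpenSSL, using a throwaway CA in place of your established one. The node names, IP addresses, file names and the fields in the signature config are constructed placeholders; substitute the values your Apigee mTLS installation requires.

```bash
# Added example: steps 1-4 per node. Names, IPs and config fields are constructed placeholders.
set -eu

make_demo_ca() {  # arg: workdir; throwaway stand-in for your established CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_node_cert() {  # args: workdir node-name node-ip
  dir=$1; node=$2; ip=$3
  # Step 1: a private key unique to this node, readable only by its owner
  openssl genrsa -out "$dir/$node.key" 2048 2>/dev/null
  chmod 600 "$dir/$node.key"
  # Step 2: this node's own signature config (the fields here are assumptions)
  cat > "$dir/$node.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $node
[ext]
subjectAltName = DNS:$node, IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
  # Step 3: build the signature request from the config
  openssl req -new -key "$dir/$node.key" -config "$dir/$node.cnf" -out "$dir/$node.csr"
  # Step 4: sign the request with the CA, copying the extensions into the cert
  openssl x509 -req -in "$dir/$node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$node.cnf" -extensions ext \
    -out "$dir/$node.crt" 2>/dev/null
}

check_node_cert() {  # args: workdir node-name; cert chains to the CA and matches the key
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null &&
  [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)" ]
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
make_demo_ca "$work"
for n in "node1 10.0.0.1" "node2 10.0.0.2"; do   # steps 1-4 for every node first
  set -- $n
  issue_node_cert "$work" "$1" "$2"
  check_node_cert "$work" "$1"
  echo "$1: certificate signed and verified"
done
```

Step 5, integrating each key/cert pair with its node, is not shown here.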

Get Started!