Step 4: Sign the signature request

After you generate a signature request file, you must sign the request.

To sign the *.csr file, execute the following command:

openssl x509 -req \
  -extensions cert_ext \
  -set_serial 1 \


  • CA_PUBLIC_CERT is the path to your Certificate Authority's public key.
  • CA_PRIVATE_KEY is the path to your Certificate Authority's private key.
  • SIGNATURE_CONFIGURATION is the path to the file that you created in Step 2: Create the local signature config file.
  • SIGNATURE_REQUEST is the path to the file that you created in Build the signature request.
  • LOCAL_CERTIFICATE_OUTPUT is the path at which this command creates the node's certificate.

This command generates the local_cert.pem and local_key.pem files. You can use these files on a single node only in the Apigee mTLS installation. Each node must have its own key/cert pair.

The following example shows a successful response for this command:

user@host:~/certificate_example$ openssl x509 -req \
  -CA certificate.pem \
  -CAkey key.pem \
  -extensions cert_ext \
  -set_serial 1 \
  -extfile request_for_sig \
  -in temp_request.csr \
  -out local_cert.pem

Signature ok
subject=C = US, ST = CA, L = San Jose, O = Google, OU = Google-Cloud, CN = Apigee
Getting CA Private Key

user@host:~/certificate_example$ ls

certificate.pem  key.pem  local_cert.pem  local_key.pem  request_for_sig  temp_request.csr

Your custom certificate/key pair is good for 365 days by default. You can configure the number of days by using the APIGEE_MTLS_NUM_DAYS_CERT_VALID_FOR property, as described in Step 1: Update your configuration file.

Next Step

1 2 3 4 NEXT: (5) Integrate