After you generate a signature request file, you must sign the request.
To sign the *.csr file, execute the following command:
```shell
openssl x509 -req \
  -CA CA_PUBLIC_CERT \
  -CAkey CA_PRIVATE_KEY \
  -extensions cert_ext \
  -set_serial 1 \
  -extfile SIGNATURE_CONFIGURATION \
  -in SIGNATURE_REQUEST \
  -out LOCAL_CERTIFICATE_OUTPUT
```
Where:
- CA_PUBLIC_CERT is the path to your Certificate Authority's public certificate.
- CA_PRIVATE_KEY is the path to your Certificate Authority's private key.
- SIGNATURE_CONFIGURATION is the path to the file that you created in Step 2: Create the local signature config file.
- SIGNATURE_REQUEST is the path to the file that you created in Build the signature request.
- LOCAL_CERTIFICATE_OUTPUT is the path at which this command creates the node's certificate.
This command generates the local_cert.pem file. You can use the resulting local_cert.pem and local_key.pem files on a single node only in the Apigee mTLS installation. Each node must have its own key/cert pair.
The following example shows a successful response for this command:
```
user@host:~/certificate_example$ openssl x509 -req \
  -CA certificate.pem \
  -CAkey key.pem \
  -extensions cert_ext \
  -set_serial 1 \
  -extfile request_for_sig \
  -in temp_request.csr \
  -out local_cert.pem
Signature ok
subject=C = US, ST = CA, L = San Jose, O = Google, OU = Google-Cloud, CN = Apigee
Getting CA Private Key
user@host:~/certificate_example$ ls
certificate.pem  key.pem  local_cert.pem  local_key.pem  request_for_sig  temp_request.csr
```
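As an added example that is not part of the Apigee documentation: the script below builds a throwaway CA and node key in a temporary directory, runs the page's signing command against them, and then checks the resulting pair the way you would before installing it on a node (it chains to the CA, the key matches the certificate, and the cert_ext extensions were applied). The file names mirror the page's example; the contents of the cert_ext section are an assumption, since the real file comes from Step 2.

```shell
#!/bin/sh
# Constructed example: throwaway CA and node key, signed with the page's command, then verified.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for SIGNATURE_CONFIGURATION (assumed contents; the real file comes from Step 2).
cat > request_for_sig <<'EOF'
[ cert_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

# Throwaway CA (constructed), standing in for CA_PUBLIC_CERT / CA_PRIVATE_KEY.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
  -keyout key.pem -out certificate.pem >/dev/null 2>&1

# Node private key and CSR (constructed), standing in for local_key.pem / SIGNATURE_REQUEST.
openssl req -newkey rsa:2048 -nodes -subj "/CN=node-1.example.test" \
  -keyout local_key.pem -out temp_request.csr >/dev/null 2>&1

# The signing command from the page, with the example's file names.
openssl x509 -req -CA certificate.pem -CAkey key.pem -extensions cert_ext -set_serial 1 \
  -extfile request_for_sig -in temp_request.csr -out local_cert.pem 2>/dev/null

# Checks to run before copying a pair to a node. Returns 0 only if every check passes.
check_pair() {
  cert=$1; key=$2; ca=$3
  # 1. The certificate chains to the CA you expect.
  openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  # 2. The certificate and the private key carry the same public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 3. The cert_ext section was applied (the node cert is not itself a CA).
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' || return 1
  return 0
}

check_pair local_cert.pem local_key.pem certificate.pem && echo "certificate/key pair OK"
```

A pair that fails check 2 is the usual symptom of copying a certificate to a node together with a key generated for a different node.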
Your custom certificate/key pair is good for 365 days by default. You can configure the number of days by using the APIGEE_MTLS_NUM_DAYS_CERT_VALID_FOR property, as described in Step 1: Update your configuration file.