Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.


Generate self-signed TLS certificates


This guide describes the steps to generate a self-signed certificate to use with Astronomer Software.

Self-signed certificates are ideal for privately hosted internal applications, as well as in development and testing environments. Avoid using self-signed certificates in installations where the trust and identity of the certificate issuer are important.

Prerequisites

  • openssl. You can install it through Homebrew on macOS, the Windows installer on Windows, or apt-get on Linux.

Setup

Run the following set of commands, and answer the questions when prompted.

  1. Run the following command to create a private key:

    $ openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096
  2. Run the following command to make a password-less second key based on the first key you created:

    $ openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key
  3. Run the following command to delete the first key:

    $ rm server.pass.key
  4. Run the following command to create a certificate signing request using the password-less private key. You will be asked to provide information to sign the certificate. Make sure the Common Name matches your DNS record, for example *.astro.example.com.

    $ openssl req -new -key server.key -out server.csr

    When openssl asks for a challenge password, press Enter to leave the password empty. Kubernetes does not natively support challenge passwords for certificates stored as Secrets.

  5. Run the following command to create the certificate from your private key and signing request:

    $ openssl x509 -req -sha256 -days 365 -in server.csr \
        -signkey server.key -out server.crt \
        -extfile <(printf "subjectAltName=DNS:*.astro.<your-basedomain>,DNS:astro.<your-basedomain>")

    Make sure the Subject Alternative Name matches the required domain and subdomains. To generate a wildcard certificate, both the base domain and the wildcard domain must be included. To generate a limited multi-domain certificate, add individual SAN entries for each subdomain.

The certificate file server.crt and private key file server.key can now be used in your Astronomer Software installation.

Inspect your self-signed certificate

Run the following command to inspect your self-signed certificate:

    $ openssl x509 -in server.crt -text -noout

Confirm that the X509v3 Subject Alternative Name section of the certificate includes your Astronomer base domain (<your-basedomain>) as well as the wildcard domain (*.<your-basedomain>).
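The inspection above can also be scripted. The following is an added example, not part of the Astronomer documentation: it checks that the SAN extension lists both the base domain and its wildcard as exact entries, that server.key belongs to server.crt, and that the certificate has not expired. The function names (san_has, key_matches, check_cert, make_cert) are hypothetical, and the demo certificates for astro.example.com are constructed throwaway inputs.

```shell
#!/bin/sh
# Added example: post-generation checks for server.crt / server.key.

# san_has CERT NAME: succeeds if NAME is an exact DNS entry in the SAN extension.
san_has() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# key_matches CERT KEY: succeeds if KEY is the private key for CERT's public key.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_cert CERT KEY BASEDOMAIN: prints one line per failed check and
# returns the number of failed checks (0 means the pair is usable).
check_cert() {
    fails=0
    san_has "$1" "$3"   || { echo "SAN missing base domain $3"; fails=$((fails + 1)); }
    san_has "$1" "*.$3" || { echo "SAN missing wildcard *.$3"; fails=$((fails + 1)); }
    key_matches "$1" "$2" || { echo "key does not match certificate"; fails=$((fails + 1)); }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired"; fails=$((fails + 1)); }
    return "$fails"
}

# make_cert DIR SAN: builds a throwaway key and self-signed certificate.
# Constructed demo input: a 2048-bit key and -subj keep it fast and non-interactive.
make_cert() {
    printf 'subjectAltName=%s\n' "$2" > "$1/san.ext"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/CN=*.astro.example.com" \
        -out "$1/server.csr"
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" \
        -extfile "$1/san.ext" 2>/dev/null
}

good=$(mktemp -d); bad=$(mktemp -d)
make_cert "$good" 'DNS:*.astro.example.com,DNS:astro.example.com'
make_cert "$bad"  'DNS:*.astro.example.com'    # base domain left out on purpose
check_cert "$good/server.crt" "$good/server.key" astro.example.com && echo "good: OK"
check_cert "$bad/server.crt" "$bad/server.key" astro.example.com || echo "bad: rejected"
```

To check your own files, call check_cert server.crt server.key with your base domain as the third argument.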