Mutual TLS?
For authenticating your on-prem system:
- create or provision a signed certificate for your on-prem system. It should use the DNS name that will resolve to the IP address of your target system. Maybe internal-endpoint.api.mycompany.com. You can use a self-signed cert, but it's better to get a cert from a Certificate Authority (CA). Your company probably has one that you use for the web property, but if you don't, you can use a free CA like Let's Encrypt.
- Install the private key on the HTTP endpoint in your on-prem system.
- Install the corresponding cert (or cert chain as appropriate) in a trust-store in the Apigee Edge cloud, and configure the SSLInfo for the target endpoint to point to that truststore.
For authenticating Apigee Edge:
- create or provision a separate TLS cert for the "client". This need not have any hostname but should have a Common Name associated to the Apigee Edge SaaS. Maybe "apigee-client.api.mycompany.com"
- install the private key into a keystore in Apigee Edge.
- configure the SSLInfo in the TargetEndpoint to use that Keystore for authentication.
- configure your on-prem system to authenticate clients, and use the corresponding cert from step 1 for the trust store on the on-prem side.
This is described in much greater detail here:
https://docs.apigee.com/api-platform/system-administration/configuring-ssl-edge-backend-service
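
The two SSLInfo steps above, combined in one TargetEndpoint, as an added example that is not part of the original post. The reference names `onprem-truststore-ref` and `apigee-client-keystore-ref` and the alias `apigee-client-key` are hypothetical; the URL reuses the example hostname from the first list.

```xml
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <SSLInfo>
      <!-- Use TLS for the connection to the on-prem target. -->
      <Enabled>true</Enabled>

      <!-- Truststore holding the on-prem system's cert (or cert chain).
           Edge validates the certificate presented by the target against it.
           "onprem-truststore-ref" is a hypothetical reference name. -->
      <TrustStore>ref://onprem-truststore-ref</TrustStore>

      <!-- Present a client certificate to the target (the "mutual" half). -->
      <ClientAuthEnabled>true</ClientAuthEnabled>

      <!-- Keystore holding the private key and cert provisioned for
           Apigee Edge as the client, and the alias of that entry.
           Both names are hypothetical. -->
      <KeyStore>ref://apigee-client-keystore-ref</KeyStore>
      <KeyAlias>apigee-client-key</KeyAlias>

      <!-- Leave validation on; ignoring validation errors would make
           Edge accept a target certificate it cannot verify. -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors>
    </SSLInfo>

    <!-- Must match the DNS name in the on-prem system's certificate. -->
    <URL>https://internal-endpoint.api.mycompany.com</URL>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Using references (`ref://`) rather than literal keystore names lets you rotate a certificate by pointing the reference at a new keystore without redeploying the proxy.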