This topic explains how to enable one-way TLS and mTLS on the ingressgateway.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable
one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes
Secret, as explained in the following options.
Option 1: key/cert pair
Provide SSL cert and key files in thevirtualhostsproperty in your overrides file:
Where$ENVIRONMENT_GROUP_NAMEis the name of an environment group with
corresponding host aliases, and$CERT_FILEand$KEY_FILEare TLS key and certificate
files. SeeCreate TLS certificates.
Where$ENVIRONMENT_GROUP_NAMEis the name of an environment group with
corresponding host aliases,$CA_FILEspecifies TLS certificate data (CA bundle file)
containing Certificate Authority certificates, and$CERT_FILEand$KEY_FILEare TLS key and certificate
files. SeeCreate TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is
for the CA. Then, add them to your overrides file.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document provides instructions on how to enable one-way TLS and mTLS on the ingress gateway to secure API proxy endpoints.\u003c/p\u003e\n"],["\u003cp\u003eOne-way TLS can be configured by providing SSL certificate and key files directly within the \u003ccode\u003evirtualhosts\u003c/code\u003e property or by using a Kubernetes Secret containing these files.\u003c/p\u003e\n"],["\u003cp\u003emTLS can be enabled using a key/cert pair along with a CA file in the \u003ccode\u003evirtualhosts\u003c/code\u003e property, or by utilizing two separate Kubernetes Secrets, one for the SSL cert/key pair and another for the CA.\u003c/p\u003e\n"],["\u003cp\u003eWhen using Kubernetes Secrets for either one-way TLS or mTLS, the secrets should be created in the \u003ccode\u003eapigee\u003c/code\u003e namespace, and the corresponding \u003ccode\u003evirtualhosts\u003c/code\u003e properties in the overrides file should be configured to reference these secrets.\u003c/p\u003e\n"],["\u003cp\u003eIt's best security practice to utilize a separate TLS cert/key pair for each virtual host, and if using a Subject Alternative Name (SAN) certificate, this TLS cert/key pair should only be shared across a single domain.\u003c/p\u003e\n"]]],[],null,["# Configuring TLS and mTLS on the ingress gateway\n\n| You are currently viewing version 1.12 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to enable one-way TLS and mTLS on the ingressgateway.\n\nConfiguring one-way TLS\n-----------------------\n\nUse one-way TLS to secure API proxy endpoints on the ingress gateway. To enable\none-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes\nSecret, as explained in the following options.\n\n### Option 1: key/cert pair\n\n\nProvide SSL cert and key files in the `virtualhosts` property in your overrides file: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.12/install-create-tls-certificates).\n| **Tip:** For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.\n\n### Option 2: Kubernetes Secret\n\n\nCreate a [Kubernetes\nSecret](https://kubernetes.io/docs/concepts/configuration/secret/) and add it to your overrides file.\n\n1. Create the Secret in the **apigee** namespace: \n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.\n sslSecret: $SECRET_NAME\n ```\n\nConfiguring mTLS\n----------------\n\n\nInstead of one-way TLS, you can configure\n[mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) on the\ningress gateway. There are two options for configuring mTLS, as explained below.\n\n### Option 1: key/cert pair and CA file\n\n\nProvide TLS\ncertificate data containing Certificate Authority certificates: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL\n caCertPath: \"$CA_FILE\"\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, \u003cvar translate=\"no\"\u003e$CA_FILE\u003c/var\u003e specifies TLS certificate data (CA bundle file)\ncontaining Certificate Authority certificates, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and\n\u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.12/install-create-tls-certificates).\n\n### Option 2: Kubernetes Secrets\n\nCreate two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is\nfor the CA. Then, add them to your overrides file.\n\n1. Create two Kubernetes secrets the **apigee** namespace: \n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Create a secret for the CA: \n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME-cacert \\\n --from-file=cacert=$CA_FILE\n ```\n3. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL # Note: Be sure to specify MUTUAL\n sslSecret: $SECRET_NAME\n ```"]]
