This topic explains how to enable one-way TLS and mTLS on the ingressgateway.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable
one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes
Secret, as explained in the following options.
Option 1: key/cert pair
Provide SSL cert and key files in thevirtualhostsproperty in your overrides file:
Where$ENVIRONMENT_GROUP_NAMEis the name of an environment group with
corresponding host aliases, and$CERT_FILEand$KEY_FILEare TLS key and certificate
files. SeeCreate TLS certificates.
Where$ENVIRONMENT_GROUP_NAMEis the name of an environment group with
corresponding host aliases,$CA_FILEspecifies TLS certificate data (CA bundle file)
containing Certificate Authority certificates, and$CERT_FILEand$KEY_FILEare TLS key and certificate
files. SeeCreate TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is
for the CA. Then, add them to your overrides file.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Configuring TLS and mTLS on the ingress gateway\n\nThis topic explains how to enable one-way TLS and mTLS on the ingressgateway.\n\nConfiguring one-way TLS\n-----------------------\n\nUse one-way TLS to secure API proxy endpoints on the ingress gateway. To enable\none-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes\nSecret, as explained in the following options.\n\n### Option 1: key/cert pair\n\n\nProvide SSL cert and key files in the `virtualhosts` property in your overrides file: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n| **Note:** See\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.sslCertPath`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslcertpath)\n| - [`virtualhosts.sslKeyPath`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslkeypath)\n|\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.15/install-create-tls-certificates).\n| **Tip:** For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.\n\n### Option 2: Kubernetes Secret\n\n\nCreate a [Kubernetes\nSecret](https://kubernetes.io/docs/concepts/configuration/secret/) and add it to your overrides file.\n\n1. Create the Secret in the **apigee** namespace: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.\n sslSecret: $SECRET_NAME\n ```\n| **Note:** See\n|\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-tlsmode)\n| - [`virtualhosts.sslSecret`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslsecret)\n\nConfiguring mTLS\n----------------\n\n3. Instead of one-way TLS, you can configure [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) on the ingress gateway. There are two options for configuring mTLS, as explained below.\n\n### Option 1: key/cert pair and CA file\n\n4. Provide TLS certificate data containing Certificate Authority certificates: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL\n caCertPath: \"$CA_FILE\"\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n| **Note:** See\n|\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-tlsmode)\n| - [`virtualhosts.caCertPath`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-cacertpath)\n| - [`virtualhosts.sslCertPath`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslcertpath)\n| - [`virtualhosts.sslKeyPath`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslkeypath)\n5. Where \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with corresponding host aliases, \u003cvar translate=\"no\"\u003e$CA_FILE\u003c/var\u003e specifies TLS certificate data (CA bundle file) containing Certificate Authority certificates, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate files. See [Create TLS certificates](/apigee/docs/hybrid/v1.15/install-create-tls-certificates).\n\n### Option 2: Kubernetes Secrets\n\n6. Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is for the CA. Then, add them to your overrides file.\n 1. Create two Kubernetes secrets the **apigee** namespace: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n 2. Create a secret for the CA: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME-cacert \\\n --from-file=cacert=$CA_FILE\n ```\n 3. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL # Note: Be sure to specify MUTUAL\n sslSecret: $SECRET_NAME\n ```\n | **Note:** See\n |\n | - [`virtualhosts.name`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-name)\n | - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-tlsmode)\n | - [`virtualhosts.sslSecret`](/apigee/docs/hybrid/v1.15/config-prop-ref#virtualhosts-sslsecret)"]]
