This topic explains how to enable one-way TLS and mTLS on the ingressgateway.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable
one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes
Secret, as explained in the following options.
Option 1: key/cert pair
Provide SSL cert and key files in the virtualhosts property in your overrides file:
Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with
corresponding host aliases, and $CERT_FILE and $KEY_FILE are TLS key and certificate
files. See Create TLS certificates.
Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with
corresponding host aliases, $CA_FILE specifies TLS certificate data (CA bundle file)
containing Certificate Authority certificates, and $CERT_FILE and
$KEY_FILE are TLS key and certificate
files. See Create TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is
for the CA. Then, add them to your overrides file.
Create two Kubernetes secrets the apigee namespace:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document provides instructions on enabling one-way TLS and mTLS on the ingress gateway for securing API proxy endpoints.\u003c/p\u003e\n"],["\u003cp\u003eOne-way TLS can be configured by providing SSL certificate and key files directly in the \u003ccode\u003evirtualhosts\u003c/code\u003e property, or by using a Kubernetes Secret that contains these files.\u003c/p\u003e\n"],["\u003cp\u003emTLS can be enabled using a key/cert pair and a CA file, where you provide TLS certificate data containing Certificate Authority certificates.\u003c/p\u003e\n"],["\u003cp\u003eAlternatively, mTLS can be configured by creating two Kubernetes Secrets, one for the SSL cert/key pair and another for the CA, and then referencing them in the \u003ccode\u003evirtualhosts\u003c/code\u003e configuration.\u003c/p\u003e\n"]]],[],null,["# Configuring TLS and mTLS on the ingress gateway\n\n| You are currently viewing version 1.14 of the Apigee hybrid documentation. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to enable one-way TLS and mTLS on the ingressgateway.\n\nConfiguring one-way TLS\n-----------------------\n\nUse one-way TLS to secure API proxy endpoints on the ingress gateway. To enable\none-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes\nSecret, as explained in the following options.\n\n### Option 1: key/cert pair\n\n\nProvide SSL cert and key files in the `virtualhosts` property in your overrides file: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n| **Note:** See\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.sslCertPath`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslcertpath)\n| - [`virtualhosts.sslKeyPath`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslkeypath)\n|\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.14/install-create-tls-certificates).\n| **Tip:** For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.\n\n### Option 2: Kubernetes Secret\n\n\nCreate a [Kubernetes\nSecret](https://kubernetes.io/docs/concepts/configuration/secret/) and add it to your overrides file.\n\n1. Create the Secret in the **apigee** namespace: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.\n sslSecret: $SECRET_NAME\n ```\n| **Note:** See\n|\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-tlsmode)\n| - [`virtualhosts.sslSecret`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslsecret)\n\nConfiguring mTLS\n----------------\n\n3. Instead of one-way TLS, you can configure [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) on the ingress gateway. There are two options for configuring mTLS, as explained below.\n\n### Option 1: key/cert pair and CA file\n\n4. Provide TLS certificate data containing Certificate Authority certificates: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL\n caCertPath: \"$CA_FILE\"\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n| **Note:** See\n|\n| - [`virtualhosts.name`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-name)\n| - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-tlsmode)\n| - [`virtualhosts.caCertPath`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-cacertpath)\n| - [`virtualhosts.sslCertPath`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslcertpath)\n| - [`virtualhosts.sslKeyPath`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslkeypath)\n5. Where \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with corresponding host aliases, \u003cvar translate=\"no\"\u003e$CA_FILE\u003c/var\u003e specifies TLS certificate data (CA bundle file) containing Certificate Authority certificates, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate files. See [Create TLS certificates](/apigee/docs/hybrid/v1.14/install-create-tls-certificates).\n\n### Option 2: Kubernetes Secrets\n\n6. Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is for the CA. Then, add them to your overrides file.\n 1. Create two Kubernetes secrets the **apigee** namespace: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n 2. Create a secret for the CA: \n\n ```\n kubectl create -n APIGEE_NAMESPACE secret generic $SECRET_NAME-cacert \\\n --from-file=cacert=$CA_FILE\n ```\n 3. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL # Note: Be sure to specify MUTUAL\n sslSecret: $SECRET_NAME\n ```\n | **Note:** See\n |\n | - [`virtualhosts.name`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-name)\n | - [`virtualhosts.tlsMode`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-tlsmode)\n | - [`virtualhosts.sslSecret`](/apigee/docs/hybrid/v1.14/config-prop-ref#virtualhosts-sslsecret)"]]
