This topic explains how to enable one-way TLS and mTLS on the ingressgateway .
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable
one-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes
Secret, as explained in the following options.
Option 1: key/cert pair
Provide SSL cert and key files in the virtualhosts property in your overrides file:
Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with
corresponding host aliases, and $CERT_FILE and $KEY_FILE are TLS key and certificate
files. See Create TLS certificates.
Where $ENVIRONMENT_GROUP_NAME is the name of an environment group with
corresponding host aliases, $CA_FILE is an authorized certificate, and $CERT_FILE and
$KEY_FILE are TLS key and certificate
files. See Create TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is
for the CA. Then, add them to your overrides file.
Create two Kubernetes secrets in one ofthe two following namespaces:
apigee namespace if you are using Apigee ingress gateway.
istio-system namespace if you are using customer-installed Anthos Service Mesh.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation explains how to enable one-way TLS or mTLS on the Apigee ingress gateway to secure API proxy endpoints.\u003c/p\u003e\n"],["\u003cp\u003eOne-way TLS can be configured by providing SSL certificate/key pairs in the \u003ccode\u003evirtualhosts\u003c/code\u003e property of the overrides file, or by using a Kubernetes Secret.\u003c/p\u003e\n"],["\u003cp\u003emTLS configuration requires either a Certificate Authority (CA) certificate along with SSL certificate/key files in the \u003ccode\u003evirtualhosts\u003c/code\u003e property, or the use of two Kubernetes Secrets, one for the SSL cert/key pair and one for the CA.\u003c/p\u003e\n"],["\u003cp\u003eKubernetes Secrets for both one-way TLS and mTLS can be created in either the \u003ccode\u003eapigee\u003c/code\u003e namespace for the Apigee ingress gateway, or in the \u003ccode\u003eistio-system\u003c/code\u003e namespace for customer-installed Anthos Service Mesh.\u003c/p\u003e\n"],["\u003cp\u003eThe current version of the Apigee hybrid documentation (v1.8) is end of life and users should upgrade to a newer version.\u003c/p\u003e\n"]]],[],null,["# Configuring TLS and mTLS on the ingress gateway\n\n| You are currently viewing version 1.8 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nThis topic explains how to enable one-way TLS and mTLS on the ingressgateway .\n\nConfiguring one-way TLS\n-----------------------\n\nUse one-way TLS to secure API proxy endpoints on the ingress gateway. To enable\none-way TLS, you configure the ingress with TLS cert/key pairs or with a Kubernetes\nSecret, as explained in the following options.\n\n### Option 1: key/cert pair\n\n\nProvide SSL cert and key files in the `virtualhosts` property in your overrides file: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and \u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.8/install-create-tls-certificates).\n\n### Option 2: Kubernetes Secret\n\n\nCreate a [Kubernetes\nSecret](https://kubernetes.io/docs/concepts/configuration/secret/) and add it to your overrides file.\n\n1. Create the Secret in one of the two following namespaces:\n - **apigee** namespace if you are using Apigee ingress gateway.\n - **istio-system** namespace if you are using customer-installed Anthos Service Mesh.\n\n ### Apigee ingress gateway\n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n\n ### Anthos Service Mesh\n\n ```\n kubectl create -n istio-system secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional.\n sslSecret: $SECRET_NAME\n ```\n\nConfiguring mTLS\n----------------\n\n\nInstead of one-way TLS, you can configure\n[mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) on the\ningress gateway. There are two options for configuring mTLS, as explained below.\n\n### Option 1: key/cert pair and CA file\n\n\nProvide a Certificate Authority (CA) certificate with SSL cert and key files in the\n`virtualhosts` property in your overrides file: \n\n```scdoc\nvirtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL\n caCertPath: \"$CA_FILE\"\n sslCertPath: \"$CERT_FILE\"\n sslKeyPath: \"$KEY_FILE\"\n```\n\n\nWhere \u003cvar translate=\"no\"\u003e$ENVIRONMENT_GROUP_NAME\u003c/var\u003e is the name of an environment group with\ncorresponding host aliases, \u003cvar translate=\"no\"\u003e$CA_FILE\u003c/var\u003e is an authorized certificate, and \u003cvar translate=\"no\"\u003e$CERT_FILE\u003c/var\u003e and\n\u003cvar translate=\"no\"\u003e$KEY_FILE\u003c/var\u003e are TLS key and certificate\nfiles. See [Create TLS certificates](/apigee/docs/hybrid/v1.8/install-create-tls-certificates).\n\n### Option 2: Kubernetes Secrets\n\nCreate two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is\nfor the CA. Then, add them to your overrides file.\n\n1. Create two Kubernetes secrets in one ofthe two following namespaces:\n - **apigee** namespace if you are using Apigee ingress gateway.\n - **istio-system** namespace if you are using customer-installed Anthos Service Mesh.\n\n ### Apigee ingress gateway\n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n\n ### Anthos Service Mesh\n\n ```\n kubectl create -n istio-system secret generic $SECRET_NAME \\\n --from-file=key=$KEY_FILE \\\n --from-file=cert=$CERT_FILE\n ```\n2. Create a secret for the CA:\n\n ### Apigee ingress gateway\n\n ```\n kubectl create -n apigee secret generic $SECRET_NAME-cacert \\\n --from-file=cacert=$CA_FILE\n ```\n\n ### Anthos Service Mesh\n\n ```\n kubectl create -n istio-system secret generic $SECRET_NAME-cacert \\\n --from-file=cacert=$CA_FILE\n ```\n3. Configure the `virtualhosts` property in your overrides file: \n\n ```scdoc\n virtualhosts:\n - name: $ENVIRONMENT_GROUP_NAME\n tlsMode: MUTUAL # Note: Be sure to specify MUTUAL\n sslSecret: $SECRET_NAME\n ```"]]
