Configuring TLS and mTLS on the ingress gateway
This topic explains how to enable one-way TLS and mTLS on the ingressgateway.
Configuring one-way TLS
Use one-way TLS to secure API proxy endpoints on the ingress gateway. To enable one-way TLS, you configure the ingress with TLS cert/key pairs or with a KubernetesSecret, as explained in the following options.
Option 1: key/cert pair
Provide SSL cert and key files in thevirtualhosts property in your overrides file:
virtualhosts:- name:$ENVIRONMENT_GROUP_NAME sslCertPath: "$CERT_FILE" sslKeyPath: "$KEY_FILE"virtualhosts.namevirtualhosts.sslCertPathvirtualhosts.sslKeyPathWhere$ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases, and$CERT_FILE and$KEY_FILE are TLS key and certificate files. SeeCreate TLS certificates.
Tip: For security purposes, it is best practice to have a separate TLS cert/key pair for each virtual host. If you are using a Subject Alternative Name (SAN ) certificate, this TLS cert/key pair should be used on one virtual host that is shared across the domain.Option 2: Kubernetes Secret
Create aKubernetes Secret and add it to your overrides file.
- Create the Secret in the
apigeenamespace:kubectl create -nAPIGEE_NAMESPACE secret generic$SECRET_NAME \ --from-file=key=$KEY_FILE \ --from-file=cert=$CERT_FILE
- Configure the
virtualhostsproperty in your overrides file:virtualhosts:- name:$ENVIRONMENT_GROUP_NAME tlsMode: SIMPLE # Note: SIMPLE is the default, so it is optional. sslSecret:$SECRET_NAMENote: See virtualhosts.namevirtualhosts.tlsModevirtualhosts.caCertPathvirtualhosts.sslCertPathvirtualhosts.sslKeyPath- Create two Kubernetes secrets the
apigeenamespace:kubectl create -nAPIGEE_NAMESPACE secret generic$SECRET_NAME \ --from-file=key=$KEY_FILE \ --from-file=cert=$CERT_FILE
- Create a secret for the CA:
kubectl create -nAPIGEE_NAMESPACE secret generic$SECRET_NAME-cacert \ --from-file=cacert=$CA_FILE
- Configure the
virtualhostsproperty in your overrides file:virtualhosts:- name:$ENVIRONMENT_GROUP_NAME tlsMode: MUTUAL # Note: Be sure to specify MUTUAL sslSecret:$SECRET_NAMENote: See
Configuring mTLS
Important: Public Certificate Authorities (CAs) are discontinuing the inclusion of theclientAuth Extended Key Usage (EKU) in latest publicly-trusted SSL/TLS certificates. This industry-wide change affects Apigee mutual TLS (mTLS) configurations inApigee platform. Apigee requires theclientAuth EKU to be present in client certificates for mTLS handshakes. Without this EKU, mTLS connections will fail for both northbound (client to Apigee) and southbound (Apigee to backend) traffic. For a detailed explanation of the issue, timelines, and recommended solutions, refer to thisblog post.
Instead of one-way TLS, you can configuremTLS on the ingress gateway. There are two options for configuring mTLS, as explained below.
Option 1: key/cert pair and CA file
Provide TLS certificate data containing Certificate Authority certificates:
virtualhosts:- name:$ENVIRONMENT_GROUP_NAME tlsMode: MUTUAL caCertPath: "$CA_FILE" sslCertPath: "$CERT_FILE" sslKeyPath: "$KEY_FILE"Where$ENVIRONMENT_GROUP_NAME is the name of an environment group with corresponding host aliases,$CA_FILE specifies TLS certificate data (CA bundle file) containing Certificate Authority certificates, and$CERT_FILE and$KEY_FILE are TLS key and certificate files. SeeCreate TLS certificates.
Option 2: Kubernetes Secrets
Create two Kubernetes Secrets. The first secret is for the SSL cert/key pair and the second is for the CA. Then, add them to your overrides file.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.