This page describes how to set up Knative serving to use your own
SSL/TLS certificate, for those cases where you don't want to use the
managed TLS certificates feature.
The Istio Ingress Gateway can serve TLS with your certificate once you store
the certificate and its private key in a Kubernetes Secret and reference that
Secret in the Istio Ingress Gateway spec.
Before you begin
These instructions assume that you already have your own TLS certificates.
Storing TLS certificate/private key into a Kubernetes Secret
To store the certificates into a Secret:
1. Copy the certificates into your current directory.
2. Use the following command to create a Secret that stores the certificates,
   where `privkey.pem` contains your certificate private key and
   `fullchain.pem` contains the public certificate:
   ```bash
   kubectl create --namespace gke-system secret tls SECRET_NAME \
     --key privkey.pem \
     --cert fullchain.pem
   ```

Specifying your TLS certificate to Istio Ingress Gateway

Modify the Istio Ingress Gateway spec to use the Kubernetes Secret containing
your TLS certificate:

1. Open the shared gateway spec for editing:

   ```
   kubectl edit gateway gke-system-gateway --namespace knative-serving
   ```

2. Specify your TLS certificate using the secret you created earlier, by adding
   the following section to your gateway spec:

   ```yaml
   - hosts:
     - "*"
     port:
       name: https
       number: 443
       protocol: HTTPS
     tls:
       mode: SIMPLE
       credentialName: SECRET_NAME
   ```

   Your gateway spec should look like the following:

   ```yaml
   apiVersion: networking.istio.io/v1alpha3
   kind: Gateway
   metadata:
     # ... skipped ...
   spec:
     selector:
       istio: ingressgateway
     servers:
     - hosts:
       - "*"
       port:
         name: http
         number: 80
         protocol: HTTP
     - hosts:
       - "*"
       port:
         name: https
         number: 443
         protocol: HTTPS
       tls:
         mode: SIMPLE
         credentialName: SECRET_NAME
   ```

   If you're adding multiple TLS certificates for two different services in
   different namespaces, your gateway spec could look like:

   ```yaml
   apiVersion: networking.istio.io/v1alpha3
   kind: Gateway
   metadata:
     # ... skipped ...
   spec:
     selector:
       istio: ingressgateway
     servers:
     - hosts:
       - "*"
       port:
         name: http
         number: 80
         protocol: HTTP
     - port:
         number: 443
         name: https-SERVICE1_NAME
         protocol: HTTPS
       tls:
         mode: SIMPLE
         credentialName: SECRET1_NAME
       hosts:
       - SERVICE1_NAME.NAMESPACE1.example.com
     - port:
         number: 443
         name: https-SERVICE2_NAME
         protocol: HTTPS
       tls:
         mode: SIMPLE
         credentialName: SECRET2_NAME
       hosts:
       - SERVICE2_NAME.NAMESPACE2.example.com
   ```

3. Save your changes.

After this change, you can use the HTTPS protocol to access your deployed
services.

Last updated 2025-09-04 UTC.
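A pre-flight check for the `privkey.pem` and `fullchain.pem` files used when creating the Secret, as an added example that is not part of the original page: it confirms that the private key matches the first (leaf) certificate in the chain and that the certificate is not close to expiry before the pair is loaded with `kubectl create ... secret tls`. The function names, return codes and the 30-day default are assumptions made for this example, and it requires the `openssl` CLI.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the files given to
# `kubectl create secret tls`. Function names and return codes are
# hypothetical. Requires the openssl CLI.

# Public key (PEM) of the first certificate in a bundle. openssl x509 reads
# only the first certificate, which must be the leaf in fullchain.pem.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key. The empty -passin makes an
# encrypted key fail instead of prompting for a passphrase.
pubkey_of_key() { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null; }

# Number of certificates in the bundle (1 means no intermediates included).
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Returns 0 if the pair is consistent, 2 if a file cannot be parsed,
# 3 if the key does not match the leaf, 4 if the leaf expires too soon.
check_tls_pair() {
  local key="$1" cert="$2" min_days="${3:-30}" from_cert from_key
  from_cert="$(pubkey_of_cert "$cert")" || {
    echo "cannot parse certificate: $cert" >&2; return 2; }
  from_key="$(pubkey_of_key "$key")" || {
    echo "cannot parse unencrypted private key: $key" >&2; return 2; }
  if [ -z "$from_cert" ] || [ "$from_cert" != "$from_key" ]; then
    echo "private key does not match the leaf certificate in $cert" >&2
    return 3
  fi
  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$cert" -noout \
       -checkend "$((min_days * 86400))" >/dev/null; then
    echo "leaf certificate expires within $min_days days" >&2
    return 4
  fi
  echo "ok: key matches leaf; $(cert_count "$cert") certificate(s) in chain"
}

# Usage: ./check_tls_pair.sh privkey.pem fullchain.pem [min_days]
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```
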