TLS Settings

Important:

For ongoing Gateway configuration changes, always use the Gateway Configuration Manager, Akeyless CLI, or Helm values (for Kubernetes) to manage settings for the entire Gateway cluster.

Never configure only a single Gateway instance in a cluster. All instances in a cluster must be managed together using the supported tools above. Configuring only one instance, or making changes to individual containers or pods, will result in configuration drift, inconsistent behavior, and potential security or availability risks.

Avoid per-instance container startup command changes for routine updates. These should only be used for initial bootstrap or emergency recovery, not for ongoing management.

Configuring TLS

Akeyless Gateway should always be used with TLS to ensure all traffic is encrypted in transit.

If you are working with Load Balancers or reverse proxies in front of your Gateway, TLS should be used for all network connections.

Note:

The HTTP protocol is considered insecure and is discouraged; remote Gateway configuration is therefore not supported over HTTP. If you wish to configure your Gateway remotely, make sure you do it over HTTPS.

To configure TLS, on your Gateway Configuration Manager under the General tab:

  1. Select the cloud icon next to TLS Certificate.

  2. Upload a TLS Certificate and provide a TLS Private Key in a PEM format and Save.

Example CLI command to update the TLS certificate on an existing Gateway:

akeyless gateway-update-tls-cert \
--cert-data <TLS Certificate (base64-encoded)> \
--key-data <TLS Private Key (base64-encoded)> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000'

TLS 1.3 and PQC

For Akeyless SaaS endpoints, hybrid post-quantum key exchange is enabled by default over TLS 1.3.

For Akeyless Gateway endpoints, hybrid post-quantum key exchange is enabled when the Gateway is configured to use TLS 1.3.

For deployment-specific steps, see:

After deployment, verify that the browser connection details show X25519MLKEM768, which confirms a hybrid key exchange (X25519 + ML-KEM 768).

Updating a TLS Certificate

A TLS certificate can also be updated from the CLI with the following command:

akeyless gateway-update-tls-cert \
--cert-data <TLS Certificate (base64-encoded)> \
--key-data <TLS Private Key (base64-encoded)> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000'

This command requires both a TLS certificate and a matching TLS private key.

The command's full parameters are:

  • cert-data: TLS Certificate (Base64-encoded). This flag is ignored if cert-file-name is supplied.
  • cert-file-name: Path to the file containing the TLS Certificate. This flag is ignored if cert-data is supplied.
  • key-data: TLS Private Key (Base64-encoded). This flag is ignored if key-file-name is supplied.
  • key-file-name: Path to the file containing the TLS Private Key. This flag is ignored if key-data is supplied.
  • gateway-url[=http://localhost:8000]: Akeyless Gateway URL (Configuration Management port).
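As an added pre-flight check (not part of the Akeyless documentation or CLI), the POSIX shell script below confirms that the certificate and private key you are about to upload actually belong together and that the certificate is still valid, and then assembles the gateway-update-tls-cert invocation shown above with the Base64-encoded --cert-data and --key-data values. It assumes the openssl and base64 binaries are on PATH; the file names and Gateway URL are placeholders.

```shell
#!/bin/sh
# Pre-flight check before running `akeyless gateway-update-tls-cert`.
# Assumes openssl and base64 are installed; paths and the Gateway URL are
# placeholders supplied by the caller.

check_tls_pair() {
  cert="$1"; key="$2"
  # Both inputs must be parseable, unencrypted PEM.
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "unreadable certificate PEM: $cert" >&2; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null \
    || { echo "unreadable private key PEM: $key" >&2; return 1; }
  # Hash the DER public key embedded in the certificate and the public key
  # derived from the private key; a matching pair yields identical digests.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "certificate and private key do not match" >&2; return 1; }
  # Reject a certificate that has expired or expires within the next hour.
  openssl x509 -in "$cert" -noout -checkend 3600 >/dev/null \
    || { echo "certificate expired or about to expire" >&2; return 1; }
}

# Prints the update command instead of executing it, so it can be reviewed
# (or piped to sh) once the checks pass.
build_update_cmd() {
  cert="$1"; key="$2"; gw_url="$3"
  check_tls_pair "$cert" "$key" || return 1
  # The CLI expects the PEM files Base64-encoded as a single line.
  cert_b64=$(base64 < "$cert" | tr -d '\n')
  key_b64=$(base64 < "$key" | tr -d '\n')
  printf "akeyless gateway-update-tls-cert --cert-data '%s' --key-data '%s' --gateway-url '%s'\n" \
    "$cert_b64" "$key_b64" "$gw_url"
}

# Usage: build_update_cmd gateway.crt gateway.key 'https://gw.example.internal:8000'
```

If you prefer to pass files directly, the cert-file-name and key-file-name flags listed above take the PEM paths without Base64 encoding, and the same check_tls_pair function still applies.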
