TLS Settings
Transport Layer Security (TLS) on Gateway
Configuring TLS
Akeyless Gateway should always be used with TLS to ensure all traffic is encrypted in transit.
If you are working with Load Balancers or reverse proxies in front of your Gateway, TLS should be used for all network connections.
Note:The use of the HTTP protocol is considered insecure and discouraged; thus, remote Gateway configuration is not supported over HTTP. If you wish to configure your Gateway remotely, make sure you do it over HTTPS.
To configure TLS, on your Gateway Configuration Manager under the General tab:
-
Select the cloud icon next to TLS Certificate
-
Upload a TLS Certificate and provide a TLS Private Key in a PEM format and Save.
TLS 1.3 and PQC
To enable hybrid post-quantum key exchange on the Gateway, configure the deployment to use TLS 1.3 and the Go runtime flag GODEBUG=tlsmlkem=1.
For deployment-specific steps, see:
After deployment, verify that the browser connection details show X25519MLKEM768, which confirms a hybrid key exchange (X25519 + MLKEM-768).
Updating a TLS Certificate
Updating a TLS certificate can be accessed through the CLI by using the following command:
akeyless gateway-update-tls-cert \
--cert-data <TLS Certificate (base64-encoded)> \
--key-data <TLS Private Key (base64-encoded)> \
--gateway-url 'https://<Your-Akeyless-GW-URL>:8000'This command requires both a TLS certificate and a matching TLS private key.
The command's full parameters are:
cert-data: TLS Certificate (Base64-encoded), this flag is ignored ifcert-file-nameis supplied.cert-file-name: Path to the file containing the TLS Certificate, this flag is ignored ifcert-datais suppliedkey-data: TLS Private Key (Base64-encoded), this flag is ignored ifkey-file-nameis suppliedkey-file-name: Path to the file containing the TLS Private Key, this flag is ignored ifkey-datais suppliedgateway-url[=http://localhost:8000]: Akeyless Gateway URL (Configuration Management port).
Updated 6 days ago