Supported configurations
TLS can be configured for two different communication paths:- Client to Load Balancer (TLS): Standard TLS termination using
TERMINATED_HTTPSprotocol. The Load Balancer presents a server certificate to clients. - Load Balancer to backend servers (mTLS): Mutual TLS where both the Load Balancer and backend servers exchange and verify certificates.
mTLS between clients and the Load Balancer is not supported. For client-facing connections, use standard TLS with the
TERMINATED_HTTPS protocol.Certificate parameters
Each path uses different certificate parameters stored via different API endpoints. Listener certificates use/v2/secrets, which supports PKCS12 binary format; pool CA certificates and CRLs use /v1/secrets for PEM text format. The split is intentional — the endpoints store different certificate formats.
| Parameter | Applies to | Purpose | Endpoint | Format |
|---|---|---|---|---|
secret_id | Listener | Server certificate presented to clients | /v2/secrets | PKCS12 |
sni_secret_id | Listener | Additional SNI certificates for multi-domain support | /v2/secrets | PKCS12 |
secret_id | Pool | Client certificate the Load Balancer presents to backends | /v2/secrets | PKCS12 or PEM |
ca_secret_id | Pool | CA certificate for verifying backend server certificates | /v1/secrets | PEM |
crl_secret_id | Pool | Certificate revocation list | /v1/secrets | PEM |
TLS termination
The steps below configure a new load balancer with aTERMINATED_HTTPS listener.
Step 1. Create server certificate secret
Create a PKCS12 certificate bundle using the/v2/secrets endpoint:
Step 2. Create listener with TLS termination
Create a load balancer with aTERMINATED_HTTPS listener referencing the server certificate:
mTLS for backend connections
The steps below create the certificate secrets and a pool with mTLS parameters for an existing load balancer.Step 1. Create CA certificate secret
Create a PEM CA certificate using the/v1/secrets endpoint:
Step 2. (Optional) Create Load Balancer client certificate
If backend servers require client authentication, create a certificate that the Load Balancer presents to backends:Step 3. Create pool with mTLS configuration
Create a pool withHTTPS protocol and mTLS parameters:
ca_secret_id parameter enables the Load Balancer to verify backend server certificates. The secret_id parameter provides the client certificate for mutual authentication.
mTLS on an existing load balancer
An existing pool’s mTLS configuration can be updated without recreating the load balancer. Create the required CA certificate viaPOST /v1/secrets and, if needed, the client certificate via POST /v2/secrets, then send a PATCH request with the certificate secret IDs:
Each API call returns a
task_id. Wait for task completion before proceeding to the next step.