consul/website/content/docs/connect/gateways/api-gateway/secure-traffic/encrypt-vms.mdx
Docs/api-gw-jwts-openshift-1-17-x (#19035) * update main apigw overview * moved the tech specs to main gw folder * merged tech specs into single topic * restructure nav part 1 * fix typo in nav json file * moved k8s install up one level * restructure nav part 2 * moved and created all listeners and routes content * moved errors ref and upgrades * fix error in upgrade-k8s link * moved conf refs to appropriate spots * updated conf overview * fixed some links and bad formatting * fixed link * added JWT on VMs usage page * added JWT conf to APIGW conf entry * added JWTs to HTTP route conf entry * added new gatwaypolicy k8s conf reference * added metadesc for gatewaypolicy conf ref * added http route auth filter k8s conf ref * added http route auth filter k8s conf ref to nav * updates to k8s route conf ref to include extensionRef * added JWTs usage page for k8s * fixed link in gwpolicy conf ref * added openshift installation info to installation pages * fixed bad link on tech specs * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * fixed VerityClaims param * best guess at verifyclaims params * tweaks to gateway policy dconf ref * Docs/ce 475 retries timeouts for apigw (#19086) * added timeout and retry conf ref for k8s * added retry and TO filters to HTTP routes conf ref for VMs * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * fix copy/paste error in http route conf entry --------- Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> * update links across site and add redirects * Apply suggestions from code review Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> * Apply suggestions from code review 
Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> * Applied feedback from review * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> * Update CRD configuration for responseHeaderModifiers * Update Config Entry for http-route * Add ResponseFilter example to service * Update website/redirects.js errant curly brace breaking the preview * fix links and bad MD * fixed md formatting issues * fix formatting errors * fix formatting errors * Update website/content/docs/connect/gateways/api-gateway/secure-traffic/verify-jwts-k8s.mdx * Apply suggestions from code review * fixed typo * Fix headers in http-route * Apply suggestions from code review Co-authored-by: John Maguire <john.maguire@hashicorp.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> --------- Co-authored-by: Jeff Boruszak <104028618+boruszak@users.noreply.github.com> Co-authored-by: Nathan Coleman <nathan.coleman@hashicorp.com> Co-authored-by: sarahalsmiller <100602640+sarahalsmiller@users.noreply.github.com> Co-authored-by: Thomas Eckert <teckert@hashicorp.com> Co-authored-by: John Maguire <john.maguire@hashicorp.com>
2023-10-10 20:29:55 +00:00
---
layout: docs
page_title: Encrypt API gateway traffic on virtual machines
description: Learn how to define inline certificate config entries and deploy them to Consul. Inline certificate configuration entries enable you to attach TLS certificates and keys to gateway listeners so that traffic between external clients and gateway listeners is encrypted.
---
# Encrypt API gateway traffic on virtual machines
This topic describes how to make TLS certificates available to API gateways so that requests between the user and the gateway endpoint are encrypted.
## Requirements
- Consul 1.15 or later
- You must have a certificate and key from your CA
- A Consul cluster with service mesh enabled. Refer to [`connect`](/consul/docs/agent/config/config-files#connect)
- Network connectivity between the machine deploying the API gateway and a
Consul cluster agent or server
### ACL requirements
If ACLs are enabled, you must present a token with the following permissions to
configure Consul and deploy API gateways:
- `mesh: read`
- `mesh: write`

Refer to [Mesh Rules](/consul/docs/security/acl/acl-rules#mesh-rules) for
additional information about configuring policies that enable you to interact
with Consul API gateway configurations.
## Define TLS certificates
1. Create an [`inline-certificate` configuration entry](/consul/docs/connect/gateways/api-gateway/configuration/inline-certificate) and specify the following fields:
   - `Kind`: Specifies the type of configuration entry. This must be set to `inline-certificate`.
   - `Name`: Specifies the name of the certificate. Reference this name in the [API gateway listener configuration](/consul/docs/connect/gateways/api-gateway/configuration/api-gateway#listeners) to bind the certificate to that listener.
   - `Certificate`: Specifies the inline public certificate to use for TLS as plain text.
   - `PrivateKey`: Specifies the inline private key to use for TLS as plain text.
1. Configure any additional fields necessary for your use case, such as the namespace or admin partition. Refer to the [`inline-certificate` configuration entry](/consul/docs/connect/gateways/api-gateway/configuration/inline-certificate) reference for additional information.
1. Save the configuration.

The following example defines a certificate named `my-certificate`. API gateway configurations that specify `inline-certificate` in the `Certificate.Kind` field and `my-certificate` in the `Certificate.Name` field are able to use the certificate.
```hcl
Kind = "inline-certificate"
Name = "my-certificate"
Certificate = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
PrivateKey = <<EOF
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
EOF
```
## Deploy the configuration to Consul
Run the `consul config write` command to enable listeners to use the certificate. The following example writes a configuration called `my-certificate.hcl`:
```shell-session
$ consul config write my-certificate.hcl
```
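The following helper script ties the two steps above together. It is an added example, not part of the Consul project: it renders the `inline-certificate` entry from PEM files instead of pasting them by hand, refuses inputs that lack the expected PEM blocks, checks (when `openssl` is present) that the private key belongs to the certificate, and then runs `consul config write` as shown above. The function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper: build an inline-certificate config entry from PEM
# files, sanity-check the inputs and write the entry to Consul.

# Succeed only if FILE exists and carries BEGIN/END armour for BLOCK_TYPE
# ("CERTIFICATE" or "PRIVATE KEY"; "RSA PRIVATE KEY" also matches the latter).
pem_has_block() {
  file=$1; block_type=$2
  [ -f "$file" ] && grep -q -- "-----BEGIN .*$block_type-----" "$file" \
                 && grep -q -- "-----END .*$block_type-----" "$file"
}

# Print the HCL config entry for NAME built from CERT_FILE and KEY_FILE.
# awk is used instead of cat so a PEM file without a trailing newline still
# leaves the heredoc terminator EOF on its own line.
render_inline_certificate() {
  name=$1; cert_file=$2; key_file=$3
  pem_has_block "$cert_file" "CERTIFICATE" || { echo "bad certificate PEM: $cert_file" >&2; return 1; }
  pem_has_block "$key_file" "PRIVATE KEY"  || { echo "bad private key PEM: $key_file" >&2; return 1; }
  printf 'Kind = "inline-certificate"\nName = "%s"\nCertificate = <<EOF\n' "$name"
  awk 1 "$cert_file"
  printf 'EOF\nPrivateKey = <<EOF\n'
  awk 1 "$key_file"
  printf 'EOF\n'
}

# Compare the certificate's public key with the one derived from the private
# key. Skipped (returns 0) when openssl is not installed.
key_matches_cert() {
  command -v openssl >/dev/null 2>&1 || return 0
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: encrypt-vms.sh NAME cert.pem key.pem
# Writes NAME.hcl (owner-only, since it holds the private key) and deploys it.
main() {
  name=$1; cert=$2; key=$3
  key_matches_cert "$cert" "$key" || { echo "private key does not match certificate" >&2; exit 1; }
  umask 077
  render_inline_certificate "$name" "$cert" "$key" > "$name.hcl" || exit 1
  consul config write "$name.hcl"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

Running `./encrypt-vms.sh my-certificate cert.pem key.pem` produces `my-certificate.hcl` in the layout shown above and writes it with the same `consul config write` command.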