TLS trust bundles

Uses: Event Gateway Konnect API

What is a TLS trust bundle?

A TLS trust bundle is a collection of trusted CA certificates that Kong Event Gateway uses to verify client certificates during a mutual TLS (mTLS) handshake. When a TLS server policy is configured with client_authentication, it references one or more trust bundles to determine whether a client’s certificate is trusted.

Trust bundles can contain:

Literal PEM certificates: The CA certificate is stored directly. Literal values are encrypted at rest and omitted from API responses.
Vault or environment references: A template expression like ${env['MY_CA_CERT']} that is resolved at runtime by the data plane.

Trust bundles are evaluated in order. Verification stops at the first trust bundle that successfully validates the client certificate chain. If no trust bundle validates the certificate, the connection is closed when the client authentication mode is required.

Set up a TLS trust bundle

curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId} \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "my-ca-bundle",
      "description": "Internal CA for client verification",
      "config": {
        "trusted_ca": "'$CA_CERT'"
      }
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
virtualClusterId: The id of the Virtual Cluster.
eventGatewayId: The id of the Event Gateway.
eventGatewayListenerId: The id of the Event Gateway Listener.

See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.

TLS trust bundles

What is a TLS trust bundle?

Set up a TLS trust bundle

Schema

Help us make these docs great!

Still need help?