I am trying to deploy multiple independent certificates and have Kong load all of them and use them all to provide SSL for incoming traffic.
I have a configuration as follows:
but when attempting to access kong via urls that match each certificate
url that matches cert2
url that matches cert1
Does Kong not support loading multiple different certificates?
Do I need to make a combined cert first?
I did verify that when loading only cert1, everything is fine. When loading only cert2, everything is fine. The problem only occurs when both certs are loaded.
So, does anyone know how to get Kong to host more than one domain, each with its own SSL/TLS certificate?
As in, if you have two domains, abc.com and def.com, and they each have an SSL certificate, how do you get Kong to load both certificates and serve the appropriate certificate to requests for each of those domains?
This has been solved.
You can only have a single certificate, and it must cover all the domains (at least for the ssl_cert and admin_ssl_cert).
If you are trying to provide SSL for upstreams or other services that Kong is proxying, you can use the certificates endpoint along with the snis endpoint to set up SSL for those.
But if you are trying to provide SSL for the whole of Kong, only a single cert is possible.
Kong doesn’t support loading multiple certificates directly for the proxy or admin SSL listeners (via ssl_cert and admin_ssl_cert). You can only specify one cert/key pair, and that certificate must cover all required domains (e.g. using SAN or a wildcard). If you’re trying to handle SSL for multiple services or upstreams, you can instead use the certificates and snis endpoints to configure those separately. But for Kong’s own SSL (like the admin and proxy interface), a single cert is the only option. Hope it helps!
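Added example, not part of the thread's posts or of Kong's code: a pre-deployment check that a single certificate's SAN entries cover every hostname to be served, using the usual wildcard rule (a `*` stands for exactly one left-most label). The function names and the SAN and host lists are constructed for illustration; the SAN list is assumed to have been read from the certificate beforehand.

```python
"""Check that one certificate's SAN list covers every hostname to be served."""


def san_matches(pattern: str, host: str) -> bool:
    """Wildcard match: '*' only as the whole left-most label, one label deep."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # '*.abc.com' covers neither 'abc.com' nor 'a.b.abc.com'.
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered(san_dns_names, required_hosts):
    """Return the required hostnames that no SAN entry covers, in input order."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in san_dns_names)]


# Constructed sample data (not the certificates from the thread).
SAN_COMBINED = ["abc.com", "*.abc.com", "def.com"]
SAN_CERT1_ONLY = ["abc.com", "*.abc.com"]
HOSTS = ["abc.com", "api.abc.com", "def.com", "www.def.com", "a.b.abc.com"]

if __name__ == "__main__":
    for name, sans in (("combined", SAN_COMBINED),
                       ("cert1 only", SAN_CERT1_ONLY)):
        print(name, "-> uncovered:", uncovered(sans, HOSTS))
```

Any hostname the check reports as uncovered would produce a name-mismatch error in clients if it were served with that certificate.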