As an application operator, you can upload transport layer security (TLS) certificates to Tanzu Services Mesh to enable different use cases that require encryption of traffic using TLS, such as public services. You can manage certificates on the Keys & Certificates page.

This procedure describes how to add a new certificate to Tanzu Service Mesh.


Verify the following prerequisites:

  • You have a certificate and a private key from a trusted certificate authority (CA) and know the location of the certificate and private key files. The certificate file must be in PEM (.pem) format. The private key file must be in PEM or KEY (.key) format.

  • Users in your organization can configure a public service to be accessible at an HTTPS URL and select a certificate in the public service configuration to encrypt HTTPS traffic to the service. To ensure that the certificate works correctly, verify that it matches the domain specified for the public service. For more information about public services, see Create a Public Service.

  • You are in the Tanzu Service Mesh Console. For information about accessing the Tanzu Service Mesh Console, see Access the Tanzu Service Mesh Console.


  1. In the navigation pane on the left, click Tanzu Admin > Keys & Certificates.
  2. On the Keys & Certificates page, above the table, click New Certificate.
  3. In the New Certificate dialog box, provide the following information.
    • Name. The name of the certificate to help distinguish it from other certificates in Tanzu Service Mesh. The name can contain only alphanumeric characters and underscores (_) and cannot contain numbers and special characters, such as ampersands (&) and pound signs (#). It must contain a minimum of 2 characters and a maximum of 1,024 characters.

    • (Optional) Description. An optional description of the certificate.

    • Certificate File. Click Select .PEM File and browse to the certificate file that you want to upload.

    • Private Key. Click Select .PEM /.KEY File and browse to the private key file.

    • (Optional) Certificate Chain. Optionally upload the CA certificate chain file.


    Certificate Type specifies the type of certificate. Currently, only user-defined certificates are available.

  4. Click Save.


The new certificate is added to the table on the Keys & Certificates page. To edit or delete the certificate, click the three vertical dots to the left of the certificate name in the table and click Edit or Delete on the menu. The table on the Keys & Certificates page displays details about the certificate, including the following details:

  • The name of the certificate

  • The date and time when the certificate becomes valid

  • The date and time when the certificate expires

  • Details of the certificate issuer (common name, organization, and organizational unit if specified)

  • The organization to which the certificate was issued

  • The certificate authority (CA) that issued the certificate

  • The certificate serial number


If some of the details about the certificate are not visible in the table, in the upper-right of the table, click Column Settings and select the check box next to each column that you want to show in the table.

The certificate is available for selection in public service configurations that specify HTTPS. If a user selects the certificate for a public service, Tanzu Service Mesh will attach the certificate to the domain of the public service to encrypt traffic to the service.