TLS/SSL Configuration for AI Traffic

All traffic between applications, the Keeptrusts gateway, control-plane API, and upstream LLM providers should be encrypted in transit. This guide covers certificate provisioning, mTLS between internal components, HTTPS termination strategies, and automated certificate rotation.

Use this page when

You need to configure TLS for traffic between applications and the Keeptrusts gateway.
You are setting up mTLS (mutual TLS) between the gateway and the control-plane API.
You need automated certificate rotation with Let's Encrypt or internal CA.
You want to verify all traffic segments are encrypted and no plaintext listeners exist on public interfaces.

Primary audience

Primary: Technical Engineers
Secondary: AI Agents, Technical Leaders

Certificate Architecture

Traffic Encryption Points

Application ──[TLS]──▶ Gateway ──[TLS]──▶ LLM Provider
                          │
                       [mTLS]
                          │
                          ▼
                     API Server ──[TLS]──▶ PostgreSQL

Each segment requires its own certificate configuration:

Segment	Certificate Type	Managed By
Client → Gateway	Server TLS	Gateway host or reverse proxy
Gateway → API	mTLS (mutual)	Both gateway and API
Gateway → LLM provider	Server TLS	Provider (public CA)
API → PostgreSQL	Server TLS	Database server
Browser → Console	Server TLS	Console host or reverse proxy

Gateway TLS Configuration

Direct TLS Termination

Configure the gateway to terminate TLS directly:

# Run gateway with TLS
kt gateway run \
  --config policy-config.yaml \
  --tls-cert /etc/keeptrusts/certs/gateway.crt \
  --tls-key /etc/keeptrusts/certs/gateway.key \
  --port 443

Environment Variable Configuration

export KEEPTRUSTS_TLS_CERT_PATH=/etc/keeptrusts/certs/gateway.crt
export KEEPTRUSTS_TLS_KEY_PATH=/etc/keeptrusts/certs/gateway.key
kt gateway run --policy-config policy-config.yaml

Certificate Requirements

Minimum RSA 2048-bit or ECDSA P-256
Subject Alternative Name (SAN) must include the gateway hostname
Chain must include intermediate certificates
PEM format for both certificate and key

# Verify certificate details
openssl x509 -in /etc/keeptrusts/certs/gateway.crt -text -noout | \
  grep -E "Subject:|Issuer:|Not After|DNS:"

# Verify key matches certificate
openssl x509 -noout -modulus -in gateway.crt | openssl md5
openssl rsa -noout -modulus -in gateway.key | openssl md5

Mutual TLS (mTLS)

Gateway-to-API mTLS

Enforce mutual authentication between the gateway and the control-plane API:

# Generate CA for internal services
openssl genrsa -out ca.key 4096
openssl req -new -x509 -key ca.key -sha256 -days 1095 \
  -out ca.crt -subj "/CN=Keeptrusts Internal CA"

# Generate gateway client certificate
openssl genrsa -out gateway-client.key 2048
openssl req -new -key gateway-client.key \
  -out gateway-client.csr -subj "/CN=keeptrusts-gateway"
openssl x509 -req -in gateway-client.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out gateway-client.crt -days 365 -sha256

# Generate API server certificate
openssl genrsa -out api-server.key 2048
openssl req -new -key api-server.key \
  -out api-server.csr -subj "/CN=keeptrusts-api"
openssl x509 -req -in api-server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out api-server.crt -days 365 -sha256

Configure Gateway as mTLS Client

export KEEPTRUSTS_API_CLIENT_CERT=/etc/keeptrusts/certs/gateway-client.crt
export KEEPTRUSTS_API_CLIENT_KEY=/etc/keeptrusts/certs/gateway-client.key
export KEEPTRUSTS_API_CA_CERT=/etc/keeptrusts/certs/ca.crt
kt gateway run --policy-config policy-config.yaml

Verify mTLS Connection

# Test mTLS handshake
openssl s_client -connect api.internal:8080 \
  -cert gateway-client.crt -key gateway-client.key \
  -CAfile ca.crt -verify_return_error

HTTPS Termination Strategies

Strategy 1: Reverse Proxy Termination (Recommended)

Terminate TLS at nginx or a cloud load balancer and forward plain HTTP to the gateway:

server {
    listen 443 ssl http2;
    server_name gateway.example.com;

    ssl_certificate     /etc/letsencrypt/live/gateway.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gateway.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS header
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:41002;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }
}

Strategy 2: End-to-End Encryption

For environments requiring encryption on every hop:

Client ──[TLS]──▶ LB ──[TLS]──▶ Gateway ──[mTLS]──▶ API

Configure the load balancer for TLS passthrough or re-encryption.

Strategy 3: Service Mesh TLS

In Kubernetes with Istio or Linkerd, the sidecar proxy handles mTLS automatically:

# Istio PeerAuthentication
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: keeptrusts-strict
  namespace: keeptrusts
spec:
  mtls:
    mode: STRICT

Certificate Rotation

Automated Rotation with Let's Encrypt

# Install certbot
apt-get install -y certbot

# Obtain certificate
certbot certonly --standalone -d gateway.example.com \
  --non-interactive --agree-tos -m admin@example.com

# Auto-renew cron (certbot creates this by default)
# /etc/cron.d/certbot
0 12 * * * root certbot renew --quiet --post-hook "systemctl reload nginx"

Rotation with systemd Timer

# /etc/systemd/system/keeptrusts-cert-rotate.timer
[Unit]
Description=Rotate Keeptrusts TLS certificates

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target

# /etc/systemd/system/keeptrusts-cert-rotate.service
[Unit]
Description=Rotate Keeptrusts TLS certificates

[Service]
Type=oneshot
ExecStart=/usr/local/bin/rotate-keeptrusts-certs.sh

Monitoring Certificate Expiry

#!/usr/bin/env bash
# check-cert-expiry.sh — alert if certificate expires within 14 days
set -euo pipefail

CERT_PATH="/etc/keeptrusts/certs/gateway.crt"
DAYS_THRESHOLD=14

expiry_date=$(openssl x509 -enddate -noout -in "$CERT_PATH" | cut -d= -f2)
expiry_epoch=$(date -d "$expiry_date" +%s)
now_epoch=$(date +%s)
days_remaining=$(( (expiry_epoch - now_epoch) / 86400 ))

if [[ $days_remaining -lt $DAYS_THRESHOLD ]]; then
  echo "WARNING: Certificate expires in $days_remaining days" >&2
  exit 1
fi

echo "Certificate OK — $days_remaining days remaining"

PostgreSQL TLS

Enable SSL on PostgreSQL

# postgresql.conf
ssl = on
ssl_cert_file = '/var/lib/postgresql/server.crt'
ssl_key_file = '/var/lib/postgresql/server.key'
ssl_ca_file = '/var/lib/postgresql/ca.crt'

API Connection with TLS

export DATABASE_URL="postgres://keeptrusts:password@db.internal:5432/keeptrusts?sslmode=verify-full&sslrootcert=/etc/keeptrusts/certs/ca.crt"

Verification Checklist

# 1. Verify gateway TLS
curl -v https://gateway.example.com:443/health 2>&1 | grep "SSL connection"

# 2. Verify mTLS between gateway and API
openssl s_client -connect api.internal:8080 \
  -cert /etc/keeptrusts/certs/gateway-client.crt \
  -key /etc/keeptrusts/certs/gateway-client.key

# 3. Verify PostgreSQL TLS
psql "host=db.internal dbname=keeptrusts sslmode=verify-full sslrootcert=ca.crt" \
  -c "SELECT ssl_is_used();"

# 4. Verify no plaintext listeners on public interfaces
ss -tlnp | grep -E '41002|8080' | grep '0.0.0.0'

Next steps

Load Balancing — TLS termination at the load balancer layer
Security Hardening — additional security controls beyond TLS
Network Configuration — port and firewall setup

For AI systems

Canonical terms: Keeptrusts TLS configuration, mTLS, certificate rotation, HTTPS termination, Let's Encrypt, gateway TLS, PostgreSQL SSL, certificate authority.
Key config/commands: kt gateway run --tls-cert gateway.crt --tls-key gateway.key --port 443; mTLS with client certificates between gateway and API; sslmode=verify-full for PostgreSQL; certbot for Let's Encrypt automation; openssl s_client for verification.
Best next pages: Load Balancing, Security Hardening, Network Configuration.

For engineers

Prerequisites: Certificate files (server cert + key for gateway, client cert for mTLS, CA cert for verification); DNS records pointing to gateway/API hosts.
Configure four encryption segments: client → gateway (server TLS), gateway → API (mTLS), gateway → LLM provider (public CA), API → PostgreSQL (server TLS).
Validate with: curl -v https://gateway.example.com:443/health 2>&1 | grep "SSL connection"; openssl s_client -connect api.internal:8080 -cert gateway-client.crt; psql "sslmode=verify-full" -c "SELECT ssl_is_used();".
Verify no plaintext listeners on public interfaces: ss -tlnp | grep -E '41002|8080' | grep '0.0.0.0' should return nothing.

For leaders

All AI prompts and responses transit the network — unencrypted traffic exposes sensitive data to interception.
mTLS between gateway and API provides mutual authentication, preventing rogue gateways from injecting events.
Automated certificate rotation (Let's Encrypt or internal CA) eliminates certificate expiry outages.
Compliance frameworks (SOC 2, ISO 27001, PCI-DSS) require encryption in transit for all sensitive data.

Use this page when​

Primary audience​

Certificate Architecture​

Traffic Encryption Points​

Gateway TLS Configuration​

Direct TLS Termination​

Environment Variable Configuration​

Certificate Requirements​

Mutual TLS (mTLS)​

Gateway-to-API mTLS​

Configure Gateway as mTLS Client​

Verify mTLS Connection​

HTTPS Termination Strategies​

Strategy 1: Reverse Proxy Termination (Recommended)​

Strategy 2: End-to-End Encryption​

Strategy 3: Service Mesh TLS​

Certificate Rotation​

Automated Rotation with Let's Encrypt​

Rotation with systemd Timer​

Monitoring Certificate Expiry​

PostgreSQL TLS​

Enable SSL on PostgreSQL​

API Connection with TLS​

Verification Checklist​

Next steps​

For AI systems​

For engineers​

For leaders​