Skip to main content

Auto TLS


Auto TLS enables automatic TLS between Pomerium Core and Enterprise by deriving the certificate authority (CA) and server certificates from a shared_secret.

Auto TLS secures HTTPS and gRPC/TLS endpoints connecting the Console to the Databroker and Proxy services so you don’t have to manually generate certificates (it’s still an option for users who demand it).

How to configure

Config file keysEnvironment variablesTypeUsageDefault
tls_deriveTLS_DERIVEFQDL (fully qualified domain name)optionalnone



When you set tls_derive:

  • A CA is derived from the shared_secret and is added to the list of system default CAs
  • An upstream route (to) server certificate signed by such a derived CA would be trusted
  • The Databroker gRPC server would use a server certificate with a provided domain name and signed by a derived CA