The Application Load Balancer (ALB) Ingress controller supports automatic certificate discovery. ALB instances can discover certificates based on the domain name of Knative Services. This topic describes how to create a Transport Layer Security (TLS) certificate and use the certificate to configure access over HTTPS.


An ALB Ingress is configured in Knative. For more information, see Use ALB Ingresses in Knative.


You must create a TLS certificate, upload the certificate to the Certificate Management Service console, and then create a Knative Service that has TLS enabled. Then, the related ALB instance can automatically discover the TLS certificate based on the domain name of the Knative Service. Perform the following steps:

  1. Run the following openssl commands to create a certificate:
    openssl genrsa -out albtop-key.pem 4096
    openssl req -subj "/" -sha256  -new -key albtop-key.pem -out albtop.csr
    echo subjectAltName = > extfile.cnf
    openssl x509 -req -days 3650 -sha256 -in albtop.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out albtop-cert.pem -extfile extfile.cnf
  2. Upload the certificate that you created to the Certificate Management Service console. For more information, see Upload a certificate.
  3. Create a Knative Service that has TLS enabled with the following YAML template.
    Set knative.k8s.alibabacloud/tls to true to enable access over HTTPS.
    kind: Service
      name: helloworld
      namespace: default
        knative.k8s.alibabacloud/tls: "true" 
          - image:
            - name: TARGET
              value: "Knative"
  4. Run the following command to access the Knative Service over HTTPS:
    curl -H "host:" -k
    Expected output:
    Hello Knative!
    The output shows that the Knative Service can be accessed over HTTPS.