
How Does ngrok Handle TLS Certificates?

ngrok automatically handles TLS (SSL) certificate management and termination for you out of the box, but you can also customize how termination works and use your own certificates.

You can manage TLS certificates with:

You can also specify the local path to a certificate file when starting a TLS endpoint with the Agent CLI.

How certificates work

A TLS certificate in ngrok is composed of a certificate and its private key. The ngrok cloud service uses them during TLS handshakes to terminate TLS connections to HTTPS endpoints and TLS endpoints: the certificate is presented to the client, and the private key is used to prove possession of it.

Certificates with domains

TLS certificates are attached to domains for termination of TLS connections to endpoints whose URLs match that domain.

Wildcard domains

See the wildcard domains docs for more information about how TLS certificates are managed for wildcard domains.

Mutual TLS

Mutual TLS is supported when terminating TLS at ngrok's cloud service via the mutual_tls_certificate_authorities field of the terminate-tls traffic policy action.

You can also enable mutual TLS when terminating TLS at the agent via the mutual_tls_certificate_authorities property of the agent_tls_termination section of an endpoint configuration in the agent configuration file.
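For termination at ngrok's cloud service, a traffic policy along these lines sets the field named above. This is an added illustration, not taken from this page: the `on_tcp_connect` phase and the `actions`/`config` layout are assumptions to check against the terminate-tls action reference, and the PEM body is a placeholder.

```yaml
# Added example: require client certificates when ngrok terminates TLS.
# The phase name and nesting are assumptions; only the action name and
# the mutual_tls_certificate_authorities field come from this page.
on_tcp_connect:
  - actions:
      - type: terminate-tls
        config:
          # PEM-encoded CA certificate(s). A client certificate must chain
          # to one of these for the handshake to succeed.
          mutual_tls_certificate_authorities:
            - |-
              -----BEGIN CERTIFICATE-----
              <PLACEHOLDER: PEM body of your client CA certificate>
              -----END CERTIFICATE-----
```

List only CAs that are dedicated to issuing client certificates for this endpoint, since every certificate issued by a listed CA is accepted.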

API

TLS certificates are managed programmatically via:

Pricing

TLS certificates are available on all plans. Bringing your own certificates is available on the Enterprise plan. See the pricing page for details.