TykTechnologies · dcs3spp · Aug 29, 2024 · Mar 20, 2024 · Aug 21, 2024 · Aug 22, 2024
diff --git a/config/config.go b/config/config.go
@@ -518,7 +518,10 @@ type CoProcessConfig struct {
 
 type CertificatesConfig struct {
 	API []string `json:"apis"`
-	// Specify upstream mutual TLS certificates at a global level in the following format: `{ "<host>": "<cert>" }``
+	// Upstream is used to specify the certificates to be used in mutual TLS connections to upstream services. These are set at gateway level as a map of domain -> certificate id or path.
+	// For example if you want Tyk to use the certificate `ab23ef123` for requests to the `example.com` upstream and `/certs/default.pem` for all other upstreams then:
+	// In `tyk.conf` you would configure `"security": {"certificates": {"upstream": {"*": "/certs/default.pem", "example.com": "ab23ef123"}}}`
+	// And if using environment variables you would set this to `*:/certs/default.pem,example.com:ab23ef123`.
 	Upstream map[string]string `json:"upstream"`
 	// Certificates used for Control API Mutual TLS
 	ControlAPI []string `json:"control_api"`