TLS
The top-level tls block carries default TLS material — used by the external-controller-tls listener and by inbounds that opt to inherit a certificate from the global block rather than declaring their own.
Options
| Field | Type | Default | Allowed values | Description |
|---|---|---|---|---|
| `certificate` | string | (unset) | `<PEM file path>` \| `<PEM literal>` | Default TLS certificate used by inbounds that do not provide their own. Either a file path or an inline PEM block. |
| `private-key` | string | (unset) | `<key file path>` \| `<key literal>` | Private key matching `certificate`. |
| `client-auth-type` | string | (none) | `no-client-cert` \| `request-client-cert` \| `require-any-client-cert` \| `verify-client-cert-if-given` \| `require-and-verify-client-cert` | Go-standard ClientAuth setting controlling whether clients must present a certificate to TLS-protected inbounds. |
| `client-auth-cert` | string | (unset) | `<PEM file path>` | PEM bundle of CA certificates accepted as client roots. |
| `ech-key` | string | (unset) | `<ECH config / key>` | ECH (Encrypted Client Hello) configuration material for inbounds that support ECH. |
| `custom-certifactes` | []string | [] | `<PEM file path>` | Extra CA certificates added to the trust set used when verifying outbound peers. (Note the source spells this `certifactes`.) |
Source: config/config.go:384-391 · pinned at v1.19.27 (5184081)
Example
```yaml
tls:
  certificate: /etc/mihomo/server.crt
  private-key: /etc/mihomo/server.key
  client-auth-type: require-and-verify-client-cert
  client-auth-cert: /etc/mihomo/clients-ca.crt
  custom-certifactes:
    - /etc/mihomo/extra-ca.crt
```

Notes
- The source field name `custom-certifactes` is misspelled (missing an `i`); we keep the spelling here to match the actual YAML key.
- Inline `certificate` / `private-key` blocks use literal newlines; prefer file paths for anything that lives in version control.
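The five `client-auth-type` values differ in whether a client certificate is demanded and whether its chain is checked against `client-auth-cert`. The Go program below is an added example, not mihomo's own code: it maps each documented string to Go's `tls.ClientAuthType`, loads the CA bundle, and reports the modes that leave clients unauthenticated. `CheckClientAuth` and its policy of rejecting a verifying mode that has no `client-auth-cert` are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// Documented client-auth-type strings mapped to Go's tls.ClientAuthType.
var modes = map[string]tls.ClientAuthType{
	"no-client-cert":                 tls.NoClientCert,
	"request-client-cert":            tls.RequestClientCert,
	"require-any-client-cert":        tls.RequireAnyClientCert,
	"verify-client-cert-if-given":    tls.VerifyClientCertIfGiven,
	"require-and-verify-client-cert": tls.RequireAndVerifyClientCert,
}

// CheckClientAuth is a hypothetical helper for this example, not a mihomo API.
func CheckClientAuth(authType, caPath string) (*tls.Config, []string, error) {
	mode, ok := modes[authType]
	if !ok && authType != "" { // unset keeps the default: no client certificate
		return nil, nil, fmt.Errorf("unknown client-auth-type %q", authType)
	}
	cfg := &tls.Config{ClientAuth: mode}
	if caPath != "" {
		pem, err := os.ReadFile(caPath)
		if err != nil {
			return nil, nil, err
		}
		cfg.ClientCAs = x509.NewCertPool()
		if !cfg.ClientCAs.AppendCertsFromPEM(pem) {
			return nil, nil, fmt.Errorf("client-auth-cert %s: no CA certificate parsed", caPath)
		}
	} else if mode >= tls.VerifyClientCertIfGiven { // example policy: verifying modes need explicit roots
		return nil, nil, fmt.Errorf("%s needs client-auth-cert", authType)
	}
	var warns []string
	if mode == tls.RequestClientCert || mode == tls.RequireAnyClientCert {
		warns = append(warns, authType+": client certificate chain is not verified against any CA")
	} else if mode == tls.VerifyClientCertIfGiven {
		warns = append(warns, authType+": clients that present no certificate are still accepted")
	}
	return cfg, warns, nil
}

func main() {
	_, warns, err := CheckClientAuth("require-any-client-cert", "")
	fmt.Println(warns, err)
}
```

Only `require-and-verify-client-cert` returns without a warning among the modes that ask for a certificate, which is why the example configuration above pairs it with `client-auth-cert`.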
