<@U04UQ68083H> how to do tls configuration for Oru...
# ory-copilot
@chilly-king-10285 how to do TLS configuration for Ory Keto
A message from kapa.ai
To configure TLS (HTTPS) for Ory Keto, you need to provide TLS certificates and keys to the Keto server. While the knowledge sources do not provide a detailed, step-by-step guide specifically for Ory Keto, the general approach for Ory services (including Hydra and Kratos) is to generate or obtain TLS certificates and then configure the service to use them. Here’s a general outline based on Ory’s documentation for similar products:

1. Generate TLS Certificates

You can generate self-signed certificates using OpenSSL:

```
openssl genrsa -out key.pem 4096
openssl req -new -x509 -sha256 -key key.pem -out cert.crt -days 365
```

2. Provide Certificates to Ory Keto

While the exact environment variables or configuration keys for Keto are not explicitly listed in the knowledge sources, Ory services typically allow you to provide certificate and key files via environment variables or configuration file paths. For example, with Ory Hydra and Kratos, you can use variables like `SERVE_TLS_CERT_PATH` and `SERVE_TLS_KEY_PATH` or their base64 equivalents. For Docker, you would mount the files and set the environment variables accordingly:

```
docker run ... \
  -e SERVE_TLS_CERT_PATH=/path/to/cert.crt \
  -e SERVE_TLS_KEY_PATH=/path/to/key.pem \
  ...
```

3. Reference Configuration

The Keto CLI documentation mentions that all configuration can be set via environment variables or a config file, and refers to the [configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for details. However, the specific keys for TLS are not detailed in the provided sources. You should consult the latest [Keto configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for the exact keys.

4. Run Keto with the Config

Start Keto with your configuration file or environment variables:

```
keto serve --config /path/to/config.yaml
```

Note:
- TLS is not enabled by default. You must explicitly configure it.
- It is common practice to terminate TLS at a gateway or load balancer in production, rather than directly on Keto, as recommended in the production guide. This means you might not need to enable TLS on Keto itself if you use a reverse proxy or API gateway in front of it [Prepare for production](https://www.ory.sh/docs/keto/guides/production/).

Summary:
- Generate or obtain TLS certificates.
- Configure Keto to use them via environment variables or config file (consult the [Keto configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for exact keys).
- Consider terminating TLS at a gateway or load balancer for production deployments.

I'm sorry, but the knowledge sources do not provide the exact configuration keys for enabling TLS in Ory Keto. Please refer to the official [Keto configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for the most up-to-date and detailed information.
@chilly-king-10285 I tried, but I am able to access it over HTTP, not over HTTPS
A message from kapa.ai
If you are able to access Ory Keto over HTTP but not HTTPS, it likely means that TLS (HTTPS) is not enabled or not correctly configured for your Keto instance. Based on the knowledge sources, here are some important points:

- TLS is not enabled by default in Ory Keto. You must explicitly configure it in your Keto configuration.
- The knowledge sources do not provide the exact configuration keys or environment variables for enabling TLS in Ory Keto. They do, however, recommend not exposing Keto directly to the public internet and instead running it behind an API gateway or load balancer, where TLS is typically terminated. This means that, in production, you might not need to enable TLS on Keto itself if you use a reverse proxy or gateway that handles HTTPS traffic and forwards requests to Keto over HTTP internally [Prepare for production](https://www.ory.sh/docs/keto/guides/production/).

What you can do:

- Double-check your Keto configuration and ensure you are following the [official configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for enabling TLS, as the exact keys are not specified in the provided knowledge sources.
- If you are running Keto behind a gateway or load balancer, make sure TLS is configured there, and access Keto through the gateway’s HTTPS endpoint.
- If you want Keto itself to serve HTTPS, you must provide the correct certificate and key files and ensure the configuration points to them. If you do not see HTTPS working, it is likely that this step is missing or misconfigured.

Summary: The knowledge sources do not provide the exact steps or configuration keys for enabling HTTPS directly on Ory Keto. Please consult the [Keto configuration reference](https://www.ory.sh/docs/keto/reference/configuration/) for the most accurate and up-to-date information. If you are running behind a gateway, configure TLS there instead. If you need further help, please provide your Keto configuration and deployment details.