---
layout: docs
page_title: File system certificate configuration reference
description: Learn how to configure a file system certificate bound to an API Gateway on VMs.
---
# File system certificate configuration reference
This topic provides reference information for the file system certificate
configuration entry. The file system certificate is a more secure alternative to the [inline certificate configuration entry](/consul/docs/connect/config-entries/inline-certificate) when using Consul API Gateway on VMs because it references a local filepath instead of including sensitive information in the configuration entry itself. File system certificates also include a file system watch that implements certificate and key changes without restarting the gateway.
Consul on Kubernetes deployments that use `consul-k8s` Helm chart v1.5.0 or later use file system certificates without additional configuration. To learn about configuring certificates for Kubernetes environments, refer to [Gateway Resource Configuration](/consul/docs/connect/gateways/api-gateway/configuration/gateway).
## Configuration model
The following list outlines field hierarchy, language-specific data types, and
requirements in a `file-system-certificate` configuration entry. Click on a property name
to view additional details, including default values.
- [`Kind`](#kind): string | must be set to `"file-system-certificate"`
- [`Name`](#name): string | no default
- [`Namespace`](#namespace): string | no default
- [`Partition`](#partition): string | no default
- [`Meta`](#meta): map | no default
- [`Certificate`](#certificate): string | no default
- [`PrivateKey`](#privatekey): string | no default
## Complete configuration
When every field is defined, a `file-system-certificate` configuration entry has the following form:
```hcl
Kind = "file-system-certificate"
Name = ""
Namespace = "ns"
Partition = "default"
Meta = {
"" = ""
}
Certificate = ""
PrivateKey = ""
```
```json
{
"Kind": "file-system-certificate",
"Name": "",
"Namespace": "ns",
"Partition": "default",
"Meta": {
"key": "value"
},
"Certificate": "",
"PrivateKey": ""
}
```
## Specification
### `Kind`
Specifies the type of configuration entry to implement.
#### Values
- Default: None
- This field is required.
- Data type: string that must equal `"file-system-certificate"`
### `Name`
Specifies a name for the configuration entry. The name is metadata that you can
use to reference the configuration entry when performing Consul operations, such
as applying a configuration entry to a specific cluster.
#### Values
- Default: None
- This field is required.
- Data type: string
### `Namespace`
Specifies the Enterprise [namespace](/consul/docs/enterprise/namespaces) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Partition`
Specifies the Enterprise [admin partition](/consul/docs/enterprise/admin-partitions) to apply to the configuration entry.
#### Values
- Default: `"default"` in Enterprise
- Data type: string
### `Meta`
Specifies an arbitrary set of key-value pairs to associate with the gateway.
#### Values
- Default: None
- Data type: map containing one or more keys and string values.
### `Certificate`
Specifies the path to a file that contains a public certificate to use for TLS. This filepath must be accessible to the API gateway proxy at runtime.
#### Values
- Default: none
- This field is required.
- Data type: string value of the filepath to a public certificate
### `PrivateKey`
Specifies the path to a file that contains a private key to use for TLS. This filepath must be accessible to the API gateway proxy at runtime.
#### Values
- Default: none
- This field is required.
- Data type: string value of the filepath to a private key
## Examples
The following example demonstrates a file system certificate configuration.
```hcl
Kind = "file-system-certificate"
Name = "tls-certificate"
Certificate = "/opt/consul/tls/api-gateway.crt"
PrivateKey = "/opt/consul/tls/api-gateway.key"
```
```json
{
"Kind": "file-system-certificate",
"Name": "tls-certificate",
"Certificate": "opt/consul/tls/api-gateway.crt",
"PrivateKey": "/opt/consul/tls/api-gateway.key"
}
```