# Configure HTTPS termination Type of document: How-to guide Product: NGINX Gateway Fabric --- Learn how to terminate HTTPS traffic using NGINX Gateway Fabric. ## Overview In this guide, we will show how to configure HTTPS termination for your application, using an [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) redirect filter, secret, and [ReferenceGrant](https://gateway-api.sigs.k8s.io/api-types/referencegrant/). **Note:** To validate client certificates using mutual TLS (mTLS), see [Securing frontend client traffic using mutual TLS](/ngf/traffic-security/client-validation.md). --- ## Before you begin - [Install](/ngf/install/) NGINX Gateway Fabric. ## Set up Create the **coffee** application in Kubernetes by copying and pasting the following block into your terminal: ```yaml kubectl apply -f - < 80/TCP 40s ``` ## Configure HTTPS termination and routing For HTTPS, the deployment requires a certificate and a private key stored in a Secret. The Secret lives in a separate namespace, so a ReferenceGrant is required to access it. cert-manager issues the certificate from a local self-signed CA and automatically creates the `cafe-secret` Secret. To create the **certificate** namespace, copy and paste the following into your terminal: ```yaml kubectl apply -f - < GW_HTTPS_PORT= ``` **Note:** In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for. To create the httproute resources, copy and paste the following into your terminal: ```yaml kubectl apply -f - <