Certificate adapter

Bring your own cert

Serve inbound clients your real certificate — no CA install required.

[Diagram: external clients → TLS Lane → your service]
When you need it
You're the server for inbound connections, and clients must trust the connection without installing the TLS Lane CA. You supply a real CA-issued or Let's Encrypt server certificate.
How it works
TLS Lane loads your cert and key at startup, extracts domains from the CN and SANs, and matches inbound connections by SNI (exact, then wildcard). Outbound connections continue to use CA-minted leaves.
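The exact-then-wildcard SNI lookup described above, sketched as an added example (not TLS Lane's code). The class and label names are hypothetical, the certificate names are constructed, and the single-label wildcard rule is an assumption borrowed from standard X.509 hostname matching, since the page does not state TLS Lane's wildcard semantics.

```python
from __future__ import annotations
from typing import Optional


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


class CertIndex:
    """Maps names taken from a cert's CN and SANs to a certificate label."""

    def __init__(self) -> None:
        self.exact = {}     # "api.example.com" -> label
        self.wildcard = {}  # "example.com" (from "*.example.com") -> label

    def add(self, label: str, names: list[str]) -> None:
        for raw in names:
            name = normalize(raw)
            if name.startswith("*."):
                # First cert registered for a name wins (assumption).
                self.wildcard.setdefault(name[2:], label)
            elif name:
                self.exact.setdefault(name, label)

    def select(self, sni: Optional[str]) -> Optional[str]:
        """Return the label of the cert to serve, or None if nothing matches."""
        if not sni:
            return None  # client sent no SNI
        host = normalize(sni)
        # Pass 1: exact name.
        if host in self.exact:
            return self.exact[host]
        # Pass 2: wildcard covering exactly the left-most label (assumption).
        _, dot, parent = host.partition(".")
        if dot and parent in self.wildcard:
            return self.wildcard[parent]
        return None


def build_sample_index() -> CertIndex:
    # Constructed sample: two certs whose names overlap under example.com.
    idx = CertIndex()
    idx.add("api-cert", ["api.example.com"])
    idx.add("wildcard-cert", ["*.example.com", "example.com"])
    return idx
```

Running your own certificate's names through a check like this before deployment shows which hostnames it will not cover, such as a second-level subdomain under a single-label wildcard.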
Good to know
Inbound direction only. The cert is read at startup — restart the agent after renewal, or use a certbot deploy hook.
TLS version
TLS 1.2 and 1.3
Enable
sudo tlslane splice --cert <pem> --key <pem>