# Internal SSL

JupyterHub 1.0 introduces the internal_ssl configuration for encryption and authentication of all internal communication via mutual TLS.

If enabled, the Kubespawner will mount the internal_ssl certificates as Kubernetes secrets into the jupyter user's pod.

## Setup

To enable, use the following settings:

```python
c.JupyterHub.internal_ssl = True

c.JupyterHub.spawner_class = 'kubespawner.KubeSpawner'
```

Further configuration can be specified with the following (listed with their default values):

```python
c.KubeSpawner.secret_name_template = "{pod_name}"

c.KubeSpawner.secret_mount_path =  "/etc/jupyterhub/ssl/"
```

The Kubespawner sets the `JUPYTERHUB_SSL_KEYFILE`, `JUPYTERHUB_SSL_CERTFILE` and `JUPYTERHUB_SSL_CLIENT_CA` environment variables, with the appropriate paths, on the user's notebook server.